diff --git a/browsers/edge/Index.md b/browsers/edge/Index.md index 1fbb56ff74..ab4caaef1d 100644 --- a/browsers/edge/Index.md +++ b/browsers/edge/Index.md @@ -29,6 +29,7 @@ Microsoft Edge lets you stay up-to-date through the Windows Store and to manage | [Microsoft Edge requirements and language support](hardware-and-software-requirements.md) | Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list.| | [Available policies for Microsoft Edge](available-policies.md) | Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings.

Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain. | | [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) | If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11.

Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. | +| [Security enhancements for Microsoft Edge](security-enhancements-microsoft-edge.md) |Microsoft Edge is designed with significant security improvements over existing browsers, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. | ## Interoperability goals and enterprise guidance diff --git a/browsers/edge/TOC.md b/browsers/edge/TOC.md index 8b02ce6c70..1e0b12897e 100644 --- a/browsers/edge/TOC.md +++ b/browsers/edge/TOC.md @@ -3,4 +3,5 @@ ##[Microsoft Edge requirements and language support](hardware-and-software-requirements.md) ##[Available policies for Microsoft Edge](available-policies.md) ##[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) +##[Security enhancements for Microsoft Edge](security-enhancements-microsoft-edge.md) diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md index 1a79a97be1..60e52629df 100644 --- a/browsers/edge/change-history-for-microsoft-edge.md +++ b/browsers/edge/change-history-for-microsoft-edge.md @@ -9,6 +9,11 @@ ms.sitesec: library # Change history for Microsoft Edge This topic lists new and updated topics in the Microsoft Edge documentation for both Windows 10 and Windows 10 Mobile. +## June 2016 +|New or changed topic | Description | +|----------------------|-------------| +|[Security enhancements for Microsoft Edge](security-enhancements-microsoft-edge.md) |New | + ## May 2016 |New or changed topic | Description | diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md index b0c566fb90..707f375170 100644 --- a/browsers/edge/emie-to-improve-compatibility.md +++ b/browsers/edge/emie-to-improve-compatibility.md 
@@ -28,7 +28,7 @@ Microsoft Edge doesn't support ActiveX controls, Browser Helper Objects, VBScrip ![](images/wedge.gif) **To add sites to your list** -1. In the Enterprise Mode Site List Manager tool, click **Add**.

If you already have an existing site list, you can import it into the tool. After it's in the tool, the xml updates the list, checking **Open in IE** for each site. For info about importing the site list, see [Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](http://go.microsoft.com/fwlink/p/?LinkId=618322).

![Enterprise Mode Site List Manager with Open in IE box](images/emie_open_in_ie.png) +1. In the Enterprise Mode Site List Manager, click **Add**.

If you already have an existing site list, you can import it into the tool. After it's in the tool, the xml updates the list, checking **Open in IE** for each site. For info about importing the site list, see [Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](http://go.microsoft.com/fwlink/p/?LinkId=618322).

![Enterprise Mode Site List Manager with Open in IE box](images/emie_open_in_ie.png) 2. Type or paste the URL for the website that’s experiencing compatibility problems, like *<domain>*.com or *<domain>*.com/*<path>* into the **URL** box.

You don’t need to include the `http://` or `https://` designation. The tool will automatically try both versions during validation. diff --git a/browsers/edge/security-enhancements-microsoft-edge.md b/browsers/edge/security-enhancements-microsoft-edge.md new file mode 100644 index 0000000000..9db29bd47d --- /dev/null +++ b/browsers/edge/security-enhancements-microsoft-edge.md 
@@ -0,0 +1,112 @@ +--- +description: Microsoft Edge is designed with significant security improvements over existing browsers, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros) +--- + +# Security enhancements for Microsoft Edge +Microsoft Edge is designed with significant security improvements, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. + +## Help to protect against web-based security threats +While most websites are safe, some sites have been designed to steal personal information or gain access to your system’s resources. Thieves by nature don’t care about rules, and will use any means to take advantage of victims, most often using trickery or hacking: + +- **Trickery.** Means using things like “phishing” attacks to convince a person to enter a banking password into a website that looks like the bank, but isn’t. + +- **Hacking.** Means attacking a system through malformed content that exploits subtle flaws in a browser, or in various browser extensions, such as video decoders. This exploit lets an attacker run code on a device, taking over first a browsing session, and perhaps ultimately the entire device. + +While trickery and hacking are threats faced by every browser, it’s important that we explore how Microsoft Edge addresses these threats and is helping make the web a safer experience. + +### Help against trickery +Web browsers can help defend your employees against trickery by identifying and blocking known tricks, and by using strong security protocols to ensure that they’re talking to the web site they think they’re talking to. + +#### Windows Hello +Phishing scams get people to enter passwords into a fake version of a trusted website, such as a bank. 
Attempts to identify legitimate websites through the HTTPS lock symbol and the EV Cert green bar have met with only limited success, since attackers are too good at faking legitimate experiences for many people to notice the difference. + +To really address this problem, we need to stop people from entering plain-text passwords into websites. So in Windows 10, we gave you [Windows Hello](http://blogs.windows.com/bloggingwindows/2015/03/17/making-windows-10-more-personal-and-more-secure-with-windows-hello/) technology with asymmetric cryptography that authenticates both the person and the website. + +Microsoft Edge is the first browser to natively support Windows Hello as a more personal, seamless, and secure way to authenticate on the web, powered by an early implementation of the [Web Authentication (formerly FIDO 2.0 Web API) specification](http://w3c.github.io/webauthn/). + +#### Microsoft SmartScreen +Microsoft SmartScreen, used in Windows 10 and both Internet Explorer 11 and Microsoft Edge, helps to defend against phishing by performing reputation checks on visited sites and blocking any sites that are thought to be phishing sites. SmartScreen also helps to defend people against being tricked into installing malicious [socially-engineered software downloads](http://operationstech.about.com/od/glossary/g/Socially-Engineered-Malware.htm and against [drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/smartscreen-drive-by-improvements/). Drive-by attacks are malicious web-based attacks that compromise your system by targeting security vulnerabilities in commonly used software, and may be hosted on trusted sites. + +#### Certificate Reputation system +While people trust sites that have encrypted web traffic, that trust can be undermined by malicious sites using improperly obtained or fake certificates to impersonate legitimate sites. 
To help address this problem, we introduced the [Certificate Reputation system](http://blogs.msdn.com/b/ie/archive/2014/03/10/certificate-reputation-a-novel-approach-for-protecting-users-from-fraudulent-certificates.aspx) last year. This year, we’ve extended the system to let web developers use the [Bing Webmaster Tools](http://www.bing.com/toolbox/webmaster) to report directly to Microsoft to let us know about fake certificates. + +### Help against hacking +While Microsoft Edge has done much to help defend against trickery, the browser’s “engine” has also been overhauled to resist hacking (attempts to corrupt the browser itself) including a major overhaul of the DOM representation in the browser’s memory, and the security mitigations described here. + +#### Microsoft EdgeHTML and modern web standards +Microsoft Edge has a new rendering engine, Microsoft EdgeHTML, which is focused on modern standards that let web developers build and maintain a consistent site across all modern browsers. + +The Microsoft EdgeHTML engine also helps to defend against hacking through these new security standards features: + +- Support for the W3C standard for [Content Security Policy (CSP)](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/security/content-Security-Policy), which can help web developers defend their sites against cross-site scripting attacks. + +- Support for the [HTTP Strict Transport Security (HSTS)](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/security/HSTS/) security feature (IETF-standard compliant). This helps ensure that connections to important sites, such as to your bank, are always secured. + + **Note**
+ Both Microsoft Edge and Internet Explorer 11 support HSTS. + +#### All web content runs in an app container sandbox +Internet Explorer 7 on Windows Vista was the first web browser to provide a browsing sandbox, called [Protected Mode](http://windows.microsoft.com/en-US/windows-vista/What-does-Internet-Explorer-protected-mode-do). Protected Mode forced the part of the browser that rendered web content to run with less privilege than the browser controls or the user, providing a level of isolation and protection should a malicious website attempt to exploit a bug in the browser or one of its plug-ins. + +Internet Explorer 10 introduced Enhanced Protected Mode (EPM), based on the Windows 8 app container technology, providing a stronger sandbox by adding deny-by-default and no-read-up semantics. EPM was turned on by default in the Windows 8 and Windows 8.1 immersive browser, but was optional on the Internet Explorer 10 and Internet Explorer 11 desktop versions. + +Microsoft Edge takes the sandbox even farther, running its content processes in app containers not just by default, but all of the time. Because Microsoft Edge doesn’t support 3rd party binary extensions, there’s no reason for it to run outside of the containers, ensuring that Microsoft Edge is more secure. + +#### Microsoft Edge is now a 64-bit app +The largest security change to Microsoft Edge is that it's designed like a Universal Windows app. By changing the browser to an app, it fundamentally changes the process model so that both the outer manager process and the assorted content processes all live within app container sandboxes; helping to provide the user and the platform with the [confidence](http://blogs.msdn.com/b/b8/archive/2012/05/17/delivering-reliable-and-trustworthy-metro-style-apps.aspx) provided by other Windows store apps. 
+ +##### 64-bit processes and Address Space Layout Randomization (ASLR) +Microsoft Edge runs in 64-bit not just by default, but anytime it’s running on a 64-bit operating system. Because Microsoft Edge doesn’t support legacy ActiveX controls or 3rd-party binary extensions, there’s no longer a reason to run 32-bit processes on a 64-bit system. + +The value of running 64-bit all the time is that it strengthens Windows Address Space Layout Randomization (ASLR). ASLR randomizes the memory layout of the browser processes, making it much harder for attackers to hit precise memory locations. In turn, 64-bit processes make ASLR much more effective by making the address space exponentially larger and, therefore, more difficult for attackers to find the sensitive memory components they’re looking for. + +#### New extension model and HTML5 support +Back in 1996, we introduced ActiveX for web browser extensions in an attempt to let 3rd parties experiment with various forms of alternate content on the web. However, we quickly learned that browser extensions can come at a cost of security and reliability. For example, binary extensions can bring code and data into the browser’s processes without any protection, meaning that if anything goes wrong, the entire browser itself can be compromised or go down. + +Based on that learning, we’ve stopped supporting binary extensions in Microsoft Edge and instead encourage everyone to use our new, scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/en-us/microsoft-edge/extensions/). + +#### Reduced attack surfaces +In addition to removing support for VBScript, Jscript, VML, Browser Helper Objects, Toolbars, and ActiveX controls, Microsoft Edge also removed support for legacy Internet Explorer [document modes](https://msdn.microsoft.com/en-us/library/jj676915.aspx). 
Because many IE browser vulnerabilities are only present in legacy document modes, removing support for document modes significantly reduces attack surface, making the browser much more secure than before. However, it also means that it’s not as backward compatible. + +Because of the reduced backward compatibility, we’ve given Microsoft Edge the ability to automatically fall back to Internet Explorer 11, using the Enterprise Mode Site List, for any apps that need backward compatibility. + +#### Code integrity and image loading restrictions +Microsoft Edge content processes support code integrity and image load restrictions, helping to prevent malicious DLLs from loading or being injected into the content processes. Only [properly signed images](https://blogs.windows.com/msedgedev/2015/11/17/microsoft-edge-module-code-integrity/) are allowed to load into Microsoft Edge. Binaries on remote devices (such as, UNC or WebDAV) can’t be loaded. + +#### Memory corruption mitigations +Memory corruption happens most frequently to apps written in C or C++ because those languages don’t provide type safety or buffer overflow protection. Broadly speaking, memory corruption attacks happen when an attacker provides malformed input to a program and the program can’t handle it, corrupting the program’s memory state and allowing the attacker to take control of the program. + +Over the years, a broad variety of mitigations have been created around memory corruption, but even as these mitigations roll out, attackers adapt and invent new ways to attack. At the same time, we’ve responded with new memory safety defenses, mitigating the most common new forms of attack, including and especially [use-after-free (UAF)](http://cwe.mitre.org/data/definitions/416.html) vulnerabilities. 
+ +##### Memory Garbage Collector (MemGC) mitigation +MemGC is the replacement for Memory Protector, currently turned on for both Microsoft Edge on Windows 10 and Internet Explorer 11 on Windows 7 and newer operating systems. MemGC is a memory garbage collection system that helps to defend the browser from UAF vulnerabilities by taking the responsibility for freeing memory away from the programmer and instead automating it, only freeing memory when the automation detects that there are no more references left pointing to a given block of memory. + +##### Control Flow Guard +Ultimately, attackers use memory corruption attacks to gain control of the CPU program counter so that they can jump to any code location they want. Control Flow Guard is a Microsoft Visual Studio technology that compiles checks around code that performs indirect jumps based on a pointer, restricting those jumps to only go to function entry points with known addresses. This makes attacker take-overs much more difficult by severely constraining where a memory corruption attack can jump to. + +#### Designed for security +We’ve spent countless hours reviewing, testing, and using Microsoft Edge to make sure that you’re more protected than ever before. + +##### Fuzzing/Static Analysis +We’ve devoted more than 670 machine-years to fuzz testing Microsoft Edge and Internet Explorer during product development, including monitoring for possible exceptions such as crashes or memory leaks. We’ve also generated more than 400-billion DOM manipulations from 1-billion HTML files. Because of all of this, hundreds of security issues were addressed before the product shipped. + +##### Code Review & Penetration Testing +Over 70 end-to-end security engagements reviewed all key features, helping to address security implementation and design issues before shipping. + +##### Windows REDTEAM +The Windows REDTEAM emulates the techniques and expertise of skilled, real-world attackers. 
Exploited Microsoft Edge vulnerabilities discovered through penetration testing can be addressed before public discovery and real-world exploits. + + + + + + + + + + diff --git a/browsers/internet-explorer/TOC.md b/browsers/internet-explorer/TOC.md index 8c1b80824c..440e179791 100644 --- a/browsers/internet-explorer/TOC.md +++ b/browsers/internet-explorer/TOC.md @@ -26,7 +26,7 @@ ###[Enterprise Mode schema v.1 guidance for Windows 7 and Windows 8.1 devices](ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md) ###[Check for a new Enterprise Mode site list xml file](ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md) ###[Turn on local control and logging for Enterprise Mode](ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md) -###[Use the Enterprise Mode Site List Manager tool](ie11-deploy-guide/use-the-enterprise-mode-site-list-manager-tool.md) +###[Use the Enterprise Mode Site List Manager tool](ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md) ####[Add sites to the Enterprise Mode site list using the Windows 10 Enterprise Mode Site List Manager tool](ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) ####[Add sites to the Enterprise Mode site list using the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool](ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) ####[Add multiple sites to the Enterprise Mode site list using a file and the Windows 10 Enterprise Mode Site List Manager tool](ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) diff --git a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md index 9066c5205a..76fc4cad35 100644 
--- a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md @@ -2,7 +2,7 @@ description: How to use Group Policy to install ActiveX controls. ms.assetid: 59185370-558c-47e0-930c-8a5ed657e9e3 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md index 1b86656cdc..2a371e334b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md 
@@ -1,24 +1,24 @@ --- -description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager tool. +description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager. ms.assetid: 20aF07c4-051a-451f-9c46-5a052d9Ae27c author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat -title: Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool (Internet Explorer 11 for IT Pros) +title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) --- -# Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool +# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) **Applies to:** - Windows 8.1 - Windows 7 -You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager tool. You can only add specific URLs, not Internet or Intranet Zones. +You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager. 
You can only add specific URLs, not Internet or Intranet Zones. -If you want to add your websites one at a time, see Add sites to the [Enterprise Mode site list using the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md). +If you want to add your websites one at a time, see Add sites to the [Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md). ## Create an Enterprise Mode site list (TXT) file You can create and use a custom text file to add multiple sites to your Enterprise Mode site list at the same time.

**Important**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company. @@ -37,7 +37,7 @@ bing.com/images ``` ## Create an Enterprise Mode site list (XML) file using the v.1 version of the Enterprise Mode schema -You can create and use a custom XML file with the Enterprise Mode Site List Manager tool to add multiple sites to your Enterprise Mode site list at the same time. For more info about the v.1 version of the Enterprise Mode schema, see [Enterprise Mode schema v.1 guidance for Windows 7 and Windows 8.1 devices](enterprise-mode-schema-version-1-guidance.md). +You can create and use a custom XML file with the Enterprise Mode Site List Manager to add multiple sites to your Enterprise Mode site list at the same time. For more info about the v.1 version of the Enterprise Mode schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). Each XML file must include: 
@@ -48,7 +48,7 @@ Each XML file must include: - **<docMode> tag.**This tag specifies the domains and domain paths that need either to appear using the specific doc mode you assigned to the site. Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). ### Enterprise Mode v.1 XML schema example -The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.1 guidance for Windows 7 and Windows 8.1 Update devices](enterprise-mode-schema-version-1-guidance.md). +The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). ``` @@ -75,17 +75,17 @@ The following is an example of what your XML file should look like when you’re ``` -To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY\CURRENT\USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.

**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool. +To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY\CURRENT\USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.

**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (. -## Add multiple sites to the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool -After you create your .xml or .txt file, you can bulk add the sites to the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool. +## Add multiple sites to the Enterprise Mode Site List Manager (schema v.1) +After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.1). ![](images/wedge.gif) **To add multiple sites** -1. In the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool, click **Bulk add from file**. +1. In the Enterprise Mode Site List Manager (schema v.1), click **Bulk add from file**. 2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.

-Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager tool](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). +Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). 3. Click **OK** to close the **Bulk add sites to the list** menu. 
@@ -96,8 +96,8 @@ You can save the file locally or to a network share. However, you must make sure After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). ## Related topics -- [Enterprise Mode schema v.1 guidance for Windows 7 and Windows 8.1 Update devices](enterprise-mode-schema-version-1-guidance.md) -- [Download the Enterprise Mode Site List Manager for Windows 7 and Windows 8.1 tool](http://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) +- [Download the Enterprise Mode Site List Manager (schema v.1)](http://go.microsoft.com/fwlink/p/?LinkID=394378)     diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md index 16c1a764fb..db61a49c80 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md 
@@ -1,27 +1,31 @@ --- -description: Add multiple sites to your Enterprise Mode site list using a file and the Windows 10 Enterprise Mode Site List Manager tool. +description: Add multiple sites to your Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2). ms.assetid: da659ff5-70d5-4852-995e-4df67c4871dd author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat -title: Add multiple sites to the Enterprise Mode site list using a file and the Windows 10 Enterprise Mode Site List Manager tool (Internet Explorer 11 for IT Pros) +title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros) --- -# Add multiple sites to the Enterprise Mode site list using a file and the Windows 10 Enterprise Mode Site List Manager tool +# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) **Applies to:** - Windows 10 +- Windows 8.1 +- Windows 7 -You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Windows 10 Enterprise Mode Site List Manager tool. You can only add specific URLs, not Internet or Intranet Zones. +You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager (schema v.2). You can only add specific URLs, not Internet or Intranet Zones. -To add your websites one at a time, see [Add sites to the Enterprise Mode site list using the Windows 10 Enterprise Mode Site List Manager tool](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md). 
+To add your websites one at a time, see [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md). ## Create an Enterprise Mode site list (TXT) file -You can create and use a custom text file with the Windows 10 Enterprise Mode Site List Manager tool to add multiple sites to your Enterprise Mode site list at the same time.

**Important:**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company. +You can create and use a custom text file with the Enterprise Mode Site List Manager (schema v.2) to add multiple sites to your Enterprise Mode site list at the same time. + +>**Important:**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company. You must separate each site using commas or carriage returns. For example: @@ -38,7 +42,7 @@ bing.com/images ## Create an Enterprise Mode site list (XML) file using the v.2 version of the Enterprise Mode schema -You can create and use a custom XML file with the Windows 10 Enterprise Mode Site List Manager tool to add multiple sites to your Enterprise Mode site list at the same time. +You can create and use a custom XML file with the Enterprise Mode Site List Manager (schema v.2) to add multiple sites to your Enterprise Mode site list at the same time. Each XML file must include: @@ -50,7 +54,7 @@ Each XML file must include: ### Enterprise Mode v.2 XML schema example -The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.2 guidance for Windows 10 devices](enterprise-mode-schema-version-2-guidance.md). +The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md). ``` @@ -81,17 +85,17 @@ In the above example, the following is true: - contoso.com, and all of its domain paths, can use the default compatibility mode for the site. -To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY\CURRENT\USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.

**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Windows 10 Enterprise Mode Site List Manager tool. +To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY\CURRENT\USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.

**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (schema v.2). -## Add multiple sites to the Windows 10 Enterprise Mode Site List Manager tool -After you create your .xml or .txt file, you can bulk add the sites to the Windows 10 Enterprise Mode Site List Manager tool. +## Add multiple sites to the Enterprise Mode Site List Manager (schema v.2) +After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.2). ![](images/wedge.gif) **To add multiple sites** -1. In the Windows 10 Enterprise Mode Site List Manager tool, click **Bulk add from file**. +1. In the Enterprise Mode Site List Manager (schema v.2), click **Bulk add from file**. 2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.

-Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager tool](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). +Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). 3. Click **OK** to close the **Bulk add sites to the list** menu. @@ -102,8 +106,8 @@ You can save the file locally or to a network share. However, you must make sure After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). ## Related topics -- [Download the Enterprise Mode Site List Manager for Windows 10 tool](http://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Enterprise Mode schema v.2 guidance for Windows 10 devices](enterprise-mode-schema-version-2-guidance.md) +- [Download the Enterprise Mode Site List Manager (schema v.2)](http://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md)     
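Review bot: In the `@@ -1,27 +1,31 @@` hunk of add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md, the new `>**Important:**` line turns the label into a blockquote, but the body line that follows it, `This text file is only lets you add multiple sites at the same time.`, shows no `>` prefix, so only the label will render quoted; prefix the body line as well. While touching that line, fix its grammar: `This text file only lets you add multiple sites at the same time.`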
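Review bot: In the `@@ -81,17 +85,17 @@` hunk of the same file, the rewritten `+To make sure your site list is up-to-date; wait 65 seconds ...` line carries over a wrong registry path: `HKEY\CURRENT\USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` should be `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode`, since the hive is `HKEY_CURRENT_USER` (the `Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'` line in collect-data-using-enterprise-site-discovery.md uses the correct hive). Replace the semicolon after `up-to-date` with a comma, and note that the `**Important**` label here stays plain bold while the earlier one in this file was converted to `>**Important:**`; use one style throughout the file.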
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md index 9f05233368..bb761657fb 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md @@ -2,14 +2,14 @@ description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat -title: Add sites to the Enterprise Mode site list using the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool (Internet Explorer 11 for IT Pros) +title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) --- -# Add single sites to the Enterprise Mode site list using the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool +# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) **Applies to:** 
@@ -19,15 +19,15 @@ title: Add sites to the Enterprise Mode site list using the Windows 7 and Window Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.

**Important**
You can only add specific URLs, not Internet or Intranet Zones. -

**Note**
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see [Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and 8.1 Enterprise Mode Site List Manager tool](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md). +

**Note**
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see [Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and 8.1 Enterprise Mode Site List Manager](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md). ## Adding a site to your compatibility list -You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager tool. -

**Note**
If you're using Windows 10 and the v.2 version of the Enterprise Mode schema, you'll need to use the Windows 10 Enterprise Mode Site List Manager tool. For more info, see [Add sites to the Enterprise Mode site list using the Windows 10 Enterprise Mode Site List Manager tool](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md). +You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager. +

**Note**
If you're using the v.2 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md). - ![](images/wedge.gif) **To add a site to your compatibility list using the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool** + ![](images/wedge.gif) **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.1)** -1. In the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool, click **Add**. +1. In the Enterprise Mode Site List Manager (schema v.1), click **Add**. 2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.

Don't include the `http://` or `https://` designation. The tool automatically tries both versions during validation. @@ -51,7 +51,7 @@ You can save the file locally or to a network share. However, you must make sure After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). ## Related topics -- [Download the Enterprise Mode Site List Manager for Windows 7 and Windows 8.1 tool](http://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Download the Enterprise Mode Site List Manager (schema v.1)](http://go.microsoft.com/fwlink/p/?LinkID=394378)     diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md index 098937190a..7ae8e40626 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md 
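Review bot: In the `@@ -19,15 +19,15 @@` hunk of add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md, the new Note contradicts itself: `If you're using the v.2 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1).` should say `(schema v.2)`, matching the link text that follows it. In the same hunk the link `[Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and 8.1 Enterprise Mode Site List Manager]` keeps the OS-based name while every other link in this change moves to the `(schema v.1)` naming; rename it to match the target topic's new title.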
@@ -2,30 +2,32 @@ description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that''s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. ms.assetid: 513e8f3b-fedf-4d57-8d81-1ea4fdf1ac0b author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat -title: Add sites to the Enterprise Mode site list using the Windows 10 Enterprise Mode Site List Manager tool (Internet Explorer 11 for IT Pros) +title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros) --- -# Add single sites to the Enterprise Mode site list using the Windows 10 Enterprise Mode Site List Manager tool +# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) **Applies to:** -- Windows 10 +- Windows 10 +- Windows 8.1 +- Windows 7 Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.

**Important**
You can only add specific URLs, not Internet or Intranet Zones. -

**Note**
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see the [Add multiple sites to the Enterprise Mode site list using a file and the Windows 10 Enterprise Mode Site List Manager tool](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and 8.1 Enterprise Mode Site List Manager tool](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system. +

**Note**
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system. ## Adding a site to your compatibility list -You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager tool.

-**Note**
If you're using Windows 7 and Windows 8.1 or the v.1 version of the Enterprise Mode schema, you'll need to use the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool. For more info, see [Add sites to the Enterprise Mode site list using the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md). +You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.

+**Note**
If you're using the v.1 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see [Add sites to the Enterprise Mode site list using the WEnterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md). - ![](images/wedge.gif) **To add a site to your compatibility list using the Windows 10 Enterprise Mode Site List Manager tool** + ![](images/wedge.gif) **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.2)** -1. In the Windows 10 Enterprise Mode Site List Manager tool, click **Add**. +1. In the Enterprise Mode Site List Manager (schema v.2), click **Add**. 2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.

Don't include the `http://` or `https://` designation. The tool automatically tries both versions during validation. @@ -65,7 +67,7 @@ You can save the file locally or to a network share. However, you must make sure After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). ## Related topics -- [Download the Enterprise Mode Site List Manager for Windows 10 tool](http://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.2)](http://go.microsoft.com/fwlink/p/?LinkId=716853)     diff --git a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md index 17553922a8..35311869b0 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md @@ -2,7 +2,7 @@ description: Administrative templates and Internet Explorer 11 ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md index cc3bd55193..128ec70d49 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md 
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md @@ -2,7 +2,7 @@ description: Auto configuration and auto proxy problems with Internet Explorer 11 ms.assetid: 3fbbc2c8-859b-4b2e-abc3-de2c299e0938 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: networking diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md index 7957257207..b2219c09cc 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md @@ -2,7 +2,7 @@ description: Auto configuration settings for Internet Explorer 11 ms.assetid: 90308d59-45b9-4639-ab1b-497e5ba19023 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: networking diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md index efba636009..4705ca8638 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md @@ -2,7 +2,7 @@ description: Auto detect settings Internet Explorer 11 ms.assetid: c6753cf4-3276-43c5-aae9-200e9e82753f author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: networking diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md index 0b26702487..b4de4ac246 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md 
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md @@ -2,7 +2,7 @@ description: Auto proxy configuration settings for Internet Explorer 11 ms.assetid: 5120aaf9-8ead-438a-8472-3cdd924b7d9e author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: networking diff --git a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md index 6a7b6aab93..00ff5c0914 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md +++ b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md @@ -2,7 +2,7 @@ description: Browser cache changes and roaming profiles ms.assetid: 85f0cd01-6f82-4bd1-9c0b-285af1ce3436 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: performance diff --git a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md index cd0ed579af..90e7030ed4 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md @@ -1,7 +1,7 @@ --- title: Change history for Internet Explorer 11 (Internet Explorer 11 for IT Pros) description: This topic lists new and updated topics in the Internet Explorer 11 documentation for Windows 10 and Windows 10 Mobile. -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library --- 
@@ -13,4 +13,4 @@ This topic lists new and updated topics in the Internet Explorer 11 documentatio |New or changed topic | Description | |----------------------|-------------| -|[Enterprise Mode schema v.1 guidance for Windows 7 and Windows 8.1 Update devices](enterprise-mode-schema-version-1-guidance.md) | Added info about using <emie> and <docMode> together. | \ No newline at end of file +|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) | Added info about using <emie> and <docMode> together. | \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md index e98af43141..0428d2e62b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md +++ b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md @@ -2,7 +2,7 @@ description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat @@ -13,7 +13,7 @@ title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 **Applies to:** -- Windows 10 and later +- Windows 10 - Windows 8.1 - Windows 7 - Windows Server 2012 R2 diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md index 3091bf3593..1ad3d887f4 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md 
@@ -2,7 +2,7 @@ description: Choose how to deploy Internet Explorer 11 (IE11) ms.assetid: 21b6a301-c222-40bc-ad0b-27f66fc54d9d author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Choose how to deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md index 64f586dc6b..fa044bc3ce 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md @@ -2,7 +2,7 @@ description: Choose how to install Internet Explorer 11 (IE11) ms.assetid: 9572f5f1-5d67-483e-bd63-ffea95053481 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Choose how to install Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md index 4d6f071016..a5b982f662 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md +++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md @@ -1,7 +1,7 @@ --- description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6 -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library author: eross-msft 
@@ -13,7 +13,7 @@ title: Collect data using Enterprise Site Discovery **Applies to:** - Windows 10 -- Windows 8.1 Update +- Windows 8.1 - Windows 7 with Service Pack 1 (SP1) Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. @@ -339,11 +339,11 @@ You can import this XML data into the correct version of the Enterprise Mode Sit ![](images/wedge.gif) **To add your XML data to your Enterprise Mode site list** -1. Open the Enterprise Mode Site List Manager tool, click **File**, and then click **Bulk add from file**. +1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**. ![Enterprise Mode Site List Manager with Bulk add from file option](images/bulkadd-emiesitelistmgr.png) 2. Go to your XML file to add the included sites to the tool, and then click **Open**.
-Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager tool](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). +Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). 3. Click **OK** to close the **Bulk add sites to the list** menu. @@ -378,7 +378,7 @@ You can completely remove the data stored on your employee’s computers. - `Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'`  ## Related topics -* [Enterprise Mode Site List Manager for Windows 10 download](http://go.microsoft.com/fwlink/?LinkId=746562) +* [Enterprise Mode Site List Manager (schema v.2) download](http://go.microsoft.com/fwlink/?LinkId=746562) * [Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md)   diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md index 4349873adf..33f573e4ba 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md 
+++ b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md @@ -2,7 +2,7 @@ description: Create packages for multiple operating systems or languages ms.assetid: 44051f9d-63a7-43bf-a427-d0a0a1c717da author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Create packages for multiple operating systems or languages (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md index 64ad245ecd..b2e068e5f8 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md @@ -2,7 +2,7 @@ description: Customize Internet Explorer 11 installation packages ms.assetid: 10a14a09-673b-4f8b-8d12-64036135e7fd author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Customize Internet Explorer 11 installation packages (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md index ec0a98d0e3..ab440a2332 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md 
@@ -3,7 +3,7 @@ description: Delete a single site from your global Enterprise Mode site list. title: Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) ms.assetid: 41413459-b57f-48da-aedb-4cbec1e2981a author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat 
@@ -27,14 +27,14 @@ The site is permanently removed from your list. If you delete a site by mistake, you’ll need to manually add it back using the instructions in the following topics, based on operating system. -- [Add sites to the Enterprise Mode site list using the Windows 10 Enterprise Mode Site List Manager tool](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) +- [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) -- [Add sites to the Enterprise Mode site list using the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) +- [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) ## Related topics -- [Download the Enterprise Mode Site List Manager for Windows 10 tool](http://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager for Windows 7 and Windows 8.1 tool](http://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager tool](use-the-enterprise-mode-site-list-manager-tool.md) +- [Download the Enterprise Mode Site List Manager (schema v.2)](http://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](http://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)     diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md index 9ed8f0efec..e91b8ce485 100644 
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md @@ -2,7 +2,7 @@ description: You can deploy Internet Explorer 11 to your users' computers by using your custom browser packages and Automatic Version Synchronization (AVS). ms.assetid: f51224bd-3371-4551-821d-1d62310e3384 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS) (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md index 8acd111034..9ba9bc1914 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md @@ -2,7 +2,7 @@ description: Deploy Internet Explorer 11 using software distribution tools ms.assetid: fd027775-651a-41e1-8ec3-d32eca876d8a author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Deploy Internet Explorer 11 using software distribution tools (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md index d0b1a5dd07..cf0f73e234 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md 
@@ -2,7 +2,7 @@ description: You can pin websites to the Windows 8.1 taskbar for quick access using the Microsoft Deployment Toolkit (MDT) 2013. ms.assetid: 24f4dcac-9032-4fe8-bf6d-2d712d61cb0c author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013 (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md index de5ddde4e7..77ad3c2aea 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md @@ -2,7 +2,7 @@ description: Windows Internet Explorer 8 introduced document modes as a way to move from the proprietary coding of web features to a more standardized type of coding that could run on multiple browsers and devices. ms.assetid: 00cb1f39-2b20-4d37-9436-62dc03a6320b author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat diff --git a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md index 16c7670957..2df84a765e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md 
@@ -1,8 +1,8 @@ --- -description: You can use Internet Explorer 11 and the Enterprise Mode Site List Manager tool to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments. +description: You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments. ms.assetid: 76aa9a85-6190-4c3a-bc25-0f914de228ea author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat 
@@ -19,26 +19,26 @@ title: Edit the Enterprise Mode site list using the Enterprise Mode Site List Ma - Windows Server 2012 R2 - Windows Server 2008 R2 with Service Pack 1 (SP1) -You can use Internet Explorer 11 and the Enterprise Mode Site List Manager tool to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments. +You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments. -If you need to edit a lot of websites, you probably don’t want to do it one at a time. Instead, you can edit your saved XML or TXT file and add the sites back again. For information about how to do this, depending on your operating system and schema version, see [Add multiple sites to the Enterprise Mode site list using a file and Windows 10 Enterprise Mode Site List Manager tool](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md). +If you need to edit a lot of websites, you probably don’t want to do it one at a time. Instead, you can edit your saved XML or TXT file and add the sites back again. 
For information about how to do this, depending on your operating system and schema version, see [Add multiple sites to the Enterprise Mode site list using a file and Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md). ![](images/wedge.gif) **To change how your page renders** -1. In the Enterprise Mode Site List Manager tool, double-click the site you want to change. +1. In the Enterprise Mode Site List Manager, double-click the site you want to change. 2. Change the comment or the compatibility mode option. 3. Click **Save** to validate your changes and to add the updated information to your site list.
-If your change passes validation, it’s added to the global site list. If the update doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the update or ignore the validation problem and add it to your list anyway. For more information about fixing validation issues, see [Fix validation problems using the Enterprise Mode Site List Manager tool](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). +If your change passes validation, it’s added to the global site list. If the update doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the update or ignore the validation problem and add it to your list anyway. For more information about fixing validation issues, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). 4. On the **File** menu, click **Save to XML**, and save the updated file.
You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). ## Related topics -- [Download the Enterprise Mode Site List Manager for Windows 10 tool](http://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager for Windows 7 and Windows 8.1 tool](http://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager tool](use-the-enterprise-mode-site-list-manager-tool.md) +- [Download the Enterprise Mode Site List Manager (schema v.2)](http://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](http://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)     diff --git a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md index 5fadb33d2b..ee46784821 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md @@ -2,7 +2,7 @@ description: Enable and disable add-ons using administrative templates and group policy ms.assetid: c6fe1cd3-0bfc-4d23-8016-c9601f674c0b author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md index 04d3602bc5..9d30f3ba62 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md @@ -2,7 +2,7 @@ description: Enhanced Protected Mode problems with Internet Explorer ms.assetid: 15890ad1-733d-4f7e-a318-10399b389f45 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md index 5581dc3c60..50970689b7 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md @@ -1,8 +1,8 @@ --- -description: Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager tool in your company. +description: Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. ms.assetid: d52ba8ba-b3c7-4314-ba14-0610e1d8456e author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat 
@@ -19,7 +19,7 @@ title: Enterprise Mode for Internet Explorer 11 (Internet Explorer 11 for IT Pro - Windows Server 2012 R2 - Windows Server 2008 R2 with Service Pack 1 (SP1) -Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager tool in your company. +Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. ## In this section |Topic |Description | 
@@ -27,11 +27,11 @@ Use the topics in this section to learn how to set up and use Enterprise Mode an |[What is Enterprise Mode?](what-is-enterprise-mode.md) |Includes descriptions of the features of Enterprise Mode. | |[Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) |Guidance about how to turn on local control of Enterprise Mode and how to use ASP or the GitHub sample to collect data from your local computers. | |[Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) |Guidance about how to turn on Enterprise Mode and set up a site list, using Group Policy or the registry. | -|[Enterprise Mode schema v.2 guidance for Windows 10 devices](enterprise-mode-schema-version-2-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. | -|[Enterprise Mode schema v.1 guidance for Windows 7 and Windows 8.1 devices](enterprise-mode-schema-version-1-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. | +|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. | +|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. | |[Check for a new Enterprise Mode site list xml file](check-for-new-enterprise-mode-site-list-xml-file.md) |Guidance about how the Enterprise Mode functionality looks for your updated site list. 
| |[Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) |Guidance about how to turn on local control of Enterprise Mode, using Group Policy or the registry.| -|[Use the Enterprise Mode Site List Manager tool](use-the-enterprise-mode-site-list-manager-tool.md) |Guidance about how to use the Enterprise Mode Site List Manager tool, including how to add and update sites on your site list. | +|[Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) |Guidance about how to use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. | |[Using Enterprise Mode](using-enterprise-mode.md) |Guidance about how to turn on either IE7 Enterprise Mode or IE8 Enterprise Mode. | |[Fix web compatibility issues using document modes and the Enterprise Mode Site List](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md) |Guidance about how to decide and test whether to use document modes or Enterprise Mode to help fix compatibility issues. | |[Remove sites from a local Enterprise Mode site list](remove-sites-from-a-local-enterprise-mode-site-list.md) |Guidance about how to remove websites from a device's local Enterprise Mode site list. | diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md index 69bf767c22..1e91d25a85 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md 
@@ -1,27 +1,27 @@ --- -description: Use the Enterprise Mode Site List Manager tool to create and update your Enterprise Mode site list for devices running Windows 7 or Windows 8.1 Update. +description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 7 or Windows 8.1 Update. ms.assetid: 17c61547-82e3-48f2-908d-137a71938823 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat -title: Enterprise Mode schema v.1 guidance for Windows 7 and Windows 8.1 Update devices (Internet Explorer 11 for IT Pros) +title: Enterprise Mode schema v.1 guidance (Internet Explorer 11 for IT Pros) --- -# Enterprise Mode schema v.1 guidance for Windows 7 and Windows 8.1 Update devices +# Enterprise Mode schema v.1 guidance **Applies to:** - Windows 8.1 - Windows 7 -Use the Enterprise Mode Site List Manager tool to create and update your Enterprise Mode site list for devices running Windows 7 or Windows 8.1 Update. If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app. +Use the Enterprise Mode Site List Manager (schema v.1) to create and update your Enterprise Mode site list for devices running the v.1 version of the schema, or the Enterprise Mode Site List Manager (schema v.2) to create and update your Enterprise Mode site list for devices running the v.2 version of the schema. We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md). -If you're using a Windows 10-based device, we strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance for Windows 10 devices](enterprise-mode-schema-version-2-guidance.md). 
+If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app. ## Enterprise Mode schema v.1 example -The following is an example of the Enterprise Mode schema v.1. This schema can run on devices running Windows 7, Windows 8.1, and Windows 10. +The following is an example of the Enterprise Mode schema v.1. This schema can run on devices running Windows 7 and Windows 8.1. **Important**
Make sure that you don't specify a protocol when adding your URLs. Using a URL like `contoso.com` automatically applies to both http://contoso.com and https://contoso.com. diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md index 43b3031513..88ee4fb670 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md 
@@ -1,24 +1,26 @@ --- -description: Use the Enterprise Mode Site List Manager tool to create and update your Enterprise Mode site list for devices running Windows 10. +description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 10. ms.assetid: 909ca359-5654-4df9-b9fb-921232fc05f5 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat -title: Enterprise Mode schema v.2 guidance for Windows 10-based devices (Internet Explorer 11 for IT Pros) +title: Enterprise Mode schema v.2 guidance (Internet Explorer 11 for IT Pros) --- -# Enterprise Mode schema v.2 guidance for Windows 10-based devices +# Enterprise Mode schema v.2 guidance **Applies to:** - Windows 10 +- Windows 8.1 +- Windows 7 -Use the Enterprise Mode Site List Manager tool to create and update your site list for devices running Windows 10, using the version 2.0 (v.2) of the Enterprise Mode schema. If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app. +Use the Enterprise Mode Site List Manager to create and update your site list for devices running Windows 7, Windows 8.1, and Windows 10, using the version 2.0 (v.2) of the Enterprise Mode schema. If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app. **Important**
-These schema updates only apply to devices running Windows 10. For devices running Windows 7 or Windows 8.1, see [Enterprise Mode schema guidance for Windows 7 and Windows 8.1 devices](enterprise-mode-schema-version-1-guidance.md). +If you're running Windows 7 or Windows 8.1 and you've been using the version 1.0 (v.1) of the schema, you can continue to do so, but you won't get the benefits that come with the updated schema. For info about the v.1 schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). ## Enterprise Mode schema v.2 updates Because of the schema changes, you can't combine the old version (v.1) with the new version (v.2) of the schema. If you look at your XML file, you can tell which version you're using by: @@ -27,7 +29,7 @@ Because of the schema changes, you can't combine the old version (v.1) with the - <site-list>. If your schema root node includes this key, you're using the v.2 version of the schema. -You can continue to use the v.1 version of the schema on Windows 10, but you won't have the benefits of the new v.2 version schema updates and new features. Additionally, if you save the v.1 version of the schema in the new Enterprise Mode Site List Manager tool for Windows 10, it will automatically update the file to use the v.2 version of the schema. +You can continue to use the v.1 version of the schema on Windows 10, but you won't have the benefits of the new v.2 version schema updates and new features. Additionally, if you save the v.1 version of the schema in the new Enterprise Mode Site List Manager for Windows 10, it will automatically update the file to use the v.2 version of the schema. ### Enterprise Mode v.2 schema example The following is an example of the v.2 version of the Enterprise Mode schema. 
@@ -249,7 +251,7 @@ With: While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We don’t recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features. **Important**
-Saving your v.1 version of the file using the new Enterprise Mode Site List Manager tool for Windows 10 automatically updates the XML to the new v.2 version of the schema. +Saving your v.1 version of the file using the new Enterprise Mode Site List Manager (schema v.2) automatically updates the XML to the new v.2 version of the schema. ### What not to include in your schema We recommend that you not add any of the following items to your schema because they can make your compatibility list behave in unexpected ways: @@ -260,7 +262,7 @@ We recommend that you not add any of the following items to your schema because - Don’t use query strings, ampersands break parsing. ## Related topics -- [Use the Enterprise Mode Site List Manager tool](use-the-enterprise-mode-site-list-manager-tool.md) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) diff --git a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md index 08b19154e2..36e9f65461 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md 
@@ -2,14 +2,14 @@ description: After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file. ms.assetid: 9ee7c13d-6fca-4446-bc22-d23a0213a95d author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat -title: Export your Enterprise Mode site list from the Enterprise Mode Site List Manager tool (Internet Explorer 11 for IT Pros) +title: Export your Enterprise Mode site list from the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) --- -# Export your Enterprise Mode site list from the Enterprise Mode Site List Manager tool +# Export your Enterprise Mode site list from the Enterprise Mode Site List Manager **Applies to:** @@ -32,9 +32,9 @@ This file is not intended for distribution to your managed devices. Instead, it ## Related topics -- [Download the Enterprise Mode Site List Manager for Windows 10 tool](http://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager for Windows 7 and Windows 8.1 tool](http://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager tool](use-the-enterprise-mode-site-list-manager-tool.md) +- [Download the Enterprise Mode Site List Manager (schema v.2)](http://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](http://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)     diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md index 54453d9b83..4e146ead03 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md 
+++ b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md @@ -2,7 +2,7 @@ description: The Internet Explorer 11 Enterprise Mode site list lets you specify document modes for specific websites, helping you fix compatibility issues without changing a single line of code on the site. ms.assetid: 4b21bb27-aeac-407f-ae58-ab4c6db2baf6 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat @@ -46,11 +46,11 @@ If that doesn’t work, continue down to the next lowest document mode, stopping After you’ve figured out the document mode that fixes your compatibility problems, you can add the site to your Enterprise Mode site list. **Note**
-There are two versions of the Enterprise Mode site list schema and the Enterprise Mode Site List Manager tool, based on your operating system. For more info about the schemas, see [Enterprise Mode schema v.2 guidance for Windows 10 devices](enterprise-mode-schema-version-2-guidance.md) or [Enterprise Mode schema v.1 guidance for Windows 7 and Windows 8.1 devices](enterprise-mode-schema-version-1-guidance.md). For more info about the different site list management tools, see [Use the Enterprise Mode Site List Manager tool](use-the-enterprise-mode-site-list-manager-tool.md). +There are two versions of the Enterprise Mode site list schema and the Enterprise Mode Site List Manager, based on your operating system. For more info about the schemas, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) or [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). For more info about the different site list management tools, see [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md). ![](images/wedge.gif) **To add your site to the site list** -1. Open the Enterprise Mode Site List Manager tool, and click **Add**. +1. Open the Enterprise Mode Site List Manager, and click **Add**. ![Enterprise Mode Site List Manager, showing the available modes](images/emie-listmgr.png) @@ -58,13 +58,13 @@ There are two versions of the Enterprise Mode site list schema and the Enterpris Similar to Enterprise Mode, you can specify a document mode for a particular web path—such as contoso.com/ERP—or at a domain level. In the above, the entire contoso.com domain loads in Enterprise Mode, while microsoft.com is forced to load into IE8 Document Mode and bing.com loads in IE11. **Note**
-For more information about Enterprise Mode, see [What is Enterprise Mode?](what-is-enterprise-mode.md) For more information about the Enterprise Mode Site List Manager tool and how to add sites to your site list, see [Enterprise Mode Site List Manager tool](use-the-enterprise-mode-site-list-manager-tool.md). +For more information about Enterprise Mode, see [What is Enterprise Mode?](what-is-enterprise-mode.md) For more information about the Enterprise Mode Site List Manager and how to add sites to your site list, see [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md). ### Review your Enterprise Mode site list -Take a look at your Enterprise Mode site list and make sure everything is the way you want it. The next step will be to turn the list on and start to use it in your company. The Enterprise Mode Site List Manager tool will look something like: +Take a look at your Enterprise Mode site list and make sure everything is the way you want it. The next step will be to turn the list on and start to use it in your company. The Enterprise Mode Site List Manager will look something like: -![Enterprise Mode Site List Manager tool, showing the different modes](images/emie-sitelistmgr.png) +![Enterprise Mode Site List Manager, showing the different modes](images/emie-sitelistmgr.png) And the underlying XML code will look something like: 
@@ -92,9 +92,9 @@ By default, IE11 uses the **Display intranet sites in Compatibility View** setti To help you move forward, you can now use the Enterprise Mode site list to specify sites or web paths to use the IE7 document mode, which goes down to IE5 “Quirks” mode if the page doesn’t have an explicit `DOCTYPE` tag. Using this document mode effectively helps you provide the Compatibility View functionality for single sites or a group of sites, which after thorough testing, can help you turn off Compatibility View as the default setting for your intranet sites. ## Related topics -- [Download the Enterprise Mode Site List Manager for Windows 10 tool](http://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager for Windows 7 and Windows 8.1 tool](http://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Enterprise Mode Site List Manager tool](use-the-enterprise-mode-site-list-manager-tool.md) +- [Download the Enterprise Mode Site List Manager (schema v.2)](http://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](http://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)     diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md index 051b4acaaf..60d261f86c 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md 
@@ -2,14 +2,14 @@ description: When you add multiple sites to your Enterprise Mode site list entries, they’re validated by the Enterprise Mode Site List Manager before they’re entered into your global list. ms.assetid: 9f80e39f-dcf1-4124-8931-131357f31d67 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat -title: Fix validation problems using the Enterprise Mode Site List Manager tool (Internet Explorer 11 for IT Pros) +title: Fix validation problems using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) --- -# Fix validation problems using the Enterprise Mode Site List Manager tool +# Fix validation problems using the Enterprise Mode Site List Manager **Applies to:** @@ -19,7 +19,7 @@ title: Fix validation problems using the Enterprise Mode Site List Manager tool - Windows Server 2012 R2 - Windows Server 2008 R2 with Service Pack 1 (SP1) -When you add multiple sites to your Enterprise Mode site list entries, they’re validated by the Enterprise Mode Site List Manager tool before they’re entered into your global list. If a site doesn’t pass validation, you’ll have a couple of options to address it. +When you add multiple sites to your Enterprise Mode site list entries, they’re validated by the Enterprise Mode Site List Manager before they’re entered into your global list. If a site doesn’t pass validation, you’ll have a couple of options to address it. There are typically 3 types of errors you’ll see: 
@@ -31,9 +31,9 @@ There are typically 3 types of errors you’ll see: Another possibility is that redirection happens multiple times, with an intermediary site experiencing compatibility issues. For example, an employee types a short URL that then redirects multiple times, finally ending up on a non-intranet site. In this situation, you might want to add the intermediary URLs to your Enterprise Mode site list, in case there’s logic in one of them that has compatibility issues. ## Related topics -- [Download the Enterprise Mode Site List Manager for Windows 10 tool](http://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager for Windows 7 and Windows 8.1 tool](http://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager tool](use-the-enterprise-mode-site-list-manager-tool.md) +- [Download the Enterprise Mode Site List Manager (schema v.2)](http://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](http://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)     diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md index 5e6bc433cc..699ac6b08f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md @@ -2,7 +2,7 @@ description: Overview about Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11 ms.assetid: 63a7ef4a-6de2-4d08-aaba-0479131e3406 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md index d92ab9d3d3..93e3fc0b99 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md @@ -2,7 +2,7 @@ description: Overview about Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11 ms.assetid: ae3d227d-3da7-46b8-8a61-c71bfeae0c63 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md index 5028bab10d..ec32390c66 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md @@ -2,7 +2,7 @@ description: Use the topics in this section to learn about Group Policy and how to use it to manage Internet Explorer. ms.assetid: 50383d3f-9ac9-4a30-8852-354b6eb9434a author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md index 15b8ee2275..fa923d9b37 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md 
@@ -2,7 +2,7 @@ description: Group Policy, the Local Group Policy Editor, and Internet Explorer 11 ms.assetid: 6fc30e91-efac-4ba5-9ee2-fa77dcd36467 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md index c0c1aad839..35078a3e90 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md @@ -2,7 +2,7 @@ description: Group Policy suggestions for compatibility with Internet Explorer 11 ms.assetid: 7482c99f-5d79-4344-9e1c-aea9f0a68e18 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md index ed982594f5..10f870a052 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md @@ -2,7 +2,7 @@ description: Overview of the available Group Policy management tools ms.assetid: e33bbfeb-6b80-4e71-8bba-1d0369a87312 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md index 379b8e22f1..1cb342649a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md 
@@ -2,7 +2,7 @@ description: Info about Group Policy preferences versus Group Policy settings ms.assetid: f2264c97-7f09-4f28-bb5c-58ab80dcc6ee author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md index 042bb55c5f..ab3e07bb1c 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md @@ -2,7 +2,7 @@ description: Links to troubleshooting topics and log files that can help address Group Policy problems with Internet Explorer 11. ms.assetid: 0da0d9a9-200c-46c4-96be-630e82de017b author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md index a358eecd9f..932f43f074 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md @@ -2,7 +2,7 @@ description: Instructions about how to create and configure shortcut preference extensions to file system objects, URLs, and shell objects. ms.assetid: c6fbf990-13e4-4be7-9f08-5bdd43179b3b author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md index 6822bdc5ad..a3cf84a188 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md 
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md @@ -2,7 +2,7 @@ description: Overview about how Group Policy works with Windows Powershell and Internet Explorer 11 ms.assetid: e3607cde-a498-4e04-9daa-b331412967fc author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md index e504c8029b..78cd0493c7 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md @@ -2,7 +2,7 @@ description: If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager. ms.assetid: cacd5d68-700b-4a96-b4c9-ca2c40c1ac5f author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat 
@@ -33,9 +33,9 @@ Importing your file overwrites everything that’s currently in the tool, so mak 3. Review the alert message about all of your entries being overwritten. If you still want to import the file, click **Yes**. ## Related topics -- [Download the Enterprise Mode Site List Manager for Windows 10 tool](http://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager for Windows 7 and Windows 8.1 tool](http://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager tool](use-the-enterprise-mode-site-list-manager-tool.md) +- [Download the Enterprise Mode Site List Manager (schema v.2)](http://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](http://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)     diff --git a/browsers/internet-explorer/ie11-deploy-guide/index.md b/browsers/internet-explorer/ie11-deploy-guide/index.md index 45f8e7349c..26af9a6794 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/index.md +++ b/browsers/internet-explorer/ie11-deploy-guide/index.md @@ -2,7 +2,7 @@ description: Use this guide to learn about the several options and processes you'll need to consider while you're planning for, deploying, and customizing Internet Explorer 11 for your employee's devices. ms.assetid: bddc2d97-c38d-45c5-9588-1f5bbff2e9c3 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros) 
@@ -31,7 +31,7 @@ Because this content isn't intended to be a step-by-step guide, not all of the s |[List of updated features and tools - Internet Explorer 11 (IE11)](updated-features-and-tools-with-ie11.md) |IE11 includes several new features and tools. This topic includes high-level info about the each of them. | |[Install and Deploy Internet Explorer 11 (IE11)](install-and-deploy-ie11.md) |Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. You can also find more info about your virtualization options for legacy apps. | |[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) |Use IE to collect data on computers running Windows Internet Explorer 8 through IE11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. | -|[Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md) |Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager tool in your company. | +|[Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md) |Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. | |[Group Policy and Internet Explorer 11 (IE11)](group-policy-and-ie11.md) |Use the topics in this section to learn about Group Policy and how to use it to manage IE. 
| |[Manage Internet Explorer 11](manage-ie11-overview.md) |Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for IE. | |[Troubleshoot Internet Explorer 11 (IE11)](troubleshoot-ie11.md) |Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with IE. | diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md index bd48d3ce11..34618dbf50 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md @@ -2,7 +2,7 @@ description: Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. ms.assetid: caca18c1-d5c4-4404-84f8-d02bc562915f author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Install and Deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md index 4d84c02d42..dd1116c424 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md @@ -2,7 +2,7 @@ description: How to add and deploy the Internet Explorer 11 update using Microsoft Intune. ms.assetid: b2dfc08c-78af-4c22-8867-7be3b92b1616 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Install Internet Explorer 11 (IE11) using Microsoft Intune (Internet Explorer 11 for IT Pros) 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md index 3555e507a2..f6560589bc 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md @@ -2,7 +2,7 @@ description: How to install the Internet Explorer 11 update using Microsoft Deployment Toolkit (MDT) and your Windows images. ms.assetid: e16f9144-170c-4964-a62d-0d1a16f4cd1f author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md index b7fc1bac1f..d89f7f25bd 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md @@ -2,7 +2,7 @@ description: How to install the Internet Explorer 11 update using System Center 2012 R2 Configuration Manager ms.assetid: 9ede9722-29b3-4cb7-956d-ffa91e7bedbd author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md index b6d35b63c0..82866d766a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md 
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md @@ -2,7 +2,7 @@ description: How to install the Internet Explorer 11 update using your network ms.assetid: 85f6429d-947a-4031-8f93-e26110a35828 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Install Internet Explorer 11 (IE11) using your network (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md index 229278982b..a6e2c79c58 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md @@ -2,7 +2,7 @@ description: How to install the Internet Explorer 11 update using third-party tools and command-line options. ms.assetid: 30190c66-49f7-4ca4-8b57-a47656aa0c7e author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Install Internet Explorer 11 (IE11) using third-party tools (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md index fb74106e67..61cf35bf43 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md 
@@ -2,7 +2,7 @@ description: How to install the Internet Explorer 11 update using Windows Server Update Services (WSUS)' ms.assetid: 6cbd6797-c670-4236-8423-e0919478f2ce author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Install Internet Explorer 11 (IE11) using Windows Server Update Services (WSUS) (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md index 45bd363021..1a16679847 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md @@ -2,7 +2,7 @@ description: How to fix potential installation problems with Internet Explorer 11 ms.assetid: 3ae77745-86ac-40a9-a37d-eebbf37661a3 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Install problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md index c79e0a7a9e..a8d097f152 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md @@ -2,7 +2,7 @@ description: How to fix intranet search problems with Internet Explorer 11 ms.assetid: 3ee71d93-d9d2-48e1-899e-07932c73faa6 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Fix intranet search problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md index 8993bbcf38..0f2607cf87 100644 
--- a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md +++ b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md @@ -2,7 +2,7 @@ description: Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for Internet Explorer. ms.assetid: eb3cce62-fc7b-41e3-97b6-2916b85bcf55 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Manage Internet Explorer 11 (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md index f3d32fb46c..9e9f124417 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md @@ -2,7 +2,7 @@ description: IEM-configured settings have been deprecated for Internet Explorer 10 and newer. Use this topic to learn where to go to fix the affected settings through Group Policy Preferences, Administrative Templates (.admx), or the IEAK. ms.assetid: 89084e01-4e3f-46a6-b90e-48ee58d6821c author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: support ms.sitesec: library title: Missing Internet Explorer Maintenance settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md index c1c70107bb..5dd33850fe 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md +++ b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md 
@@ -2,7 +2,7 @@ description: Internet Explorer 11 uses the latest standards mode, which simplifies web page compatibility for users by removing the **Compatibility View** button and reducing the number of compatibility options in the F12 developer tools for developers. ms.assetid: 501c96c9-9f03-4913-9f4b-f67bd9edbb61 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: support ms.sitesec: library title: Missing the Compatibility View Button (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md index 184aee8b3d..e495db7d28 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md @@ -2,7 +2,7 @@ description: How to turn managed browser hosting controls back on in Internet Explorer 11. ms.assetid: b0b7f60f-9099-45ab-84f4-4ac64d7bcb43 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: support ms.sitesec: library title: .NET Framework problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md index 440c91313f..5a056a8d4f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md @@ -2,7 +2,7 @@ description: New group policy settings for Internet Explorer 11 ms.assetid: 669cc1a6-e2cb-403f-aa31-c1de52a615d1 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md index d199472eaa..95c8543bf5 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md +++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md @@ -2,7 +2,7 @@ description: Use out-of-date ActiveX control blocking to help you know when IE prevents a webpage from loading outdated ActiveX controls and to update the outdated control, so that it’s safer to use. ms.assetid: e61866bb-1ff1-4a8d-96f2-61d3534e8199 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md index c703a74e9f..dfe720a878 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md @@ -2,7 +2,7 @@ description: Possible solutions to the problems you might encounter after installing IE11, such as crashing or seeming slow, getting into an unusable state, or problems with adaptive streaming and DRM playback. ms.assetid: c4b75ad3-9c4a-4dd2-9fed-69f776f542e6 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: support ms.sitesec: library title: Problems after installing Internet Explorer 11 (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md index 03e34ca328..14a0aa7e47 100644 
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md @@ -2,7 +2,7 @@ description: Instructions about how to clear all of the sites from your global Enterprise Mode site list. ms.assetid: 90f38a6c-e0e2-4c93-9a9e-c425eca99e97 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat 
@@ -22,7 +22,7 @@ title: Remove all sites from your Enterprise Mode site list using the Enterprise You can clear all of the sites from your global Enterprise Mode site list. **Important**   -This is a permanent removal and erases everything. However, if you determine it was a mistake, and you saved an XML copy of your list, you can add the file again by following the steps in the [Add multiple sites to the Enterprise Mode site list using a file and Windows 10 Enterprise Mode Site List Manager tool](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md), depending on your operating system. +This is a permanent removal and erases everything. However, if you determine it was a mistake, and you saved an XML copy of your list, you can add the file again by following the steps in the [Add multiple sites to the Enterprise Mode site list using a file and Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md), depending on your operating system. ![](images/wedge.gif) **To clear your compatibility list** @@ -31,9 +31,9 @@ This is a permanent removal and erases everything. However, if you determine it 2. Click **Yes** in the warning message.

Your sites are all cleared from your list. ## Related topics -- [Download the Enterprise Mode Site List Manager for Windows 10 tool](http://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager for Windows 7 and Windows 8.1 tool](http://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager tool](use-the-enterprise-mode-site-list-manager-tool.md) +- [Download the Enterprise Mode Site List Manager (schema v.2)](http://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](http://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)     diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md index 0b1e0e6b69..49b9d38c79 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md @@ -2,7 +2,7 @@ description: Instructions about how to remove sites from a local compatibility view list. ms.assetid: f6ecaa75-ebcb-4f8d-8721-4cd6e73c0ac9 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md index 14d587d2eb..caed9d1c1b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md 
@@ -2,7 +2,7 @@ description: Instructions about how to remove sites from a local Enterprise Mode site list. ms.assetid: c7d6dd0b-e264-42bb-8c9d-ac2f837018d2 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat diff --git a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md index 20b7daca7a..c22234e870 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md @@ -2,7 +2,7 @@ description: You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems. ms.assetid: 254a986b-494f-4316-92c1-b089ee8b3e0a author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat 
@@ -29,9 +29,9 @@ You can save your current Enterprise Mode compatibility site list as an XML file The first time a user starts Internet Explorer 11 on a managed device; Internet Explorer will look for a new version of the site list at the specified location. If the browser finds an updated site list, IE downloads the new XML site list and uses it. ## Related topics -- [Download the Enterprise Mode Site List Manager for Windows 10 tool](http://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager for Windows 7 and Windows 8.1 tool](http://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager tool](use-the-enterprise-mode-site-list-manager-tool.md) +- [Download the Enterprise Mode Site List Manager (schema v.2)](http://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](http://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)     diff --git a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md index fcfcfe5767..51d34e4165 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md @@ -2,7 +2,7 @@ description: Search to see if a specific site already appears in your global Enterprise Mode site list. ms.assetid: e399aeaf-6c3b-4cad-93c9-813df6ad47f9 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat 
@@ -23,13 +23,13 @@ You can search to see if a specific site already appears in your global Enterpri ![](images/wedge.gif) **To search your compatibility list** -- From the Enterprise Mode Site List Manager tool, type part of the URL into the **Search** box.

+- From the Enterprise Mode Site List Manager, type part of the URL into the **Search** box.

The search query searches all of the text. For example, entering *“micro”* will return results like, www.microsoft.com, microsoft.com, and microsoft.com/images. Wildcard characters aren’t supported. ## Related topics -- [Download the Enterprise Mode Site List Manager for Windows 10 tool](http://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager for Windows 7 and Windows 8.1 tool](http://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager tool](use-the-enterprise-mode-site-list-manager-tool.md) +- [Download the Enterprise Mode Site List Manager (schema v.2)](http://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](http://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)     diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md index 89d6428b85..541477f154 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md @@ -2,7 +2,7 @@ description: Use the Group Policy setting, Set a default associations configuration file, to set the default browser for your company devices running Windows 10. ms.assetid: f486c9db-0dc9-4cd6-8a0b-8cb872b1d361 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md index ae2f3d8cc7..4bbb754737 100644 
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md @@ -2,7 +2,7 @@ description: Set up and turn on Enterprise Mode logging and data collection in your organization. ms.assetid: 2e98a280-f677-422f-ba2e-f670362afcde author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat 
@@ -27,7 +27,7 @@ The **Let users turn on and use Enterprise Mode from the Tools menu** setting al ![group policy to turn on enterprise mode](images/ie-emie-grouppolicy.png) -Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Windows 10 Enterprise Mode Site List Manager tool](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system. +Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system. ## Using ASP to collect your data When you turn logging on, you need a valid URL that points to a server that can be listened to for updates to a user’s registry key. 
This means you need to set up an endpoint server for the incoming POST messages, which are sent every time the user turns Enterprise Mode on or off from the **Tools** menu. @@ -141,10 +141,10 @@ If you have errors while you’re publishing your project, you should try to upd You may need to do some additional package cleanup to remove older package versions. ## Related topics -- [Download the Enterprise Mode Site List Manager for Windows 10 tool](http://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager for Windows 7 and Windows 8.1 tool](http://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Download the Enterprise Mode Site List Manager (schema v.2)](http://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](http://go.microsoft.com/fwlink/p/?LinkID=394378) - [What is Enterprise Mode?](what-is-enterprise-mode.md) -- [Use the Enterprise Mode Site List Manager tool](use-the-enterprise-mode-site-list-manager-tool.md) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) - [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md)   diff --git a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md index bf52290a0c..464be0d98d 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md @@ -2,7 +2,7 @@ description: Reviewing log files to learn more about potential setup problems with Internet Explorer 11. ms.assetid: 2cd79988-17d1-4317-bee9-b3ae2dd110a0 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: support ms.sitesec: library ms.pagetype: appcompat 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md index 569a366377..f087763a35 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md @@ -2,7 +2,7 @@ description: Lists the minimum system requirements and supported languages for Internet Explorer 11. ms.assetid: 27185e3d-c486-4e4a-9c51-5cb317c0006d author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: System requirements and language support for Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md index 3f743c6747..74b34e10b8 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md @@ -2,7 +2,7 @@ description: Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with Internet Explorer. ms.assetid: 0361c1a6-3faa-42b2-a588-92439eebeeab author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: support ms.sitesec: library title: Troubleshoot Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md index 6068c992d8..02aacfd395 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md 
@@ -2,7 +2,7 @@ description: How to turn Enteprrise Mode off temporarily while testing websites and how to turn it off completely if you no longer want to to use it. ms.assetid: 5027c163-71e0-49b8-9dc0-f0a7310c7ae3 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat @@ -65,7 +65,7 @@ Enterprise Mode is no longer a user option on the **Tools** menu in IE11. Howeve - [What is Enterprise Mode?](what-is-enterprise-mode.md) - [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) - [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) -- [Use the Enterprise Mode Site List Manager tool](use-the-enterprise-mode-site-list-manager-tool.md) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)     diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md index 7dffa89bdd..7789175f6c 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md @@ -2,7 +2,7 @@ description: Turn off natural metrics for Internet Explorer 11 ms.assetid: e31a27d7-662e-4106-a3d2-c6b0531961d5 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: support ms.sitesec: library title: Fix font rendering problems by turning off natural metrics (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md index 5aaf827d87..b0be90bcc7 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md 
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md @@ -2,7 +2,7 @@ description: How to turn on Enterprise Mode and specify a site list. ms.assetid: 800e9c5a-57a6-4d61-a38a-4cb972d833e1 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat @@ -27,7 +27,7 @@ We recommend that you store and download your website list from a secure web sev ![](images/wedge.gif) **To turn on Enterprise Mode using Group Policy** 1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list` setting.

-Turning this setting on also requires you to create and store a site list. For more information about creating your site list, see the [Use the Enterprise Mode Site List Manager tool](use-the-enterprise-mode-site-list-manager-tool.md) topics. +Turning this setting on also requires you to create and store a site list. For more information about creating your site list, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics. ![local group policy editor for using a site list](images/ie-emie-grouppolicysitelist.png) 
@@ -49,13 +49,13 @@ Turning this setting on also requires you to create and store a site list. For m - **Local file:** `"SiteList"="file:///c:\\Users\\\\Documents\\testList.xml"` - All of your managed devices must have access to this location if you want them to be able to access and use Enterprise Mode and your site list. For information about how to create and use an Enterprise Mode site list, see [Use the Enterprise Mode Site List Manager tool](use-the-enterprise-mode-site-list-manager-tool.md). + All of your managed devices must have access to this location if you want them to be able to access and use Enterprise Mode and your site list. For information about how to create and use an Enterprise Mode site list, see [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md). ## Related topics -- [Download the Enterprise Mode Site List Manager for Windows 10 tool](http://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager for Windows 7 and Windows 8.1 tool](http://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) -- [Add multiple sites to the Enterprise Mode site list using a file and the Windows 10 Enterprise Mode Site List Manager tool](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) +- [Download the Enterprise Mode Site List Manager (schema v.2)](http://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](http://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema 
v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) +- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md)     diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md index e4d18d269f..e6f9fb3380 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md @@ -2,7 +2,7 @@ description: Turn on local user control and logging for Enterprise Mode. ms.assetid: 6622ecce-24b1-497e-894a-e1fd5a8a66d1 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat diff --git a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md index a58c9b8903..af3d3cb6a3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md @@ -2,7 +2,7 @@ description: High-level info about some of the new and updated features for Internet Explorer 11. ms.assetid: f53c6f04-7c60-40e7-9fc5-312220f08156 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager-tool.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager-tool.md deleted file mode 100644 index 7d7f5c25dc..0000000000 --- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager-tool.md +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Manager tool. -ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b -author: eross-msft -ms.prod: IE11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: appcompat -title: Use the Enterprise Mode Site List Manager tool (Internet Explorer 11 for IT Pros) ---- - -# Use the Enterprise Mode Site List Manager tool - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. - -You can use IE11 and the Enterprise Mode Site List Manager tool to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode. - -## Enterprise Mode Site List Manager tool versions -There are currently two versions of the Enterprise Site List Manager tool, both based on your schema and operating system. Download the [Enterprise Mode Site List Manager for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=716853) tool or the [Enterprise Mode Site List Manager for Windows 7 and Windows 8.1](http://go.microsoft.com/fwlink/p/?LinkID=394378) tool, based on your operating system. - -|Operating system |Schema version |Enterprise Site List Manager tool version | -|-----------------|---------------|------------------------------------| -|Windows 10 |Enterprise Mode schema, version 2 (v.2)

-OR-

Enterprise Mode schema, version 1 (v.1) |Windows 10 supports both versions of the enterprise mode schema. However, the Windows 10 Enterprise Mode Site List Manager tool only supports the v.2 version of the schema. If you import a v.1 version schema into the Windows 10 Enterprise Mode Site List Manager tool, it will save the XML into the v.2 version of the schema.

For more info about the different schema versions, see [Enterprise Mode schema v.2 guidance for Windows 10 devices](enterprise-mode-schema-version-2-guidance.md) | -|Windows 7

-OR-

Windows 8.1 |Enterprise Mode schema v.1 |Uses the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool.

For more info about the different schema versions, see [Enterprise Mode schema v.1 guidance for Windows 7 and Windows 8.1 devices](enterprise-mode-schema-version-1-guidance.md) | - -## Using the Enterprise Mode Site List Manager tool -The following topics give you more information about the things that you can do with the Enterprise Mode Site List Manager tool. - -|Topic |Description | -|------|------------| -|[Add sites to the Enterprise Mode site list using the Windows 10 Enterprise Mode Site List Manager tool](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) |How to add websites to your site list using the Windows 10 Enterprise Mode Site List Manager. | -|[Add sites to the Enterprise Mode site list using the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) |How to add websites to your site list using the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager. | -|[Add multiple sites to the Enterprise Mode site list using a file and the Windows 10 Enterprise Mode Site List Manager tool](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the Windows 10 Enterprise Mode Site List Manager. | -|[Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager. 
| -|[Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager tool](edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md) |How to edit the compatibility mode for specific websites.

This topic applies to both versions of the Enterprise Mode Site List Manager tool. | -|[Fix validation problems using the Enterprise Mode Site List Manager tool](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md) |How to fix common site list validation errors.

This topic applies to both versions of the Enterprise Mode Site List Manager tool. | -|[Search your Enterprise Mode site list in the Enterprise Mode Site List Manager tool](search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to look to see if a site is already in your global Enterprise Mode site list.

This topic applies to both versions of the Enterprise Mode Site List Manager tool. | -|[Save your site list to XML in the Enterprise Mode Site List Manager tool](save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md) |How to save a site list as XML, so you can deploy and use it with your managed systems.

This topic applies to both versions of the Enterprise Mode Site List Manager tool. | -|[Export your Enterprise Mode site list from the Enterprise Mode Site List Manager tool](export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md) |How to export your site list so you can transfer your data and contents to someone else.

This topic applies to both versions of the Enterprise Mode Site List Manager tool. | -|[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager tool](import-into-the-enterprise-mode-site-list-manager.md) |How to import your site list to replace a corrupted or out-of-date list.

This topic applies to both versions of the Enterprise Mode Site List Manager tool. | -|[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager tool](delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete a website from your site list.

This topic applies to both versions of the Enterprise Mode Site List Manager tool. | -|[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager tool](remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete all of the websites in a site list.

This topic applies to both versions of the Enterprise Mode Site List Manager tool. | - -## Related topics - - -- [Download the Enterprise Mode Site List Manager for Windows 10 tool](http://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager for Windows 7 and Windows 8.1 tool](http://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Enterprise Mode schema v.2 guidance for Windows 10 devices](enterprise-mode-schema-version-2-guidance.md) -- [Enterprise Mode schema v.1 guidance for Windows 7 and Windows 8.1 devices](enterprise-mode-schema-version-1-guidance.md) -  - -  - - - diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md new file mode 100644 index 0000000000..07af66b6be --- /dev/null +++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md 
@@ -0,0 +1,64 @@ +--- +description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Manager. +ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b +author: eross-msft +ms.prod: ie11 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: appcompat +title: Use the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +--- + +# Use the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. + +You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode. + +## Enterprise Mode Site List Manager versions +There are currently two versions of the Enterprise Site List Manager, both based on your schema and operating system. Download the [Enterprise Mode Site List Manager (schema v.2)](http://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](http://go.microsoft.com/fwlink/p/?LinkID=394378) tool, based on your operating system. + +|Operating system |Schema version |Enterprise Site List Manager version | +|-----------------|---------------|------------------------------------| +|Windows 10 |Enterprise Mode schema, version 2 (v.2)

-OR-

Enterprise Mode schema, version 1 (v.1) |Windows 10 supports both versions of the enterprise mode schema. However, the Enterprise Mode Site List Manager (schema v.2) only supports the v.2 version of the schema. If you import a v.1 version schema into the Enterprise Mode Site List Manager (schema v.2), it will save the XML into the v.2 version of the schema.

For more info about the different schema versions, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) | +|Windows 7

-OR-

Windows 8.1 |Enterprise Mode schema v.1 |Uses the Enterprise Mode Site List Manager (schema v.1).

For more info about the different schema versions, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) | + +## Using the Enterprise Mode Site List Manager +The following topics give you more information about the things that you can do with the Enterprise Mode Site List Manager. + +|Topic |Description | +|------|------------| +|[Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) |How to add websites to your site list using the Enterprise Mode Site List Manager (schema v.2). | +|[Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) |How to add websites to your site list using the Enterprise Mode Site List Manager (schema v.1). | +|[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the Enterprise Mode Site List Manager (schema v.2). | +|[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the WEnterprise Mode Site List Manager (schema v.1). | +|[Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md) |How to edit the compatibility mode for specific websites.

This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md) |How to fix common site list validation errors.

This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Search your Enterprise Mode site list in the Enterprise Mode Site List Manager](search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to look to see if a site is already in your global Enterprise Mode site list.

This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Save your site list to XML in the Enterprise Mode Site List Manager](save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md) |How to save a site list as XML, so you can deploy and use it with your managed systems.

This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md) |How to export your site list so you can transfer your data and contents to someone else.

This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](import-into-the-enterprise-mode-site-list-manager.md) |How to import your site list to replace a corrupted or out-of-date list.

This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete a website from your site list.

This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete all of the websites in a site list.

This topic applies to both versions of the Enterprise Mode Site List Manager. | + +## Related topics + + +- [Download the Enterprise Mode Site List Manager (schema v.2)](http://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](http://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) +- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md index 0e1533193e..2166cdd0e0 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md @@ -2,7 +2,7 @@ description: Info about where features went in the IEAK11, where the Favorites, Command, and Status bars went, and where the search bar went. ms.assetid: 7324faff-ccb6-4e14-ad91-af12dbca575e author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: support ms.sitesec: library title: User interface problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md index b47ac2397c..bf9b76e571 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md @@ -2,7 +2,7 @@ description: Use this section to learn about how to turn on and use IE7 Enterprise Mode or IE8 Enterprise Mode. ms.assetid: 238ead3d-8920-429a-ac23-02f089c4384a author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
@@ -32,20 +32,20 @@ Because we’ve added the IE7 Enterprise Mode option, we’ve had to rename the ## Turning on and using IE7 Enterprise Mode or IE8 Enterprise Mode For instructions about how to add IE7 Enterprise Mode or IE8 Enterprise Mode to your webpages and apps, see: -- [Add single sites to the Enterprise Mode site list using the Windows 10 Enterprise Mode Site List Manager tool](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) +- [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) -- [Add single sites to the Enterprise Mode site list using the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) +- [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) -- [Add multiple sites to the Enterprise Mode site list using a file and the Windows 10 Enterprise Mode Site List Manager tool](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) +- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) -- [Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and Windows 8.1 Enterprise Mode Site List Manager tool](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) +- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema 
v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) For instructions and more info about how to fix your compatibility issues using Enterprise Mode, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). ## Related topics -- [Download the Enterprise Mode Site List Manager for Windows 10 tool](http://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager for Windows 7 and Windows 8.1 tool](http://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager tool](use-the-enterprise-mode-site-list-manager-tool.md) +- [Download the Enterprise Mode Site List Manager (schema v.2)](http://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](http://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)     diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md index 43d7ddb582..949cd32611 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md @@ -2,7 +2,7 @@ description: How to use IEAK 11 while planning, customizing, and building the custom installation package. ms.assetid: af93742f-f955-44ab-bfa2-7bf0c99045d3 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Using Internet Explorer Administration Kit 11 (IEAK 11) to create packages (Internet Explorer 11 for IT Pros) 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md index b0ec5657e5..d8790ddf45 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md @@ -2,7 +2,7 @@ description: How to use Setup Information (.inf) files to create installation packages. ms.assetid: 04fa2ba8-8d84-4af6-ab99-77e4f1961b0e author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Using Setup Information (.inf) files to create packages (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md index eef5dd2a0f..ad843a3a06 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md @@ -2,7 +2,7 @@ description: Virtualization and compatibility with Internet Explorer 11 ms.assetid: b0388c04-2584-4b6d-a7a8-4e0476773a80 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: virtualization diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md index af00defb04..2e952c7915 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md 
@@ -2,7 +2,7 @@ description: Info about the features included in Enterprise Mode with Internet Explorer 11. ms.assetid: 3c77e9f3-eb21-46d9-b5aa-f9b2341cfefa author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat @@ -29,8 +29,8 @@ Enterprise Mode includes the following features: - **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting a number of site patterns that aren’t currently supported by existing document modes. -- **Tool-based management for website lists.** Use the Enterprise Mode Site List Manager tool to add website domains and domain paths and to specify whether a site renders using Enterprise Mode.

-Download the [Enterprise Mode Site List Manager for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=716853) tool or the [Enterprise Mode Site List Manager for Windows 7 and Windows 8.1](http://go.microsoft.com/fwlink/p/?LinkID=394378) tool, based on your operating system and schema. +- **Tool-based management for website lists.** Use the Enterprise Mode Site List Manager to add website domains and domain paths and to specify whether a site renders using Enterprise Mode.

+Download the [Enterprise Mode Site List Manager (schema v.2)](http://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](http://go.microsoft.com/fwlink/p/?LinkID=394378), based on your operating system and schema. - **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the **Tools** menu and to decide whether the Enterprise browser profile appears on the **Emulation** tab of the F12 developer tools.

**Important**
All centrally-made decisions override any locally-made choices.  diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md index b2bde8e6b2..af8996de35 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md @@ -2,7 +2,7 @@ description: How to download and use the Internet Explorer 11 Blocker Toolkit to turn off the automatic delivery of IE11 through the Automatic Updates feature of Windows Update. ms.assetid: fafeaaee-171c-4450-99f7-5cc7f8d7ba91 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: support ms.sitesec: library ms.pagetype: security diff --git a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md index f2de81a8e7..af8d54f7b2 100644 --- a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md +++ b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md @@ -2,14 +2,14 @@ description: Frequently asked questions about Internet Explorer 11 for IT Pros ms.assetid: 140e7d33-584a-44da-8c68-6c1d568e1de3 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: explore ms.sitesec: library title: Internet Explorer 11 - FAQ for IT Pros (Internet Explorer 11 for IT Pros) --- # Internet Explorer 11 - FAQ for IT Pros -Answering frequently asked questions about Internet Explorer 11 features, operating system support, integration with the Windows operating system, Group Policy, and general configuration. +Answering frequently asked questions about Internet Explorer 11 (IE11) features, operating system support, integration with the Windows operating system, Group Policy, and general configuration. ## Frequently Asked Questions 
@@ -79,7 +79,7 @@ For more information, see [Turn on Enterprise Mode and use a site list](../ie11- **Q: What is the Enterprise Mode Site List Manager tool?**
Enterprise Mode Site List Manager tool gives you a way to add websites to your Enterprise Mode site list, without having to manually code XML.

-For more information, see all of the topics in [Use the Enterprise Mode Site List Manager tool](../ie11-deploy-guide/use-the-enterprise-mode-site-list-manager-tool.md). +For more information, see all of the topics in [Use the Enterprise Mode Site List Manager](../ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md). **Q: Are browser plug-ins supported in IE11?**
The immersive version of IE11 provides an add-on–free experience, so browser plugins won't load and dependent content won't be displayed. This doesn't apply to Internet Explorer for the desktop. For more information, see [Browsing Without Plug-ins](http://go.microsoft.com/fwlink/p/?LinkId=242587). However, Internet Explorer for the desktop and IE11 on Windows 7 with SP1 do support browser plugins, including ActiveX controls such as Adobe Flash and Microsoft Silverlight. @@ -145,12 +145,4 @@ Group Policy settings can be set to open either IE or Internet Explorer for the ## Related topics - [Microsoft Edge - Deployment Guide for IT Pros](http://go.microsoft.com/fwlink/p/?LinkId=760643) - [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md) -- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md) -  - -  - -  - - - +- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md) \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md index cb7f5b4a37..a72ab5e2d6 100644 --- a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md @@ -2,7 +2,7 @@ description: How to use the Accelerators page in the IEAK 11 Customization Wizard to add accelerators to employee devices. ms.assetid: 208305ad-1bcd-42f3-aca3-0ad1dda7048b author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Accelerators page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md index 72ed33acca..1c7812e8fc 100644 
--- a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md @@ -2,7 +2,7 @@ description: How to use IEAK 11 to add and approve ActiveX controls for your organization. ms.assetid: 33040bd1-f0e4-4541-9fbb-16e0c76752ab author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Add and approve ActiveX controls using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md index 31db2d0a4d..0a3b15979e 100644 --- a/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md @@ -2,7 +2,7 @@ description: We’re sorry. While we continue to recommend that you digitally sign your package, we’ve removed all of the functionality that allowed you to add a root certificate using the Internet Explorer Customization Wizard 11. The wizard page itself will be removed in a future version of the IEAK. ms.assetid: 7ae4e747-49d2-4551-8790-46a61b5fe838 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Add a Root Certificate page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md index 75c98afa39..f6aede477d 100644 --- a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md 
@@ -2,7 +2,7 @@ description: How to use the Additional Settings page in IEAK 11 Customization Wizard for additional settings that relate to your employee’s desktop, operating system, and security. ms.assetid: c90054af-7b7f-4b00-b55b-5e5569f65f25 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Additional Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md index 1b2983cc37..cb2f3af34a 100644 --- a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md @@ -2,7 +2,7 @@ description: How to use the Automatic Configuration page in the IEAK 11 Customization Wizard to add URLs to auto-configure IE. ms.assetid: de5b1dbf-6e4d-4f86-ae08-932f14e606b0 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Automatic Configuration page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md index c2ef84d040..a33c77cae8 100644 --- a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md @@ -2,7 +2,7 @@ description: How to set up automatic detection for DHCP or DNS servers using IEAK 11 in your organization. ms.assetid: c6bfe7c4-f452-406f-b47e-b7f0d8c44ae1 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Set up auto detection for DHCP or DNS servers using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) 
diff --git a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md index 4fb6d2efda..62239b4d46 100644 --- a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md @@ -2,7 +2,7 @@ description: How to use the Automatic Version Synchronization page in the IEAK 11 Customization Wizard to download the IE11 Setup file each time you run the Wizard. ms.assetid: bfc7685f-843b-49c3-8b9b-07e69705840c author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Automatic Version Synchronization page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md index 76dc99175d..ff5b52268c 100644 --- a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md @@ -2,7 +2,7 @@ description: A list of steps to follow before you start to create your custom browser installation packages. ms.assetid: 6ed182b0-46cb-4865-9563-70825be9a5e4 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: plan ms.sitesec: library title: Before you start using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md index 104a343b04..dac3198b66 100644 --- a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md 
@@ -2,7 +2,7 @@ description: Use the \[Branding\] .INS file setting to set up your custom branding and setup info in your browser install package. ms.assetid: cde600c6-29cf-4bd3-afd1-21563d2642df author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Branding .INS file to create custom branding and setup info (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md index 4ae4b5d94c..fa8d449cf1 100644 --- a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md @@ -2,7 +2,7 @@ description: How to use the Browser User Interface page in the IEAK 11 Customization Wizard to change the toolbar buttons and the title bar. ms.assetid: c4a18dcd-2e9c-4b5b-bcc5-9b9361a79f0d author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Browser User Interface page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md index ef6ada866a..dea816e8c3 100644 --- a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md @@ -2,7 +2,7 @@ description: Use the \[BrowserToolbars\] .INS file setting to customize your Internet Explorer toolbar and buttons. ms.assetid: 83af0558-9df3-4c2e-9350-44f7788efa6d author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: plan ms.sitesec: library title: Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar and buttons (Internet Explorer Administration Kit 11 for IT Pros) 
diff --git a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md index 4d154531e9..234b5314b8 100644 --- a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md @@ -2,7 +2,7 @@ description: How to use the Browsing Options page in the IEAK 11 Customization Wizard to manage items in the Favorites, Favorites Bar, and Feeds section. ms.assetid: d6bd71ba-5df3-4b8c-8bb5-dcbc50fd974e author: eross-msft -ms.prod: IE111 +ms.prod: ie111 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Browsing Options page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md index 90fa7ad61c..d5d956d65f 100644 --- a/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md @@ -2,7 +2,7 @@ description: Use the \[CabSigning\] .INS file setting to customize the digital signature info for your apps. ms.assetid: 098707e9-d712-4297-ac68-7d910ca8f43b author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the CabSigning .INS file to customize the digital signature info for your apps (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md index 738a171960..623ebff701 100644 --- a/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md 
@@ -2,7 +2,7 @@ description: We’re sorry. We’ve removed all of the functionality included on the **Compatibility View** page of the Internet Explorer Customization Wizard 11. ms.assetid: 51d8f80e-93a5-41e4-9478-b8321458bc30 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: appcompat diff --git a/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md index b0c69e3ce4..ae61348d3f 100644 --- a/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md @@ -2,7 +2,7 @@ description: We’re sorry. We’ve removed all of the functionality included on the **Connection Manager** page of the Internet Explorer Customization Wizard 11. ms.assetid: 1edaa7db-cf6b-4f94-b65f-0feff3d4081a author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Connection Manager page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md index 580fa77c82..3ff0ad3e5d 100644 --- a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md @@ -2,7 +2,7 @@ description: How to use the Connection Settings page in IEAK 11 Customization Wizard to import and preset connection settings on your employee’s computers. ms.assetid: dc93ebf7-37dc-47c7-adc3-067d07de8b78 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Connection Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) 
diff --git a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md index bfca5d8bf1..63ebc27054 100644 --- a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md @@ -2,7 +2,7 @@ description: Use the \[ConnectionSettings\] .INS file setting to specify the network connection settings needed to install your custom package. ms.assetid: 41410300-6ddd-43b2-b9e2-0108a2221355 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: plan ms.sitesec: library title: Use the ConnectionSettings .INS file to review the network connections for install (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md index 83898cb819..6b52865341 100644 --- a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md @@ -2,7 +2,7 @@ description: How to create your folder structure on the computer that you’ll use to build your custom browser package. ms.assetid: e0d05a4c-099f-4f79-a069-4aa1c28a1080 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: plan ms.sitesec: library title: Create the build computer folder structure using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md index 511e2c0e8c..027de7e6c3 100644 --- a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md 
@@ -2,7 +2,7 @@ description: Review this list of tasks and references before you create and deploy your Internet Explorer 11 custom install packages. ms.assetid: fe71c603-bf07-41e1-a477-ade5b28c9fb3 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: plan ms.sitesec: library title: Tasks and references to consider before creating and deploying custom packages using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md index be4db58577..6a0431b323 100644 --- a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md @@ -2,7 +2,7 @@ description: Steps to create multiple versions of your custom browser if you support more than 1 version of Windows, more than 1 language, or have different features in each package. ms.assetid: 4c5f3503-8c69-4691-ae97-1523091ab333 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Create multiple versions of your custom package using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md index 505ed2cd71..cb69adb1be 100644 --- a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md +++ b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md 
@@ -2,7 +2,7 @@ description: Use Setup information (.inf) files to uninstall custom components from your custom browser packages. ms.assetid: 8257aa41-58de-4339-81dd-9f2ffcc10a08 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use Setup information (.inf) files to uninstall custom components (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md index e728919ec3..454afe5dde 100644 --- a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md @@ -2,7 +2,7 @@ description: How to use the Custom Components page in the IEAK 11 Customization Wizard to add additional components for your employees to install with IE. ms.assetid: 38a2b90f-c324-4dc8-ad30-8cd3e3e901d7 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Custom Components page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md index 76e8a2240e..223eb8bbfe 100644 --- a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md @@ -2,7 +2,7 @@ description: Use the \[CustomBranding\] .INS file setting to specify the location of your branding cabinet (.cab) file. ms.assetid: 9c74e239-65c5-4aa5-812f-e0ed80c5c2b0 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: plan ms.sitesec: library title: Use the CustomBranding .INS file to create custom branding and setup info (Internet Explorer Administration Kit 11 for IT Pros) 
diff --git a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md index 8cf0734498..def77f424a 100644 --- a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md +++ b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md @@ -2,7 +2,7 @@ description: Customize Automatic Search in Internet Explorer so that your employees can type a single word into the Address box to search for frequently used pages. ms.assetid: 694e2f92-5e08-49dc-b83f-677d61fa918a author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: manage ms.sitesec: library title: Customize Automatic Search using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md index 1788f031f5..8c39fcada8 100644 --- a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md @@ -2,7 +2,7 @@ description: Use the \[ExtRegInf\] .INS file setting to specify your Setup information (.inf) files and the installation mode for your custom components. ms.assetid: 53148422-d784-44dc-811d-ef814b86a4c6 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the ExtRegInf .INS file to specify your installation files and mode (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md index 602a550acb..27fbfbed18 100644 --- a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md 
@@ -2,7 +2,7 @@ description: How to use the Favorites, Favorites Bar, and Feeds page in IEAK 11 Customization Wizard to add links, web slices, and feeds to your custom browser package. ms.assetid: 84afa831-5642-4b8f-b7df-212a53ec8fc7 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md index 96fcc8e8ee..b85f2f805e 100644 --- a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md @@ -2,7 +2,7 @@ description: Use the \[FavoritesEx\] .INS file setting to specify your Favorites icon file, whether Favorites is available offline, and your Favorites URLs. ms.assetid: 55de376a-d442-478e-8978-3b064407b631 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the FavoritesEx .INS file for your Favorites icon and URLs (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md index 1a9b070c08..0fea681fea 100644 --- a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md 
@@ -2,7 +2,7 @@ description: How to use the Feature Selection page in the IEAK 11 Customization Wizard to choose which parts of the setup processes and Internet Explorer 11 to change for your company. ms.assetid: 9cb8324e-d73b-41ba-ade9-3acc796e21d8 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Feature Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md index 7e68c311e2..a04ce46b84 100644 --- a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md @@ -2,7 +2,7 @@ description: How to use the File Locations page in the IEAK 11 Customization Wizard to change the location of your install package and IE11 folders. ms.assetid: bd0620e1-0e07-4560-95ac-11888c2c389e author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the File Locations page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md b/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md index e45ff2b965..3d717ed9ce 100644 --- a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md @@ -2,7 +2,7 @@ description: Review the file types that are created and used by tools in the Internet Explorer Administration Kit 11 (IEAK 11). ms.assetid: e5735074-3e9b-4a00-b1a7-b8fd8baca327 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: plan ms.sitesec: library title: File types used or created by IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) 
diff --git a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md index 49faeab3db..67cc64816d 100644 --- a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md @@ -2,7 +2,7 @@ description: How to use the First Run Wizard and Welcome Page Options page in the IEAK 11 Customization Wizard to set what your employee’s see the first time they log on to IE, based on their operating system. ms.assetid: 85f856a6-b707-48a9-ba99-3a6e898276a9 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md b/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md index 84f13dc2b4..ccb24ecb0d 100644 --- a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md @@ -2,7 +2,7 @@ description: Customization guidelines for your Internet Explorer toolbar button and Favorites List icons. ms.assetid: bddc8f23-9ac1-449d-ad71-f77f43ae3b5c author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: plan ms.sitesec: library title: Customize the toolbar button and Favorites List icons using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md b/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md index 6e89320523..4e453ca996 100644 --- a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md 
+++ b/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md @@ -2,7 +2,7 @@ description: List of supported hardware and software requirements for Internet Explorer 11 and the Internet Explorer Administration Kit 11. ms.assetid: c50b86dc-7184-43d1-8daf-e750eb88dabb author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: plan ms.sitesec: library title: Hardware and software requirements for Internet Explorer 11 and the IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md index ca0b357491..3e42c5a20a 100644 --- a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md @@ -2,7 +2,7 @@ description: Use the \[HideCustom\] .INS file setting to decide whether to hide the GUID for each custom component. ms.assetid: e673f7b1-c3aa-4072-92b0-20c6dc3d9277 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the HideCustom .INS file to hide the GUID for each custom component (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md b/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md index 7c56d3c908..87f73061b5 100644 --- a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md +++ b/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md 
@@ -2,7 +2,7 @@ description: Reference about the command-line options and return codes for Internet Explorer Setup. ms.assetid: 40c23024-cb5d-4902-ad1b-6e8a189a699f author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Internet Explorer Setup command-line options and return codes (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/ieak11-admin-guide-for-it-pros.md b/browsers/internet-explorer/ie11-ieak/ieak11-admin-guide-for-it-pros.md index ad2545adab..d21dc1f28f 100644 --- a/browsers/internet-explorer/ie11-ieak/ieak11-admin-guide-for-it-pros.md +++ b/browsers/internet-explorer/ie11-ieak/ieak11-admin-guide-for-it-pros.md @@ -3,7 +3,7 @@ description: Use this guide to learn about the several options and processes you description: IEAK 11 - Internet Explorer Administration Kit 11 Users Guide ms.assetid: 847bd7b4-d5dd-4e10-87b5-4d7d3a99bbac author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: plan ms.sitesec: library title: Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md b/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md index 6c07425f39..0073e17a2c 100644 --- a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md +++ b/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md @@ -2,7 +2,7 @@ description: Review the options available to help you customize your browser install packages for deployment to your employee's devices. ms.assetid: 4b804da3-c3ac-4b60-ab1c-99536ff6e31b author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: plan ms.sitesec: library title: Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options (Internet Explorer Administration Kit 11 for IT Pros) 
diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md index ffc752653d..86d40fa16e 100644 --- a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md +++ b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md @@ -2,7 +2,7 @@ description: Reference about the command-line options for the IExpress Wizard. ms.assetid: aa16d738-1067-403c-88b3-bada12cf9752 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: IExpress Wizard command-line options (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md b/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md index b68be846c4..d6b43635ee 100644 --- a/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md +++ b/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md @@ -2,7 +2,7 @@ description: Use the IExpress Wizard on Windows Server 2008 R2 with SP1 to create self-extracting files to run your custom Internet Explorer Setup program. ms.assetid: 5100886d-ec88-4c1c-8cd7-be00da874c57 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: IExpress Wizard for Windows Server 2008 R2 with SP1 (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md index 4fed1bb8e3..b58454d722 100644 --- a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md 
@@ -2,7 +2,7 @@ description: How to use the Important URLs - Home Page and Support page in the IEAK 11 Customization Wizard to choose one or more **Home** pages and an online support page for your customized version of IE. ms.assetid: 19e34879-ba9d-41bf-806a-3b9b9b752fc1 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md index 50ad74973f..583bc698fd 100644 --- a/browsers/internet-explorer/ie11-ieak/index.md +++ b/browsers/internet-explorer/ie11-ieak/index.md @@ -3,7 +3,7 @@ description: Use this guide to learn about the several options and processes you description: IEAK 11 - Internet Explorer Administration Kit 11 Users Guide ms.assetid: 847bd7b4-d5dd-4e10-87b5-4d7d3a99bbac author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: plan ms.sitesec: library title: Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md index 1c1084b3b4..7718f63678 100644 --- a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md @@ -2,7 +2,7 @@ description: How to use the Internal Install page in the IEAK 11 Customization Wizard to customize Setup for the default browser and the latest browser updates. ms.assetid: 33d078e3-75b8-455b-9126-f0d272ed676f author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Internal Install page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) 
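Review bot: ieak11-admin-guide-for-it-pros.md and index.md carry two `description:` keys in the same front matter block (the hunk header context shows `description: Use this guide to learn about the several options and processes you` immediately followed by `description: IEAK 11 - Internet Explorer Administration Kit 11 Users Guide`); duplicate mapping keys are invalid YAML, and parsers that tolerate them keep only one of the two silently. Since this pass already touches that block, keep a single `description:` line in each file. The two files also share `ms.assetid: 847bd7b4-d5dd-4e10-87b5-4d7d3a99bbac`, which should be unique per page.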
diff --git a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md index 78b53aa52d..5971510317 100644 --- a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md @@ -2,7 +2,7 @@ description: Use the \[ISP_Security\] .INS file setting to add the root certificate for your custom Internet Explorer package. ms.assetid: 4eca2de5-7071-45a2-9c99-75115be00d06 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the ISP_Security .INS file to add your root certificate (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md index 8f0dbbf019..7aed4e8eb9 100644 --- a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md @@ -2,7 +2,7 @@ description: How to use the Language Selection page in the IEAK 11 Customization Wizard to choose the lanaguage for your IEAK 11 custom package. ms.assetid: f9d4ab57-9b1d-4cbc-9398-63f4938df1f6 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Language Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md index d70d890c6a..d1a1939d26 100644 --- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md 
@@ -2,7 +2,7 @@ description: Learn about which version of the IEAK 11 you should run, based on your license agreement. ms.assetid: 69d25451-08af-4db0-9daa-44ab272acc15 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: plan ms.sitesec: library title: Determine the licensing version and features to use in IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md index a22367e75a..4144e944ad 100644 --- a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md @@ -2,7 +2,7 @@ description: Use the \[Media\] .INS file setting to specify the types of media on which your custom install package is available. ms.assetid: c57bae60-d520-49a9-a77d-da43f7ebe5b8 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Media .INS file to specify your install media (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md index 8664e6a89a..02d75e4a77 100644 --- a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md @@ -2,7 +2,7 @@ description: How to use the Package Type Selection page in the IEAK 11 Customization Wizard to pick the media type you’ll use to distribute your custom package. ms.assetid: dd91f788-d05e-4f45-9fd5-d951abf04f2c author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Package Type Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) 
diff --git a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md index 4fc4dd9383..345e690dd9 100644 --- a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md @@ -2,7 +2,7 @@ description: How to use the Platform Selection page in the IEAK 11 Customization Wizard to pick the specs for your employee devices that will get the install package. ms.assetid: 9cbf5abd-86f7-42b6-9810-0b606bbe8218 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Platform Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md index 96e2f2f4e6..ee0f635579 100644 --- a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md @@ -2,7 +2,7 @@ description: Learn about what you need to do before you deploy your custom browser package using IEAK 11 over your network. ms.assetid: 2c66d22a-4a94-47cc-82ab-7274abe1dfd6 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: plan ms.sitesec: library title: Before you install your package over your network using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md index 939a312ac0..b1bd1220ef 100644 --- a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md 
@@ -2,7 +2,7 @@ description: How to use the Programs page in the IEAK 11 Customization Wizard to pick the default programs to use for Internet services. ms.assetid: f715668f-a50d-4db0-b578-e6526fbfa1fc author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Programs page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md index 5daee8a8e7..931dc09282 100644 --- a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md +++ b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md @@ -2,7 +2,7 @@ description: Learn about how to use a proxy auto-configuration (.pac) file to specify an automatic proxy URL. ms.assetid: 6c94708d-71bd-44bd-a445-7e6763b374ae author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use proxy auto-configuration (.pac) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md index 4e25248bb8..902b4c3cd9 100644 --- a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md @@ -2,7 +2,7 @@ description: Use the \[Proxy\] .INS file setting to define whether to use a proxy server. ms.assetid: 30b03c2f-e3e5-48d2-9007-e3fd632f3c18 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Proxy .INS file to specify a proxy server (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md index 1819df835f..9f9c0ed357 100644 
--- a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md @@ -2,7 +2,7 @@ description: How to use the Proxy Settings page in the IEAK 11 Customization Wizard to pick the proxy servers used to connect to required services. ms.assetid: 1fa1eee3-e97d-41fa-a48c-4a6e0dc8b544 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Proxy Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md b/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md index e22d35a59d..c047eef68c 100644 --- a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md @@ -2,7 +2,7 @@ description: Learn how to register an uninstall app for your custom components, using IEAK 11. ms.assetid: 4da1d408-af4a-4c89-a491-d6f005fd5005 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy title: Register an uninstall app for custom components using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) --- diff --git a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md index 9eecc45456..789f64a8b7 100644 --- a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md 
@@ -2,7 +2,7 @@ description: Learn how to use the Resultant Set of Policy (RSoP) snap-in to view your policy settings. ms.assetid: 0f21b320-e879-4a06-8589-aae6fc264666 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: manage ms.sitesec: library title: Use the RSoP snap-in to review policy settings (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md index a1b260bac0..bd5e4c8c12 100644 --- a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md @@ -2,7 +2,7 @@ description: How to use the Search Providers page in the IEAK 11 Customization Wizard to add additional providers and set the default. ms.assetid: 48cfaba5-f4c0-493c-b656-445311b7bc52 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Search Providers page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md b/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md index 8748c56bfd..5802534823 100644 --- a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md @@ -2,7 +2,7 @@ description: Learn about the security features available in Internet Explorer 11 and IEAK 11. ms.assetid: 5b64c9cb-f8da-411a-88e4-fa69dea473e2 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: plan ms.sitesec: library title: Security features and IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md index e36546ea57..77a5c40dbf 100644 
--- a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md @@ -2,7 +2,7 @@ description: How to use the Security and Privacy Settings page in the IEAK 11 Customization Wizard to manage your security zones, privacy settings, and content ratings. ms.assetid: cb7cd1df-6a79-42f6-b3a1-8ae467053f82 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Security and Privacy Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md index abcbaa3104..733b53831c 100644 --- a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md @@ -2,7 +2,7 @@ description: Use the \[Security Imports\] .INS file setting to decide whether to import security info to your custom package. ms.assetid: 19791c44-aaa7-4f37-9faa-85cbdf29f68e author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Security Imports .INS file to import security info (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md index 727791bcf7..6d83d55a3e 100644 --- a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md 
@@ -2,7 +2,7 @@ description: Info about some of the known issues using the Internet Exporer Customization Wizard and a custom Internet Explorer install package. ms.assetid: 9e22cc61-6c63-4cab-bfdf-6fe49db945e4 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: support ms.sitesec: library title: Troubleshoot custom package and IEAK 11 problems (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md index 75592cae6b..853199a71b 100644 --- a/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md @@ -2,7 +2,7 @@ description: Use the \[URL\] .INS file setting to decide whether to use an auto-configured proxy server. ms.assetid: 05b09dfa-cf11-408d-92c2-b4ae434a59a7 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the URL .INS file to use an auto-configured proxy server (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md index 81851bde4a..0027d5ce6d 100644 --- a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md @@ -2,7 +2,7 @@ description: How to use the User Experience page in the IEAK 11 Customization Wizard to decide user interaction with the Setup process. ms.assetid: d3378058-e4f0-4a11-a888-b550af994bfa author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the User Experience page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) 
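Review bot: the unchanged context around the `ms.prod` change carries typos that could be fixed in the same metadata pass: `lanaguage` in the description of language-selection-ieak11-wizard.md, `Internet Exporer` in troubleshooting-custom-browser-pkg-ieak11.md, and `employee’s see` (should be `employees see`) in first-run-and-welcome-page-ieak11-wizard.md. Also, register-uninstall-app-ieak11.md is the only file in this series with no `ms.sitesec: library` line between `ms.mktglfcycl` and `title`; worth adding for consistency with its siblings.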
diff --git a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md b/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md index f4b16976e2..d08e772fa9 100644 --- a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md +++ b/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md @@ -2,7 +2,7 @@ description: Info about how to use Internet Settings (.ins) files and the IEAK 11 to configure your custom browser package. ms.assetid: a24a7cdb-681e-4f34-a53c-6d8383c5f977 author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Using Internet Settings (.INS) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md index 785440983b..9c4b3bea88 100644 --- a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md @@ -2,7 +2,7 @@ description: How to use the Wizard Complete - Next Steps page in the IEAK 11 Customization Wizard to build your custom Internet Explorer install package. ms.assetid: aaaac88a-2022-4d0b-893c-b2404b45cabc author: eross-msft -ms.prod: IE11 +ms.prod: ie11 ms.mktglfcycl: deploy ms.sitesec: library title: Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index 57c833cdd0..485c432a26 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md 
@@ -27,6 +27,7 @@ #### [Monitor your Surface Hub](monitor-surface-hub.md) #### [Save your BitLocker key](save-bitlocker-key-surface-hub.md) #### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) +#### [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md) #### [Using a room control system](use-room-control-system-with-surface-hub.md) #### [Windows updates](manage-windows-updates-for-surface-hub.md) #### [Wireless network management](wireless-network-management-for-surface-hub.md) diff --git a/devices/surface-hub/accessibility-surface-hub.md b/devices/surface-hub/accessibility-surface-hub.md index 11b73eecdf..4c4b6a6425 100644 --- a/devices/surface-hub/accessibility-surface-hub.md +++ b/devices/surface-hub/accessibility-surface-hub.md @@ -2,7 +2,11 @@ title: Accessibility (Surface Hub) description: Accessibility settings for the Microsoft Surface Hub can be changed by using the Settings app. You'll find them under Ease of Access. Your Surface Hub has the same accessibility options as Windows 10. ms.assetid: 1D44723B-1162-4DF6-99A2-8A3F24443442 -keywords: ["Accessibility settings", "Settings app", "Ease of Access"] +keywords: Accessibility settings, Settings app, Ease of Access +ms.prod: w10 +ms.mktglfcycl: manage +ms.pagetype: surfacehub +ms.sitesec: library author: TrudyHa --- diff --git a/devices/surface-hub/admin-group-management-for-surface-hub.md b/devices/surface-hub/admin-group-management-for-surface-hub.md index 170f3d1be5..daab251d41 100644 --- a/devices/surface-hub/admin-group-management-for-surface-hub.md +++ b/devices/surface-hub/admin-group-management-for-surface-hub.md 
@@ -2,7 +2,11 @@ title: Admin group management (Surface Hub) description: Every Microsoft Surface Hub can be configured individually by opening the Settings app on the device. ms.assetid: FA67209E-B355-4333-B903-482C4A3BDCCE -keywords: ["admin group management", "Settings app", "configure Surface Hub"] +keywords: admin group management, Settings app, configure Surface Hub +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub, security author: TrudyHa --- 
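Review bot: `ms.pagetype: surfacehub, security` in admin-group-management-for-surface-hub.md is the only multi-valued `ms.pagetype` in the set (accessibility-surface-hub.md uses plain `surfacehub`); confirm the build accepts a comma-separated value here, otherwise it is treated as one unknown page type. The same hunks change `keywords` from a quoted YAML sequence (`["admin group management", "Settings app", ...]`) to a bare scalar string; that is a type change for every Surface Hub page in this patch, so make sure the site schema expects a string rather than a list before merging.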
@@ -31,11 +35,11 @@ Note that the local admin account information is not backed by any directory ser You can set a security group from your domain as local administrators on the Surface Hub after you domain join the device to AD. You will need to provide credentials that are capable of joining the domain of your choice. After you domain join successfully, you will be asked to pick an existing security group to be set as the local admins. Anyone who is a member of that security group can enter their credentials and unlock Settings. -**Note**  Surface Hubs domain join for the single purpose of using a security group as local admins. Group policies are not applied after the device is domain joined. +>**Note**  Surface Hubs domain join for the single purpose of using a security group as local admins. Group policies are not applied after the device is domain joined.   -**Note**  If your Surface Hub loses trust with the domain (for example, if you remove the Surface Hub from the domain after it is domain joined), you won't be able to authenticate into the device and open up Settings. If you decide to remove the trust relationship of the Surface Hub with your domain, reset the device first. +>**Note**  If your Surface Hub loses trust with the domain (for example, if you remove the Surface Hub from the domain after it is domain joined), you won't be able to authenticate into the device and open up Settings. If you decide to remove the trust relationship of the Surface Hub with your domain, reset the device first.   
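Review bot: the converted notes use `>**Note**` with no space after the `>`, and the line of non-breaking spaces that follows each note is left outside the blockquote. Most renderers still treat `>**Note**` as a quote, but `> **Note**` is the conventional form, and the trailing nbsp line is a leftover from the old `**Note**` layout that now only adds an empty paragraph; drop it or fold it into the quote. The same pattern appears in the `@@ -43,7` hunk of this file.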
@@ -43,7 +47,7 @@ You can set a security group from your domain as local administrators on the Sur You can set up IT pros from your Azure AD organization as local administrators on the Surface Hub after you join the device. The people that are provisioned as local admins on your device depend on what Azure AD subscription you have. You will need to provide credentials that are capable of joining the Azure AD organization of your choice. After you successfully join Azure AD, the appropriate people will be set as local admins on the device. Any user who was set up as a local admin as a result of this process can enter their credentials and unlock the Settings app. -**Note**  If your Azure AD organization is configured with mobile device management (MDM) enrollment, Surface Hubs will be enrolled into MDM as a result of joining Azure AD. Surface Hubs that have joined Azure AD are subject to receiving MDM policies, and can be managed using the MDM solution that your organization uses. +>**Note**  If your Azure AD organization is configured with mobile device management (MDM) enrollment, Surface Hubs will be enrolled into MDM as a result of joining Azure AD. Surface Hubs that have joined Azure AD are subject to receiving MDM policies, and can be managed using the MDM solution that your organization uses.   diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md index e1bce22bd9..a388fc0cca 100644 --- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md +++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md 
@@ -2,7 +2,11 @@ title: Appendix PowerShell (Surface Hub) description: PowerShell scripts to help set up and manage your Microsoft Surface Hub . ms.assetid: 3EF48F63-8E4C-4D74-ACD5-461F1C653784 -keywords: ["PowerShell", "set up Surface Hub", "manage Surface Hub"] +keywords: PowerShell, set up Surface Hub, manage Surface Hub +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- @@ -38,7 +42,7 @@ What do you need in order to run the scripts? - Remote PowerShell access to your organization's domain or tenant, Exchange servers, and Skype for Business servers. - Admin credentials for your organization's domain or tenant, Exchange servers, and Skype for Business servers. -**Note**  Whether you’re creating a new account or modifying an already-existing account, the validation script will verify that your device account is configured correctly. You should always run the validation script before adding a device account to Surface Hub. +>**Note**  Whether you’re creating a new account or modifying an already-existing account, the validation script will verify that your device account is configured correctly. You should always run the validation script before adding a device account to Surface Hub.   @@ -1669,7 +1673,7 @@ Set-CalendarProcessing $ strRoomUpn -AutomateProcessing AutoAccept For a device account to accept external meeting requests (a meeting request from an account not in the same tenant/domain), the device account must be set to allow processing of external meeting requests. Once set, the device account will automatically accept or decline meeting requests from external accounts as well as local accounts. -**Note**  If the **AutomateProcessing** attribute is not set to **AutoAccept**, then setting this will have no effect. +>**Note**  If the **AutomateProcessing** attribute is not set to **AutoAccept**, then setting this will have no effect.   
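Review bot: the hunk header context `Set-CalendarProcessing $ strRoomUpn -AutomateProcessing AutoAccept` shows a space between `$` and `strRoomUpn`; if the source line really reads that way, PowerShell parses `$` as an empty variable and `strRoomUpn` as a separate positional argument, so the example does not run as shown. Verify that the code block around line 1669 reads `$strRoomUpn` and fix it while this file is being touched. The `>**Note**` conversions here have the same missing-space and trailing nbsp-line issue as in admin-group-management-for-surface-hub.md.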
diff --git a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md index 6a123919fd..8712782546 100644 --- a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md +++ b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md @@ -2,7 +2,11 @@ title: Applying ActiveSync policies to device accounts (Surface Hub) description: The Microsoft Surface Hub's device account uses ActiveSync to sync mail and calendar. This allows people to join and start scheduled meetings from the Surface Hub, and allows them to email any whiteboards they have made during their meeting. ms.assetid: FAABBA74-3088-4275-B58E-EC1070F4D110 -keywords: ["Surface Hub", "ActiveSync policies"] +keywords: Surface Hub, ActiveSync policies +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- diff --git a/devices/surface-hub/change-surface-hub-device-account.md b/devices/surface-hub/change-surface-hub-device-account.md index 44ad0b01d5..0760c66e33 100644 --- a/devices/surface-hub/change-surface-hub-device-account.md +++ b/devices/surface-hub/change-surface-hub-device-account.md @@ -2,7 +2,11 @@ title: Change the Microsoft Surface Hub device account description: You can change the device account in Settings to either add an account if one was not already provisioned, or to change any properties of an account that was already provisioned. ms.assetid: AFC43043-3319-44BC-9310-29B1F375E672 -keywords: ["change device account", "change properties", "Surface Hub"] +keywords: change device account, change properties, Surface Hub +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md index cc608f499b..35d14c4df5 100644 
--- a/devices/surface-hub/connect-and-display-with-surface-hub.md +++ b/devices/surface-hub/connect-and-display-with-surface-hub.md @@ -1,8 +1,11 @@ --- title: Connect other devices and display with Surface Hub description: You can connect other device to your Surface Hub to display content. This topic describes guest mode and replacement PC modes that is available through a wired connection. -Robots: noindex, nofollow ms.assetid: 8BB80FA3-D364-4A90-B72B-65F0F0FC1F0D +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md index 084758aa68..a39e64d4cc 100644 --- a/devices/surface-hub/create-a-device-account-using-office-365.md +++ b/devices/surface-hub/create-a-device-account-using-office-365.md @@ -2,7 +2,11 @@ title: Create a device account using UI (Surface Hub) description: If you prefer to use a graphical user interface, you can create a device account for your Microsoft Surface Hub with either the Office 365 UI or the Exchange Admin Center. ms.assetid: D11BCDC4-DABA-4B9A-9ECB-58E02CC8218C -keywords: ["create device account", "Office 365 UI", "Exchange Admin center", "Office 365 admin center", "Skype for Business", "mobile device mailbox policy"] +keywords: create device account, Office 365 UI, Exchange Admin center, Office 365 admin center, Skype for Business, mobile device mailbox policy +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- 
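Review bot: dropping `Robots: noindex, nofollow` from the front matter of connect-and-display-with-surface-hub.md (hunk `@@ -1,8 +1,11 @@`) makes a page that was deliberately hidden from search engines indexable, and the commit gives no reason for it; confirm this is intentional rather than a casualty of adding the `ms.*` fields. While touching that header, the description reads "connect other device" and "modes that is available", which should be "connect other devices" and "modes that are available".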
@@ -264,7 +268,7 @@ You can use the Exchange Admin Center to create a device account: ### Create a mobile device mailbox policy from the Exchange Admin Center -**Note**  If you want to create and assign a policy to the account you created, and are using Exchange 2010, look up the corresponding information regarding policy creation and policy assignment when using the EMC (Exchange management console). +>**Note**  If you want to create and assign a policy to the account you created, and are using Exchange 2010, look up the corresponding information regarding policy creation and policy assignment when using the EMC (Exchange management console).   diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md index ae3b772bd4..d63259487e 100644 --- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md +++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md @@ -2,7 +2,11 @@ title: Create and test a device account (Surface Hub) description: This topic introduces how to create and test the device account that Microsoft Surface Hub uses to communicate with Microsoft Exchange and Skype. ms.assetid: C8605B5F-2178-4C3A-B4E0-CE32C70ECF67 -keywords: ["create and test device account", "device account", "Surface Hub and Microsoft Exchange", "Surface Hub and Skype"] +keywords: create and test device account, device account, Surface Hub and Microsoft Exchange, Surface Hub and Skype +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- 
@@ -19,7 +23,7 @@ A "device account" is an account that the Microsoft Surface Hub uses to: People can book this account by scheduling a meeting with it. The Surface Hub will be able to join that meeting and provide various features to the meeting attendees. -**Important**  Without a device account, none of these features will work. +>**Important**  Without a device account, none of these features will work.   diff --git a/devices/surface-hub/device-reset-suface-hub.md b/devices/surface-hub/device-reset-suface-hub.md index 449deca360..e4f36616da 100644 --- a/devices/surface-hub/device-reset-suface-hub.md +++ b/devices/surface-hub/device-reset-suface-hub.md @@ -2,7 +2,11 @@ title: Device reset (Surface Hub) description: You may wish to reset your Microsoft Surface Hub. ms.assetid: 44E82EEE-1905-464B-A758-C2A1463909FF -keywords: ["reset Surface Hub"] +keywords: reset Surface Hub +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- diff --git a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md index a9a913e3bd..f2264e2d63 100644 --- a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md +++ b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md @@ -2,7 +2,11 @@ title: Microsoft Exchange properties (Surface Hub) description: Some Microsoft Exchange properties of the device account must be set to particular values to have the best meeting experience on Microsoft Surface Hub. ms.assetid: 3E84393B-C425-45BF-95A6-D6502BA1BF29 -keywords: ["Microsoft Exchange properties", "device account", "Surface Hub", "Windows PowerShell cmdlet"] +keywords: Microsoft Exchange properties, device account, Surface Hub, Windows PowerShell cmdlet +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- 
diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md index 4a45985296..da4eafbf85 100644 --- a/devices/surface-hub/first-run-program-surface-hub.md +++ b/devices/surface-hub/first-run-program-surface-hub.md @@ -2,7 +2,11 @@ title: First-run program (Surface Hub) description: The term \ 0034;first run \ 0034; refers to the series of steps you'll go through the first time you power up your Microsoft Surface Hub, and means the same thing as \ 0034;out-of-box experience \ 0034; (OOBE). This section will walk you through the process. ms.assetid: 07C9E84C-1245-4511-B3B3-75939AD57C49 -keywords: ["first run", "Surface Hub", "out-of-box experience", "OOBE"] +keywords: first run, Surface Hub, out-of-box experience, OOBE +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- @@ -29,7 +33,7 @@ The normal procedure goes through six steps: Each of these sections also contains information about paths you might take when something is different. For example, most Surface Hubs will use a wired network connection, but some of them will be set up with wireless instead. Details are described where appropriate. -**Note**  You should have the separate keyboard that came with your Surface Hub set up and ready before beginning. See the Surface Hub Setup Guide for details. +>**Note**  You should have the separate keyboard that came with your Surface Hub set up and ready before beginning. See the Surface Hub Setup Guide for details.   
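Review bot: the description in the front-matter hunk of first-run-program-surface-hub.md (`@@ -2,7 +2,11 @@`) still carries mangled quote entities, `\ 0034;first run \ 0034;` and `\ 0034;out-of-box experience \ 0034;`, which will render literally in the page metadata; replace them with plain quotation marks while this header is being edited.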
@@ -38,7 +42,7 @@ Each of these sections also contains information about paths you might take when This is the first screen you'll see when you power up the Surface Hub for the first time. It's where you input localization information for your device. -**Note**  This is also where you begin the optional process of deploying a provisioning package. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) if that's what you're doing. +>**Note**  This is also where you begin the optional process of deploying a provisioning package. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) if that's what you're doing.   @@ -55,7 +59,7 @@ If the default values shown are correct, then you can click **Next** to go on. O ### What happens? -**Note**  Once the settings on this page are entered, you can't come back to this screen unless you reset the device (see [Device reset](device-reset-suface-hub.md)). Make sure that the settings are properly configured before proceeding. +>**Note**  Once the settings on this page are entered, you can't come back to this screen unless you reset the device (see [Device reset](device-reset-suface-hub.md)). Make sure that the settings are properly configured before proceeding.   
@@ -136,7 +140,7 @@ When you click **Next**, the device will attempt to connect to the proxy server. You can skip connecting to a network by selecting **Skip this step**. You'll be taken to the [Set up for you page](#set-up-for-you). -**Note**  If you skip this, the device will not have a network connection, and nothing that requires a network connection will work on your Surface Hub, including things like email and calendar synchronization. You can connect to a wireless network later using Settings (see [Wireless network managment](wireless-network-management-for-surface-hub.md)). +>**Note**  If you skip this, the device will not have a network connection, and nothing that requires a network connection will work on your Surface Hub, including things like email and calendar synchronization. You can connect to a wireless network later using Settings (see [Wireless network managment](wireless-network-management-for-surface-hub.md)).   @@ -162,7 +166,7 @@ The settings shown on the page have already been made, and can't be changed unti On this page, the Surface Hub will ask for credentials for the device account that you previously configured. (See [Create and test a device account](create-and-test-a-device-account-surface-hub.md).) The Surface Hub will attempt to discover various properties of the account, and may ask for more information on another page if it does not succeed. -**Note**  This section does not cover specific errors that can happen during first run. See [Troubleshoot Surface Hub](troubleshoot-surface-hub.md) for more information on errors. +>**Note**  This section does not cover specific errors that can happen during first run. See [Troubleshoot Surface Hub](troubleshoot-surface-hub.md) for more information on errors.   
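Review bot: the `+` line in the `@@ -136,7 +140,7 @@` hunk of first-run-program-surface-hub.md rewrites the note but keeps the misspelled link text `[Wireless network managment]`; since the line is being replaced anyway, change it to `[Wireless network management](wireless-network-management-for-surface-hub.md)` to match the target file name.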
@@ -299,7 +303,7 @@ On this page, you will choose from several options for how you want to set up ad Because every Surface Hub can be used by any number of authenticated employees, settings are locked down so that they can't change from session to session. Only admins can configure the settings on the device, and on this page, you’ll choose which type of admins have that privilege. -**Note**  The purpose of this page is primarily to determine who can configure the device from the device’s UI; that is, who can actually visit a device, log in, open up the Settings app, and make changes to the Settings. +>**Note**  The purpose of this page is primarily to determine who can configure the device from the device’s UI; that is, who can actually visit a device, log in, open up the Settings app, and make changes to the Settings.   @@ -331,7 +335,7 @@ This is what happens when you choose an option. Note that a local admin must have physical access to the Surface Hub to log in. -**Note**  After you finish this process, you won't be able to change the device's admin option unless you reset the device. +>**Note**  After you finish this process, you won't be able to change the device's admin option unless you reset the device.   @@ -389,7 +393,7 @@ Using the provided domain, account credentials from the [Use Active Directory Do If the join is successful, you'll see the **Enter a security group** page. When you click the **Select** button on this page, the device will search for the specified security group on your domain. If found, the group will be verified. Click **Finish** to complete the first run process. -**Note**  If you domain join the Surface Hub, you can't unjoin the device without resetting it. +>**Note**  If you domain join the Surface Hub, you can't unjoin the device without resetting it.   
@@ -414,7 +418,7 @@ This page will attempt to create a new admin account using the credentials that ## Update the Surface Hub -**Important**  Before you do the updates, make sure you read [Save your BitLocker key](save-bitlocker-key-surface-hub.md) in order to make sure you have a backup of the key. +>**Important**  Before you do the updates, make sure you read [Save your BitLocker key](save-bitlocker-key-surface-hub.md) in order to make sure you have a backup of the key.   diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md index 4fa0401135..482dce9fa8 100644 --- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md @@ -2,7 +2,11 @@ title: Hybrid deployment (Surface Hub) description: A hybrid deployment requires special processing in order to set up a device account for your Microsoft Surface Hub. ms.assetid: 7BFBB7BE-F587-422E-9CE4-C9DDF829E4F1 -keywords: ["hybrid deployment", "device account for Surface Hub", "Exchange hosted on-prem", "Exchange hosted online"] +keywords: hybrid deployment, device account for Surface Hub, Exchange hosted on-prem, Exchange hosted online +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- @@ -21,7 +25,7 @@ Use this procedure if you use Exchange on-prem. - Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected. - **Important**
Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account. + >**Important** Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account. ![image showing password dialog box](images/hybriddeployment-02a.png) @@ -147,7 +151,7 @@ Use this procedure if you use Exchange on-prem. - Click **Save**. - **Note**
You can also use the Windows Azure Active Directory Module for Windows Powershell to run the cmdlets needed to assign one of these licenses, but that's not covered here. + >**Note** You can also use the Windows Azure Active Directory Module for Windows Powershell to run the cmdlets needed to assign one of these licenses, but that's not covered here. For validation, you should be able to use any Skype for Business client (PC, Android, etc) to log in to this account. @@ -223,7 +227,7 @@ Use this procedure if you use Exchange online. - Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected. - **Important**
Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account. + >**Important** Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account. ![image showing password dialog box](images/hybriddeployment-02a.png) @@ -306,6 +310,6 @@ Use this procedure if you use Exchange online. - Click **Save**. - **Note**
You can also use the Windows Azure Active Directory Module for Windows PowerShell to run the cmdlets needed to assign one of these licenses, but that's not covered here. + >**Note** You can also use the Windows Azure Active Directory Module for Windows PowerShell to run the cmdlets needed to assign one of these licenses, but that's not covered here. For validation, you should be able to use any Skype for Business client (PC, Android, etc) to log in to this account. \ No newline at end of file diff --git a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md index 137667385b..db6e9ddd5f 100644 --- a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md +++ b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md @@ -2,6 +2,10 @@ title: I am done - ending a Surface Hub meeting description: To end a Surface Hub meeting, tap I am Done. Surface Hub cleans up the application state, operating system state, and the user interface so that Surface Hub is ready for the next meeting. keywords: I am Done, end Surface Hub meeting, finish Surface Hub meeting, clean up Surface Hub meeting +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- diff --git a/devices/surface-hub/images/room-control-wiring-diagram.png b/devices/surface-hub/images/room-control-wiring-diagram.png new file mode 100644 index 0000000000..5a2ecf613e Binary files /dev/null and b/devices/surface-hub/images/room-control-wiring-diagram.png differ diff --git a/devices/surface-hub/images/system-settings-add-fqdn.png b/devices/surface-hub/images/system-settings-add-fqdn.png new file mode 100644 index 0000000000..011d4a41f7 Binary files /dev/null and b/devices/surface-hub/images/system-settings-add-fqdn.png differ diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md index f60a86c42a..f526e77791 100644 --- a/devices/surface-hub/index.md 
+++ b/devices/surface-hub/index.md @@ -2,6 +2,10 @@ title: Microsoft Surface Hub description: Documents related to the Microsoft Surface Hub. ms.assetid: 69C99E91-1441-4318-BCAF-FE8207420555 +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md index fb6bd9e507..2e6754e6cc 100644 --- a/devices/surface-hub/install-apps-on-surface-hub.md +++ b/devices/surface-hub/install-apps-on-surface-hub.md @@ -2,7 +2,11 @@ title: Install apps on your Microsoft Surface Hub description: Admins can install apps can from either the Windows Store or the Windows Store for Business. ms.assetid: 3885CB45-D496-4424-8533-C9E3D0EDFD94 -keywords: ["install apps", "Windows Store", "Windows Store for Business"] +keywords: [install apps, Windows Store, Windows Store for Business +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: surfacehub, store author: TrudyHa --- diff --git a/devices/surface-hub/intro-to-surface-hub.md b/devices/surface-hub/intro-to-surface-hub.md index dcfea76b5b..584dc26a5e 100644 --- a/devices/surface-hub/intro-to-surface-hub.md +++ b/devices/surface-hub/intro-to-surface-hub.md @@ -2,7 +2,11 @@ title: Intro to Microsoft Surface Hub description: Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. ms.assetid: 5DAD4489-81CF-47ED-9567-A798B90C7E76 -keywords: ["Surface Hub", "productivity", "collaboration", "presentations", "setup"] +keywords: Surface Hub, productivity, collaboration, presentations, setup +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- diff --git a/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md b/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md index 17628909b6..59a5eb9898 100644 
--- a/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md +++ b/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md @@ -2,7 +2,11 @@ title: Manage settings with a local admin account (Surface Hub) description: A local admin account will be set up on every Microsoft Surface Hub as part of the first run program. The only way to change the local admin options that you chose at that time is to reset the device. ms.assetid: B4B3668B-985D-427E-8495-E30ABEECA679 -keywords: ["local admin account", "Surface Hub", "change local admin options"] +keywords: local admin account, Surface Hub, change local admin options +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- @@ -83,7 +87,7 @@ To create a local admin, choose to use a local admin during first run. This will After you domain join the device, you can set up a security group from your domain as local administrators on the Surface Hub. You will need to provide credentials that are capable of joining the domain of your choice. After you domain join successfully, you will be asked to pick an existing security group to be set as the local admins. When the Setting app is opened, any user who is a member of that security group can enter their credentials and unlock Settings. -**Note**  Surface Hubs domain join for the sole purpose of using a security group as local admins. Group policies are not applied after the device is domain joined. +>**Note**  Surface Hubs domain join for the sole purpose of using a security group as local admins. Group policies are not applied after the device is domain joined.   
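Review bot: the new line `+keywords: [install apps, Windows Store, Windows Store for Business` in install-apps-on-surface-hub.md (hunk `@@ -2,7 +2,11 @@`) leaves an opening `[` with no closing bracket, so in YAML it starts a flow sequence that never terminates and the front matter will fail to parse. Every other file in this commit drops the brackets entirely; do the same here: `keywords: install apps, Windows Store, Windows Store for Business`.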
@@ -96,7 +100,7 @@ Otherwise, if you don’t want to use the device account to join Azure AD, you c - The org account of an admin who will manage the device, or - A separate account that is part of your organization and used only for joining Surface Hubs. -**Note**  If your Azure AD organization is also configured with MDM enrollment, Surface Hubs will also be enrolled into MDM as a result of joining Azure AD. Surface Hubs that have joined Azure AD are subject to receiving MDM policies, and can be widely managed using an MDM solution, which opts these devices into remote management. You may want to choose an account to join Azure AD that benefits how you manage devices—you find more info about this in the [Enroll a Surface Hub into MDM](manage-settings-with-mdm-for-surface-hub.md#enroll-into-mdm) section. +>**Note**  If your Azure AD organization is also configured with MDM enrollment, Surface Hubs will also be enrolled into MDM as a result of joining Azure AD. Surface Hubs that have joined Azure AD are subject to receiving MDM policies, and can be widely managed using an MDM solution, which opts these devices into remote management. You may want to choose an account to join Azure AD that benefits how you manage devices—you find more info about this in the [Enroll a Surface Hub into MDM](manage-settings-with-mdm-for-surface-hub.md#enroll-into-mdm) section.   diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md index b5d58ebb5f..061bfada43 100644 --- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md +++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md 
@@ -2,7 +2,11 @@ title: Manage settings with an MDM provider (Surface Hub) description: Microsoft Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution. ms.assetid: 18EB8464-6E22-479D-B0C3-21C4ADD168FE -keywords: ["mobile device managemen", "MDM", "manage policies"] +keywords: mobile device management, MDM, manage policies +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub, mobility author: TrudyHa --- diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md index 213492014b..7baf06e0be 100644 --- a/devices/surface-hub/manage-surface-hub.md +++ b/devices/surface-hub/manage-surface-hub.md @@ -2,7 +2,11 @@ title: Manage Microsoft Surface Hub description: How to manage your Surface Hub after finishing the first-run program. ms.assetid: FDB6182C-1211-4A92-A930-6C106BCD5DC1 -keywords: ["manage Surface Hub"] +keywords: manage Surface Hub +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- 
@@ -25,7 +29,7 @@ For remotely-managed devices, the device must be enrolled into an MDM solution, Be aware that the two management methods are not mutually exclusive—every device will have the capability to be locally managed, and devices can be remotely managed if you choose. -**Note**  If a device is remotely managed, then any changes to local settings that are also remotely managed will only persist until the next time your Surface Hub syncs with your MDM solution. Once a sync occurs, the settings and policies defined on your MDM solution will be pushed to the device, overwriting the local changes. +>**Note**  If a device is remotely managed, then any changes to local settings that are also remotely managed will only persist until the next time your Surface Hub syncs with your MDM solution. Once a sync occurs, the settings and policies defined on your MDM solution will be pushed to the device, overwriting the local changes.   diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index d97e75cffd..fdf19039e5 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -2,7 +2,11 @@ title: Windows updates (Surface Hub) description: You can manage Windows updates on your Microsoft Surface Hub by setting the maintenance window, deferring updates, or using Windows Server Update Services (WSUS). ms.assetid: A737BD50-2D36-4DE5-A604-55053D549045 -keywords: ["manage Windows updates", "Surface Hub", "Windows Server Update Services", "WSUS"] +keywords: manage Windows updates, Surface Hub, Windows Server Update Services, WSUS +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- 
@@ -20,7 +24,7 @@ A default maintenance window is set for all new Surface Hubs: Most Windows updates are downloaded and installed automatically by Surface Hub. You can change the maintenance window to limit when the device can be automatically rebooted after a Windows update installation. For those updates that require a reboot of the device, the update installation will be postponed until the maintenance window begins. If a meeting is scheduled to start during the maintenance window, or if the Surface Hub sensors detect that the device is being used, the pending installation will be postponed to the next maintenance window. -**Note**  : If an update installation has been pending for 28 days, on the 28th day the update will be forcibly installed. The device will ignore meetings or sensor status and reboot during the maintenance window. +>**Note**: If an update installation has been pending for 28 days, on the 28th day the update will be forcibly installed. The device will ignore meetings or sensor status and reboot during the maintenance window.   diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md index d27435da83..2055b8369d 100644 --- a/devices/surface-hub/monitor-surface-hub.md +++ b/devices/surface-hub/monitor-surface-hub.md @@ -2,7 +2,11 @@ title: Monitor your Microsoft Surface Hub description: Monitoring for Microsoft Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS). ms.assetid: 1D2ED317-DFD9-423D-B525-B16C2B9D6942 -keywords: ["monitor Surface Hub", "Microsoft Operations Management Suite", "OMS"] +keywords: monitor Surface Hub, Microsoft Operations Management Suite, OMS +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index 1c2f707abd..03fc4981b1 100644 
--- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md @@ -2,7 +2,11 @@ title: On-premises deployment (Surface Hub) description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment. ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6 -keywords: ["single forest deployment", "on prem deployment", "device account", "Surface Hub"] +keywords: single forest deployment, on prem deployment, device account, Surface Hub +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md index 1afd55621a..f3d9942ade 100644 --- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md @@ -2,7 +2,11 @@ title: Online deployment with Office 365 (Surface Hub) description: This topic has instructions for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment. ms.assetid: D325CA68-A03F-43DF-8520-EACF7C3EDEC1 -keywords: ["device account for Surface Hub", "online deployment"] +keywords: device account for Surface Hub, online deployment +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- @@ -53,7 +57,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow ```PowerShell Set-Mailbox $acctUpn -Type Regular - Set-CASMailbox $acctUpn -ActiveSyncMailboxPolicy $easPolicy + Set-CASMailbox $acctUpn -ActiveSyncMailboxPolicy $easPolicy.Id Set-Mailbox $acctUpn -Type Room Set-Mailbox $credNewAccount.UserName -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true ``` 
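Review bot: the change to `Set-CASMailbox $acctUpn -ActiveSyncMailboxPolicy $easPolicy.Id` in online-deployment-surface-hub-device-accounts.md (hunk `@@ -53,7 +57,7 @@`) is only correct if the earlier step assigns `$easPolicy` the policy object returned by the policy-creation cmdlet; that step is outside this hunk, so verify it does, because if `$easPolicy` already holds the policy name as a string, `.Id` evaluates to nothing and the parameter is bound empty. A short comment in the code block stating what `$easPolicy` is expected to contain would keep readers who follow only this page from hitting that.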
@@ -62,7 +66,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow ```PowerShell Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false - Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a room!" + Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!" ``` 5. Connect to Azure AD. @@ -134,8 +138,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow - In the **Assign licenses** section, you need to select Skype for Business (Plan 2) or Skype for Business (Plan 3), depending on your licensing and what you've decided in terms of needing Enterprise Voice. You'll have to use a Plan 3 license if you want to use Enterprise Voice on your Surface Hub. - Click **Save** and you're done. -**Note**
-It's also possible to use the Windows Azure Active Directory Module for Windows PowerShell to run the cmdlets needed to assign one of these licenses, but that's not covered here. +>**Note**: It's also possible to use the Windows Azure Active Directory Module for Windows PowerShell to run the cmdlets needed to assign one of these licenses, but that's not covered here. For validation, you should be able to use any Skype for Business client (PC, Android, etc) to log in to this account. diff --git a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md index 0f413f86d6..58fc3a9004 100644 --- a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md +++ b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md @@ -2,7 +2,11 @@ title: Password management (Surface Hub) description: Every Microsoft Surface Hub device account requires a password to authenticate and enable features on the device. ms.assetid: 0FBFB546-05F0-430E-905E-87111046E4B8 -keywords: ["password", "password management", "password rotation", "device account"] +keywords: password, password management, password rotation, device account +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub, security author: TrudyHa --- diff --git a/devices/surface-hub/physically-install-your-surface-hub-device.md b/devices/surface-hub/physically-install-your-surface-hub-device.md index e576286f28..2a95ec05e4 100644 --- a/devices/surface-hub/physically-install-your-surface-hub-device.md +++ b/devices/surface-hub/physically-install-your-surface-hub-device.md 
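Review bot: the note converted in online-deployment-surface-hub-device-accounts.md (hunk @@ -134,8 +138,7 @@) is written as `>**Note**:` with a colon, while the two notes converted in provisioning-packages-for-certificates-surface-hub.md further down use `>**Note**  ` with two spaces and no colon; pick one form for all Surface Hub topics so the rendered callouts match. In the same hunk's context line, "any Skype for Business client (PC, Android, etc)" should read "etc.)".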
@@ -2,7 +2,11 @@ title: Physically install Microsoft Surface Hub description: The Microsoft Surface Hub Readiness Guide will help make sure that your site is ready for the installation. ms.assetid: C764DBFB-429B-4B29-B4E8-D7F0073BC554 -keywords: ["Surface Hub", "readiness guide", "installation location", "mounting options"] +keywords: Surface Hub, readiness guide, installation location, mounting options +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub, readiness author: TrudyHa --- diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index bca63b0847..8656c33064 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -2,7 +2,11 @@ title: Prepare your environment for Microsoft Surface Hub description: This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Microsoft Surface Hub. ms.assetid: 336A206C-5893-413E-A270-61BFF3DF7DA9 -keywords: ["prepare environment", "features of Surface Hub", "create and test device account", "check network availability"] +keywords: prepare environment, features of Surface Hub, create and test device account, check network availability +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- diff --git a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md b/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md index 8a4eb488f1..f3ecf5f2d4 100644 --- a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md +++ b/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md 
@@ -2,7 +2,11 @@ title: Create provisioning packages (Surface Hub) description: For Windows 10, settings that use the registry or a content services platform (CSP) can be configured using provisioning packages. You can also add certificates during first run using provisioning. ms.assetid: 8AA25BD4-8A8F-4B95-9268-504A49BA5345 -keywords: ["add certificate", "provisioning package"] +keywords: add certificate, provisioning package +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- @@ -34,7 +38,7 @@ Currently, you can use provisioning packages to install certificates and to inst You may use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange or Skype for Business, or to sideload apps that don't come from the Windows Store (for example, your own in-house apps). -**Note**  Provisioning can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, you must use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details. +>**Note**  Provisioning can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, you must use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details.   
@@ -54,7 +58,7 @@ In order to create and deploy provisioning packages, all of the following are re ### Install the Windows Imaging and Configuration Designer 1. The Windows Imaging and Configuration Designer (ICD) is installed as part of the Windows 10 ADK. The installer for the ADK can be downloaded from the [Microsoft Download Center](http://go.microsoft.com/fwlink/?LinkId=718147). - **Note**  The ADK must be installed on a separate PC, not on the Surface Hub. + >**Note**  The ADK must be installed on a separate PC, not on the Surface Hub.   diff --git a/devices/surface-hub/save-bitlocker-key-surface-hub.md b/devices/surface-hub/save-bitlocker-key-surface-hub.md index 6c08da3b77..869f0a540b 100644 --- a/devices/surface-hub/save-bitlocker-key-surface-hub.md +++ b/devices/surface-hub/save-bitlocker-key-surface-hub.md @@ -2,7 +2,11 @@ title: Save your BitLocker key (Surface Hub) description: Every Microsoft Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys. ms.assetid: E11E4AB6-B13E-4ACA-BCE1-4EDC9987E4F2 -keywords: ["Surface Hub", "BitLocker", "Bitlocker recovery keys"] +keywords: Surface Hub, BitLocker, Bitlocker recovery keys +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub, security author: TrudyHa --- diff --git a/devices/surface-hub/set-up-your-surface-hub.md b/devices/surface-hub/set-up-your-surface-hub.md index 976bfd183c..1323fc0f77 100644 --- a/devices/surface-hub/set-up-your-surface-hub.md +++ b/devices/surface-hub/set-up-your-surface-hub.md 
@@ -2,7 +2,11 @@ title: Set up Microsoft Surface Hub description: Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program. ms.assetid: 4D1722BC-704D-4471-BBBE-D0500B006221 -keywords: ["set up instructions", "Surface Hub", "setup worksheet", "first-run program"] +keywords: set up instructions, Surface Hub, setup worksheet, first-run program +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- diff --git a/devices/surface-hub/setup-worksheet-surface-hub.md b/devices/surface-hub/setup-worksheet-surface-hub.md index 4dd579c142..9f23b06daa 100644 --- a/devices/surface-hub/setup-worksheet-surface-hub.md +++ b/devices/surface-hub/setup-worksheet-surface-hub.md @@ -2,7 +2,11 @@ title: Setup worksheet (Surface Hub) description: When you've finished pre-setup and are ready to start first-time setup for your Microsoft Surface Hub, make sure you have all the information listed in this section. ms.assetid: AC6F925B-BADE-48F5-8D53-8B6FFF6EE3EB -keywords: ["Setup worksheet", "pre-setup", "first-time setup"] +keywords: Setup worksheet, pre-setup, first-time setup +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- diff --git a/devices/surface-hub/surface-hub-administrators-guide.md b/devices/surface-hub/surface-hub-administrators-guide.md index a965c14182..8a1a636282 100644 --- a/devices/surface-hub/surface-hub-administrators-guide.md +++ b/devices/surface-hub/surface-hub-administrators-guide.md 
@@ -2,7 +2,11 @@ title: Microsoft Surface Hub administrator's guide description: This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers. ms.assetid: e618aab7-3a94-4159-954e-d455ef7b8839 -keywords: ["Surface Hub", "installation", "administration", "administrator's guide"] +keywords: Surface Hub, installation, administration, administrator's guide +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md index 1a55de269c..3e1e8126c3 100644 --- a/devices/surface-hub/troubleshoot-surface-hub.md +++ b/devices/surface-hub/troubleshoot-surface-hub.md @@ -2,7 +2,11 @@ title: Troubleshoot Microsoft Surface Hub description: Troubleshoot common problems, including setup issues, Exchange ActiveSync errors. ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A -keywords: ["Troubleshoot common problems", "setup issues", "Exchange ActiveSync errors"] +keywords: Troubleshoot common problems, setup issues, Exchange ActiveSync errors +ms.prod: w10 +ms.mktglfcycl: support +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- @@ -441,7 +445,7 @@ Possible fixes for issues with Surface Hub first-run program. ## Exchange ActiveSync errors -This section liss status codes, mapping, user messages, and actions an admin can take to solve Exchange ActiveSync errors. +This section lists status codes, mapping, user messages, and actions an admin can take to solve Exchange ActiveSync errors. @@ -449,12 +453,10 @@ This section liss status codes, mapping, user messages, and actions an admin can - - @@ -463,21 +465,18 @@ This section liss status codes, mapping, user messages, and actions an admin can - - - 
@@ -486,105 +485,90 @@ This section liss status codes, mapping, user messages, and actions an admin can - - - - - - - - - - - - - - - - - @@ -607,34 +589,29 @@ This section liss status codes, mapping, user messages, and actions an admin can - - - - - @@ -642,7 +619,6 @@ This section liss status codes, mapping, user messages, and actions an admin can - diff --git a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md new file mode 100644 index 0000000000..258a618516 --- /dev/null +++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md 
@@ -0,0 +1,26 @@ +--- +title: Use fully qualified doman name with Surface Hub +description: Troubleshoot common problems, including setup issues, Exchange ActiveSync errors. +ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A +keywords: ["Troubleshoot common problems", "setup issues", "Exchange ActiveSync errors"] +author: TrudyHa +--- + +# When to use a fully qualified domain name with Surface Hub + +A fully qualified domain name (FQDN) is a domain name that explicitly states the location in the Domain Name System (DNS) hierarchy. All levels of a domain are specified. In the case of Skype for Business on the Surface Hub, there are a few scenarios where you need to use a FQDN. +- **Multiple DNS suffixes** - When your Skype for Business infrastructure has disjointed namespaces such that one or more servers have a DNS suffix that doesn't match the suffix of the sign-in address (SIP) for Skype for Business. +- **Skype for Business and Exchange suffixes are different** - When the suffix of the sign-in address for Skype for Business differs from the suffix of the Exchange address used for the device account. +- **Working with certificates** - Large organizations with on-premise Skype for Business servers commonly use certificates with their own root certificate authority (CA). It is common for the CA domain to be different than the domain of the Skype for Business server which causes the certificate to not be trusted, and sign-in fails. The Skype app needs to know the FQDN of the certificate in order to set up a trust relationship. Enterprises typically use Group Policy to push this out to Skype desktop, but Group Policy is not supported on Surface Hub. + +## Add FQDN to Surface Hub + +You use the Settings app on Surface Hub to add FQDN information. You can add multiple entries, if needed. + +**To add Skype for Business Server FQDN**
+1. On Surface Hub open the **Settings** app. +2. Navigate to **System**, **Microsoft Surface Hub**. +3. Under **Skype for Business**, click **Add FQDN**. +4. Type the FQDN for the Skype for Business certificate. You can type multiple FQDNs separated by a comma. For example: lync.com, outlook.com, lync.glbdns.microsoft.com. + + ![Add Skype for Business FQDN to Settings](images/system-settings-add-fqdn.png) \ No newline at end of file diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md index 70f4344966..590099c5ec 100644 --- a/devices/surface-hub/use-room-control-system-with-surface-hub.md +++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md @@ -2,7 +2,11 @@ title: Using a room control system (Surface Hub) description: Room control systems can be used with your Microsoft Surface Hub. ms.assetid: DC365002-6B35-45C5-A2B8-3E1EB0CB8B50 -keywords: ["room control system", "Surface Hub"] +keywords: room control system, Surface Hub +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub author: TrudyHa --- 
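Review bot: the new file use-fully-qualified-domain-name-surface-hub.md reuses the front matter of troubleshoot-surface-hub.md verbatim: `ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A` is the same GUID as the troubleshooting topic, and the description and keywords ("Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.") describe that topic, not this one. Give the topic its own assetid, description and keywords, drop the bracketed-array keyword form that every other hunk in this patch converts to a plain comma list, and add the ms.prod, ms.mktglfcycl, ms.sitesec and ms.pagetype fields the other topics receive. Also fix "doman" in the title, change "on-premise" to "on-premises", "a FQDN" to "an FQDN", and end the file with a newline. Because the text says the FQDN entries are what lets the Skype app set up a trust relationship with the server certificate, step 4's example list "lync.com, outlook.com, lync.glbdns.microsoft.com" should be labelled as illustrative and the step should tell admins to enter only the domains of their own Skype for Business servers and CA, since every entry added here is a domain the client will trust.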
@@ -13,14 +17,9 @@ Room control systems can be used with your Microsoft Surface Hub. Using a room control system with your Surface Hub involves connecting room control hardware to the Surface Hub, usually through the RJ11 serial port on the bottom of the Surface Hub. -## Debugging +## Terminal settings - -You can use the info in this section for debugging scenarios. You shouldn't need it for a typical installation. - -### Terminal settings - -To connect to a room control system control panel, you don't need to connect to the Surface Hub, or to configure any terminal settings. For debugging purposes, if you want to connect a PC or laptop to your Surface Hub and send commands from the Surface Hub, you can use a terminal emulator program like Tera Term or PuTTY. These are the terminal settings you'll need: +To connect to a room control system control panel, you don't need to configure any terminal settings on the Surface Hub. If you want to connect a PC or laptop to your Surface Hub and send serial commands from the Surface Hub, you can use a terminal emulator program like Tera Term or PuTTY.
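Review bot: hunk @@ -13,14 +17,9 @@ in use-room-control-system-with-surface-hub.md deletes the sentence that this material is for debugging and that "You shouldn't need it for a typical installation", yet promotes it to a top-level "Terminal settings" section; keep one sentence stating that the terminal settings only matter when a PC is attached to the serial port for troubleshooting, otherwise integrators will read them as a required setup step. The rewritten sentence "send serial commands from the Surface Hub" is also backwards for a PC connected to the Hub's port: the commands travel from the PC to the Surface Hub, which is what the later "Commands originate from the room control system" sentence says.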
Status CodeCount of EventResult Mapping User-Friendly Message Action admin should take

-2063532030

3849

E_HTTP_DENIED

The password must be updated.

Update the password.

-2147012867

1234

WININET_E_CANNOT_CONNECT

Can’t connect to the server right now. Wait a while and try again, or check the account settings.

Verify that the server name is correct and reachable. Verify that the device is connected to the network.

-2046817239

316

E_NEXUS_STATUS_DEVICE_NOTPROVISIONED (policies don’t match)

The account is configured with policies not compatible with Surface Hub

.

-2046817204

145

E_NEXUS_STATUS_MAXIMUMDEVICESREACHED

The account has too many device partnerships.

Delete one or more partnerships on the server.

-2046817270

93

E_NEXUS_STATUS_SERVERERROR_RETRYLATER

Can’t connect to the server right now.

Wait until the server comes back online. If the issue persists, re-provision the account.

-2063269885

28

E_CREDENTIALS_EXPIRED (Credentials have expired and need to be updated)

The password must be updated.

Update the password.

-2063269875

14

E_AIRSYNC_RESET_RETRY

Can’t connect to the server right now. Wait a while or check the account’s settings.

This is normally a transient error but if the issue persists check the number of devices associated with the account and delete some of them if the number is large.

-2046817258

14

E_NEXUS_STATUS_USER_HASNOMAILBOX

The mailbox was migrated to a different server.

You should never see this error. If the issue persists, re-provision the account.

-2063532028

12

E_HTTP_FORBIDDEN

Can’t connect to the server right now. Wait a while and try again, or check the account’s settings.

Verify the server name to make sure it is correct. If the account is using cert based authentication make sure the certificate is still valid and update it if not.

-2063400920

12

E_ACTIVESYNC_PASSWORD_OR_GETCERT

The account’s password or client certificate are missing or invalid.

Update the password and/or deploy the client certificate.

-2046817238

12

E_NEXUS_STATUS_DEVICE_POLICYREFRESH

The account is configured with policies not compatible with Surface Hub.

Disable the PasswordEnabled policy for this account.

-2063269886

7

E_CREDENTIALS_UNAVAILABLE

The password must be updated.

Update the password.

-2147012894

6

WININET_E_TIMEOUT

The network doesn’t support the minimum idle timeout required to receive server notification, or the server is offline.

Verify that the server is running. Verify the NAT settings.

-2063589372

6

E_FAIL_ABORT

This error is used to interrupt the hanging sync, and will not be exposed to users. It will be shown in the telemetry if you force an interactive sync, delete the account, or update its settings.

Nothing.

-2063532009

5

E_HTTP_SERVICE_UNAVAIL

Can’t connect to the server right now. Wait a while or check the account’s settings.

Verify the server name to make sure it is correct. Wait until the server comes back online. If the issue persists, re-provision the account.

-2046817267

4

E_NEXUS_STATUS_MAILBOX_SERVEROFFLINE

Can’t connect to the server right now. Wait a while or check the account’s settings.

Verify the server name to make sure it is correct. Wait until the server comes back online. If the issue persists, re-provision the account.

-2063400921

3

E_ACTIVESYNC_GETCERT

The Exchange server requires a certificate.

Import the appropriate EAS certificate on the Surface Hub.

-2046817237

2

E_NEXUS_STATUS_INVALID_POLICYKEY

The account is configured with policies not compatible with Surface Hub.

Disable the PasswordEnabled policy for this account.

@@ -592,14 +576,12 @@ This section liss status codes, mapping, user messages, and actions an admin can

-2063532027

1

E_HTTP_NOT_FOUND

The server name is invalid.

Verify the server name to make sure it is correct. If the issue persists, re-provision the account.

-2063532012

1

E_HTTP_SERVER_ERROR

Can’t connect to the server.

Verify the server name to make sure it is correct. Trigger a sync and, if the issue persists, re-provision the account.

0x80072ee7

The server name or address could not be resolved.

Make sure the server name is entered correctly.

0x8007052f

While auto-discovering the Exchange server, a policy is applied that prevents the logged-in user from logging in to the server.

This is a timing issue. Re-verify the account's credentials. Try to re-provision when they're correct.

0x800c0019

Security certificate required to access this resource is invalid.

Install the correct ActiveSync certificate needed for the provided device account.

0x80072f0d

The certificate authority is invalid or is incorrect. Could not auto-discover the Exchange server because a certificate is missing.

Install the correct ActiveSync certificate needed for the provided device account.

0x80004005

E_FAIL

The domain provided couldn't be found. The Exchange server could not be auto-discovered and was not provided in the settings.

Make sure that the domain entered is the FQDN, and that there is an Exchange server entered in the Exchange server text box.

0x80072efd

Fail to connect to Exchange server as a result of a networking issue. It's possible the server was misspelled or it just couldn't be found.

Make sure that the Exchange server ID is entered correctly, and that the device is connected to the right network.
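Review bot: in the troubleshoot-surface-hub.md ActiveSync table (hunk @@ -486,105 +485,90 @@), the E_NEXUS_STATUS_DEVICE_NOTPROVISIONED row (-2046817239) has its user message split across two cells ("The account is configured with policies not compatible with Surface Hub" and a lone ".") and no admin action, while the identical message on the E_NEXUS_STATUS_DEVICE_POLICYREFRESH and E_NEXUS_STATUS_INVALID_POLICYKEY rows gives "Disable the PasswordEnabled policy for this account."; join the message and fill in the action. The rows in hunk @@ -592,14 +576,12 @@ (0x80072ee7, 0x8007052f, 0x800c0019, 0x80072f0d, 0x80072efd) carry no count and no result mapping and use hex while the rest of the table uses signed decimal, so the table no longer has a consistent five columns; and 0x80072efd is the hex form of -2147012867 (WININET_E_CANNOT_CONNECT), which already has a row with a different message and action, so merge those two rows. The E_NEXUS_STATUS_USER_HASNOMAILBOX action "You should never see this error" is not an action; say what to check before re-provisioning.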

@@ -54,20 +53,24 @@ To connect to a room control system control panel, you don't need to connect to + + + +

Flow control

none

Line feed

every carriage return

  -### Wiring diagram +## Wiring diagram -You can use a standard RJ-11 (6P6C) connector to connect the Surface Hub serial port to a room control system. This is the recommended method. +You can use a standard RJ-11 (6P6C) connector to connect the Surface Hub serial port to a room control system. This is the recommended method. You can also use an RJ-11 4-conductor cable, but we do not recommend this method. -You can also use an RJ-11 4-conductor cable, but we do not recommend this method. You'll need to convert pin numbers to make sure it's wired correctly. The following diagram shows how to convert the pin numbers. +This diagram shows the correct pinout used for an RJ-11 (6P6C) to DB9 cable. -![image showing the wiring diagram. ](images/roomcontrolwiring.png) +![image showing the wiring diagram.](images/room-control-wiring-diagram.png) -### Command sets +## Command sets Room control systems use common meeting-room scenarios for commands. Commands originate from the room control system, and are communicated over a serial connection to a Surface Hub. Commands are ASCII based, and the Surface Hub will acknowledge when state changes occur. @@ -106,7 +109,7 @@ The following command modifiers are available. Commands terminate with a new lin   -### Power +## Power Surface Hub can be in one of these power states. @@ -157,9 +160,72 @@ Surface Hub can be in one of these power states. -  +In Replacement PC mode, the power states are only Ready and Off and only change the display. The management port can't be used to power on the replacement PC. -### Brightness + +++++ + + + + + + + + + + + + + + + + + + + +
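Review bot: the wiring-diagram hunk changes the image reference to images/room-control-wiring-diagram.png, and the new FQDN topic references images/system-settings-add-fqdn.png, but no image files appear anywhere in this patch; confirm both are committed and that images/roomcontrolwiring.png is removed if nothing else uses it. The rewritten text also keeps "You can also use an RJ-11 4-conductor cable, but we do not recommend this method" while deleting the explanation that its pin numbers must be converted; keep one sentence on why, or the recommendation reads as arbitrary to an installer.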
StateEnergy Star stateDescription

0

S5

Off

5

50

Ready

+ +For a control device, anything other than 5 / Ready should be considered off. Each PowerOn command results in two state changes and reponses. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + +
CommandState changeResponse

PowerOn

Device turns on (display + PC).

PC service notifies SMC that the PC is ready.

Power=0

Power=5

PowerOff

Device transitions to ambient state (PC on, display dim).

Power=0

Power?

SMC reports the last-known power state.

Power=<#>
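Review bot: in the new power-state table (hunk @@ -157,9 +160,72 @@) the Energy Star column reads "S5" for state 0/Off but "50" for state 5/Ready, which is almost certainly "S0"; fix the digit. The PowerOff row describes the result as "ambient state (PC on, display dim)" yet reports "Power=0", which the state table defines as S5/Off; if state 0 also covers ambient, say so in the state table rather than leaving "anything other than 5 / Ready should be considered off" as the only hint, since a controller author will otherwise assume the PC is powered down. Also "reponses" should be "responses".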

+ + +## Brightness The current brightness level is a range from 0 to 100. @@ -191,18 +257,10 @@ Changes to brightness levels can be sent by a room control system, or other syst

PC service notifies SMC of new brightness level.

Brightness = 50

- -

Brightness?

-

SMC sends a message over the control channel to request brightness.

-

PC service notifies SMC of new brightness level.

-

Brightness = 50

- - +  -  - -### Volume +## Volume The current volume level is a range from 0 to 100. @@ -234,47 +292,14 @@ Changes to volume levels can be sent by a room control system, or other system.

PC service notifies SMC of new volume level.

Volume = 50

- -

Volume?

-

SMC sends a message over the control channel to request volume.

-

PC service notifies SMC of new volume level.

-

Volume = 50

-   -### Mute for audio and microphone +## Mute for audio -Audio and microphone can be muted. - - ---- - - - - - - - - - - - - - - - - -
StateDescription

0

Source is not muted.

1

Source is muted.

- -  - -Changes to microphone or audio can be sent by a room control system, or other system. +Audio can be muted. @@ -294,32 +319,14 @@ Changes to microphone or audio can be sent by a room control system, or other sy - - - - - - - - - - - - - - - - +

AudioMute+

SMC sends the audio mute command.

PC service notifies SMC that audio is muted.

AudioMute=<#>

MicMute+

SMC sends the microphone mute command.

-

PC service notifies SMC that microphone is muted.

MicMute=<#>

AudioMute?

SMC queries PC service for the current audio state.

-

PC service notifies SMC that audio is muted.

AudioMute=<#>

MicMute?

SMC queries PC service for the current microphone state.

-

PC service notifies SMC that the microphone is muted.

MicMute=<#>

none
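Review bot: hunk @@ -294,32 +319,14 @@ removes the MicMute+ and MicMute? rows and retitles the section "Mute for audio", and the preceding hunk removes the state table that defined 0 as "Source is not muted" and 1 as "Source is muted", yet the remaining AudioMute+ and AudioMute? rows still answer with `AudioMute=<#>`; restore the two-row state table (or put the meaning of # in the response cell) so the value is defined. If microphone mute is no longer available through the management port, say so explicitly instead of dropping it silently, and check whether the trailing "none" cell left after the last response is an orphaned column from the removed rows.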

  -### Video source +## Video source Several display sources can be used. @@ -351,10 +358,6 @@ Several display sources can be used.

3

VGA

- -

4

-

Wireless

- @@ -377,7 +380,7 @@ Changes to display source can be sent by a room control system, or other system. -

Source=<#>

+

Source=#

SMC changes to the desired source.

PC service notifies SMC that the display source has switched.

Source=<#>

@@ -389,7 +392,7 @@ Changes to display source can be sent by a room control system, or other system.

Source=<#>

-

Source+

+

Source-

SMC cycles to the previous active input source.

PC service notifies SMC of the current input source.

Source=<#>
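Review bot: in hunk @@ -377,7 +380,7 @@ the command cell changes from `Source=<#>` to `Source=#`, but the response three cells later is still `Source=<#>` and every other command in the topic (`Power=<#>`, `AudioMute=<#>`) keeps the angle-bracket placeholder; use the brackets everywhere or nowhere, and state once what # stands for. The Source- correction in hunk @@ -389,7 +392,7 @@ (the row previously duplicated Source+ while describing "the previous active input source") is right.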

@@ -403,101 +406,7 @@ Changes to display source can be sent by a room control system, or other system. -  - -### Starting apps - -Surface Hub keyboard supports starting apps with special keys. Room control systems can invoke those keys through the management port. There is no expected response for these commands. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
StateDescription

0

Start large-screen experience (LSX)

1

Start LSX custom app 1

2

Start LSX custom app 2

3

Start LSX custom app 3

- -  - -Changes to display source can be sent by a room control system, or other system. - - ----- - - - - - - - - - - - - - - -
CommandState changeResponse

AppKey=<#>

Send a command to

-

PC service notifies SMC that the display source has switched.

Source=<#>

- -  - -### I'm done - -People will be able to start the I'm done feature on a Surface Hub from a room control system. I'm done removes any work that was displayed on the Surface Hub before ending the meeting. No information or files are saved on Surface Hub. - - ----- - - - - - - - - - - - - - - -
CommandState changeResponse

I'm done

Start I'm done activity on Surface Hub.

none

- -  - -### Errors +## Errors Errors are returned following the format in this table. diff --git a/devices/surface-hub/wireless-network-management-for-surface-hub.md b/devices/surface-hub/wireless-network-management-for-surface-hub.md index 467c9cf42c..c68b67eb32 100644 --- a/devices/surface-hub/wireless-network-management-for-surface-hub.md +++ b/devices/surface-hub/wireless-network-management-for-surface-hub.md @@ -2,7 +2,11 @@ title: Wireless network management (Surface Hub) description: Microsoft Surface Hub offers two options for network connectivity to your corporate network and Internet wireless, and wired. While both provide network access, we recommend you use a wired connection. ms.assetid: D2CFB90B-FBAA-4532-B658-9AA33CAEA31D -keywords: ["network connectivity", "wired connection"] +keywords: network connectivity, wired connection +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub, networking author: TrudyHa --- @@ -11,7 +15,7 @@ author: TrudyHa Microsoft Surface Hub offers two options for network connectivity to your corporate network and Internet: wireless, and wired. While both provide network access, we recommend you use a wired connection. -## Modifying, adding or reviewing a network connection +## Modifying, adding, or reviewing a network connection If a wired network connection is not available, the Surface Hub can use a wireless network for internet access. A properly connected and configured Wi-Fi access point must be available and within range of the Surface Hub. diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index f7e3191aa7..77680e7199 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md 
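Review bot: hunk @@ -403,101 +406,7 @@ deletes the "Starting apps" (AppKey=<#>) and "I'm done" sections with no replacement text; if the management port no longer accepts these commands, the topic should say so, because the removed I'm done command was the documented way for a room controller to clear meeting content at the end of a session ("No information or files are saved on Surface Hub"), and integrators relying on it need a deprecation note. If the sections were cut because the AppKey table was never finished (its state-change cell reads "Send a command to" and its response row repeats the display-source text), record that reason in the PR description rather than leaving readers to guess.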
@@ -1,5 +1,5 @@ # [Surface](index.md) -## [Advanced UEFI security features for Surface](advanced-uefi-security-features-for-surface.md) +## [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md) ## [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md) ## [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) ## [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) diff --git a/devices/surface/advanced-uefi-security-features-for-surface.md b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md similarity index 87% rename from devices/surface/advanced-uefi-security-features-for-surface.md rename to devices/surface/advanced-uefi-security-features-for-surface-pro-3.md index ca850266d6..c90f8d9b3a 100644 --- a/devices/surface/advanced-uefi-security-features-for-surface.md +++ b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md @@ -1,5 +1,5 @@ --- -title: Advanced UEFI security features for Surface (Surface) +title: Advanced UEFI security features for Surface Pro 3 (Surface) description: This article describes how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices. ms.assetid: 90F790C0-E5FC-4482-AD71-60589E3C9C93 keywords: security, features, configure, hardware, device, custom, script, update @@ -10,7 +10,7 @@ ms.sitesec: library author: miladCA --- -# Advanced UEFI security features for Surface +# Advanced UEFI security features for Surface Pro 3 This article describes how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices. 
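Review bot: renaming advanced-uefi-security-features-for-surface.md to advanced-uefi-security-features-for-surface-pro-3.md changes the published URL; this patch updates TOC.md and index.md, but nothing adds a redirect from the old path, so external links, bookmarks and search results for the old topic will break. Add the redirect (or keep a stub at the old path) in the same change as the rename.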
@@ -20,7 +20,9 @@ To address more granular control over the security of Surface devices, the v3.11 ## Manually install the UEFI update -Before you can configure the advanced security features of your Surface device, you must first install the v3.11.760.0 UEFI update. This update is installed automatically if you receive your updates from Windows Update. For more information about how to configure Windows to update automatically using Windows Update, see [How to configure and use Automatic Updates in Windows]( http://go.microsoft.com/fwlink/p/?LinkID=618030). Otherwise, you can download the UEFI update from the Microsoft Download Center; see [SurfacePro3\_ 150326.msi (105 MB)](http://go.microsoft.com/fwlink/p/?LinkID=618033) or [SurfacePro3\_ 150326.zip (156 MB)](http://go.microsoft.com/fwlink/p/?LinkID=618035). +Before you can configure the advanced security features of your Surface device, you must first install the v3.11.760.0 UEFI update. This update is installed automatically if you receive your updates from Windows Update. For more information about how to configure Windows to update automatically by using Windows Update, see [How to configure and use Automatic Updates in Windows]( http://go.microsoft.com/fwlink/p/?LinkID=618030). + +To update the UEFI on Surface Pro 3, you can download and install the Surface UEFI updates as part of the Surface Pro 3 Firmware and Driver Pack. These firmware and driver packs are available from the [Surface Pro 3 page](https://www.microsoft.com/en-us/download/details.aspx?id=38826) on the Microsoft Download Center. You can find out more about the firmware and driver packs at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/en-us/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices). The firmware and driver packs are available as both self-contained Windows Installer (.msi) and archive (.zip) formats. 
You can find out more about these two formats and how you can use them to update your drivers at [Manage Surface driver and firmware updates](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-pro-3-firmware-updates). ## Manually configure additional security settings diff --git a/devices/surface/index.md b/devices/surface/index.md index d0bb077b72..447cdeea27 100644 --- a/devices/surface/index.md +++ b/devices/surface/index.md @@ -35,7 +35,7 @@ For more information on planning for, deploying, and managing Surface devices in -
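Review bot: the new paragraph in hunk @@ -20,7 +20,9 @@ of advanced-uefi-security-features-for-surface-pro-3.md links to deploy-the-latest-firmware-and-drivers-for-surface-devices and manage-surface-pro-3-firmware-updates with absolute technet.microsoft.com URLs, while both topics live in this repo (both appear in TOC.md and manage-surface-pro-3-firmware-updates.md is patched below) and index.md links topics with relative .md paths; use relative links so they are validated at build time and survive a hosting move. The paragraph also replaces the explicit v3.11.760.0 package links (SurfacePro3_150326.msi and .zip) with the generic Surface Pro 3 download page; say which firmware and driver pack contains the v3.11.760.0 UEFI so readers can tell whether the pack they download is new enough to enable the settings this topic describes.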

[Advanced UEFI security features for Surface](advanced-uefi-security-features-for-surface.md)

+

[Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)

Find out how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices.
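Review bot: the `-35,7 +35,7` hunk changes the link target from `advanced-uefi-security-features-for-surface.md` to `advanced-uefi-security-features-for-surface-pro-3.md`, but the patch as shown here contains no rename of that file and no redirect from the old path, so confirm both are part of the same change; otherwise this index entry and any external bookmarks to the old filename break. The description line below it is unchanged and still cites v3.11.760.0, which is consistent with the renamed topic.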

diff --git a/devices/surface/manage-surface-pro-3-firmware-updates.md b/devices/surface/manage-surface-pro-3-firmware-updates.md index 8e757fdaca..3bc069e706 100644 --- a/devices/surface/manage-surface-pro-3-firmware-updates.md +++ b/devices/surface/manage-surface-pro-3-firmware-updates.md 
@@ -34,7 +34,7 @@ For details about Group Policy for client configuration of WSUS or Windows Updat **Windows Installer Package** -The firmware and driver downloads for Surface devices now include MSI installation files for firmware and driver updates. These MSI packages can be deployed with utilities that support application deployment, including the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. This solution allows for centralized deployment and for administrators to test and review firmware updates before they are deployed. For more information about the MSI package delivery method for firmware and driver updates, including details on what drivers are updated by the package and why certain drivers and firmware are not updated by the MSI package, see the [Surface Pro 3 MSI Now Available](http://go.microsoft.com/fwlink/p/?LinkId=618173) blog post. +The firmware and driver downloads for Surface devices now include Windows Installer files for firmware and driver updates. These Windows Installer packages can be deployed with utilities that support application deployment, including the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. This solution allows for centralized deployment and for administrators to test and review firmware updates before they are deployed. For more information about the Windows Installer package delivery method for firmware and driver updates, including details on what drivers are updated by the package and why certain drivers and firmware are not updated by the Windows Installer package, see the [Surface Pro 3 MSI Now Available](http://go.microsoft.com/fwlink/p/?LinkId=618173) blog post. For instructions on how to deploy with System Center Configuration Manager, refer to [How to Deploy Applications in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=618175). 
For deployment of applications with MDT, see [Step 4: Add an application in the Deploy a Windows 8.1 Image Using MDT 2013](http://go.microsoft.com/fwlink/p/?LinkId=618176). Note that you can deploy applications separately from an operating system deployment through MDT by using a Post OS Installation task sequence. diff --git a/devices/surface/surface-diagnostic-toolkit.md b/devices/surface/surface-diagnostic-toolkit.md index 4fa7514559..bcea29785f 100644 --- a/devices/surface/surface-diagnostic-toolkit.md +++ b/devices/surface/surface-diagnostic-toolkit.md 
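Review bot: in the `-34,7 +34,7` hunk, "MSI" is replaced with "Windows Installer" throughout, but the first mention should keep the file extension, as the earlier hunk does ("Windows Installer (.msi)"); otherwise readers who know these packages as MSI files, and the linked blog post titled "Surface Pro 3 MSI Now Available", have no term to match. Suggest: `The firmware and driver downloads for Surface devices now include Windows Installer (.msi) files for firmware and driver updates.`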
@@ -125,7 +125,9 @@ If a Surface Type Cover is not detected, the test prompts you to connect the Typ >**Note:**  This test is only applicable to Surface Book and requires that the Surface Book be docked to the keyboard. -This test is essentially the same as the Type Cover test, except the integrated keyboard in the Surface Book base is tested rather than the Type Cover. Move the cursor and use the Windows key to bring up the Start menu to confirm that the touchpad and keyboard are operating successfully. This test will display the status of cursor movement and keyboard input for you to verify. Press **ESC** to complete the test. +This test is essentially the same as the Type Cover test, except the integrated keyboard in the Surface Book base is tested rather than the Type Cover. During the first stage of this test a diagram of the keyboard is displayed. When you press a key, the corresponding key will be marked on the diagram. The test will proceed when every key in the diagram is marked. In the second stage of this test, you are prompted to make several gestures on the keypad. As you perform each gesture (for example, a three finger tap), the gesture will be marked on the screen. When you have performed all gestures, the test will automatically complete. + +>**Note:**  The F-keys on the diagram require that you press the Function (FN) key simultaneously to activate them. By default, these keys perform other actions. For the Home and End keys, you must press the same keys as F8 and F9, but without the Function (FN) key pressed. #### Canvas mode battery test diff --git a/education/index.md b/education/index.md deleted file mode 100644 index 0bd9ced4cc..0000000000 --- a/education/index.md +++ /dev/null @@ -1 +0,0 @@ -#OP Testing file diff --git a/education/windows/TOC.md b/education/windows/TOC.md new file mode 100644 index 0000000000..fa7c285458 --- /dev/null +++ b/education/windows/TOC.md 
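Review bot: in the `-125,7 +125,9` hunk the added text says "make several gestures on the keypad", while the sentence it replaces (and the test it describes) covers the touchpad; change "keypad" to "touchpad". The new Note is also ambiguous: it first says the F-keys need FN because "by default, these keys perform other actions", then that Home and End are "the same keys as F8 and F9, but without the Function (FN) key pressed"; state plainly whether Home and End are the default (no-FN) action of those two keys so the reader knows which action the diagram is waiting for.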
@@ -0,0 +1,13 @@ +# [Windows 10 for education](index.md) +## [Change history for Windows 10 for Education](change-history-edu.md) +## [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) +## [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md) +## [Get Minecraft Education Edition](get-minecraft-for-education.md) +### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md) +### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md) +## [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md) +### [Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md) +### [Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md) +### [Take a Test app technical reference (Preview)](take-a-test-app-technical.md) +## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) +## [Chromebook migration guide](chromebook-migration-guide.md) \ No newline at end of file diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md new file mode 100644 index 0000000000..bde12a2f2b --- /dev/null +++ b/education/windows/change-history-edu.md @@ -0,0 +1,29 @@ +--- +title: Change history for Windows 10 for Education (Windows 10) +description: New and changed topics in Windows 10 for Education +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: edu +author: jdeckerMS +--- + +# Change history for Windows 10 for Education + +This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation. + +## June 2016 + +| New or changed topic | Description | +|----------------------|-------------| +| [Get Minecraft Education Edition](get-minecraft-for-education.md)
[For teachers: get Minecraft Education Edition](teacher-get-minecraft.md)
[For IT administrators: get Minecraft Education Edition](school-get-minecraft.md) | New | + +## May 2016 + +| New or changed topic | Description | +|----------------------|-------------| +| [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | New | +| [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) | New | +| [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md)
[Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md)
[Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md)
[Take a Test app technical reference (Preview)](take-a-test-app-technical.md) | New | +| [Chromebook migration guide](chromebook-migration-guide.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in November 2015 | +| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in May 2016 | \ No newline at end of file diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md new file mode 100644 index 0000000000..428efd3e77 --- /dev/null +++ b/education/windows/chromebook-migration-guide.md 
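Review bot: the change-history table in `education/windows/change-history-edu.md` lists "Set up School PCs app technical reference (Preview)", while `education/windows/TOC.md` in the preceding hunk titles the same topic "Technical reference for the Set up School PCs app (Preview)"; align the two so the history entry matches the topic title. Both new files end with `\ No newline at end of file`; add the trailing newline. The June and May entries each pack several links into one table cell across multiple lines; if those cells rely on `<br>` tags, check the rendered output, because a raw line break inside a pipe table starts a new row.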
@@ -0,0 +1,963 @@ +--- +title: Chromebook migration guide (Windows 10) +description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. +ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA +keywords: migrate, automate, device +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu, devices +author: craigash +--- + +# Chromebook migration guide + + +**Applies to** + +- Windows 10 + +In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You will learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You will then learn the best method to perform the migration by using automated deployment and migration tools. + +## Plan Chromebook migration + + +Before you begin to migrate Chromebook devices, plan your migration. As with most projects, there can be an urge to immediately start doing before planning. When you plan your Chromebook migration before you perform the migration, you can save countless hours of frustration and mistakes during the migration process. + +In the planning portion of this guide, you will identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you will have a list of information you need to collect and what you need to do with the information. You will be ready to perform your Chromebook migration. + +## Plan for app migration or replacement + + +App migration or replacement is an essential part of your Chromebook migration. In this section you will plan how you will migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. 
At the end of this section, you will have a list of the active Chrome OS apps and the Windows app counterparts. + +**Identify the apps currently in use on Chromebook devices** + +Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You will create a list of apps that are currently in use (also called an app portfolio). + +**Note**   +The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section. + +  + +You can divide the apps into the following categories: + +- **Apps installed and managed by the institution.** These apps are typically managed in the Apps section in the Google Admin Console. You can record the list of these apps in your app portfolio. + +- **Apps installed by faculty or students.** Faculty or students might have installed these apps as a part of a classroom curriculum. Obtain the list of these apps from faculty or students. Ensure you only record apps that are legitimately used as a part of classroom curriculum (and not for personal entertainment or use). + +Record the following information about each app in your app portfolio: + +- App name + +- App type (such as offline app, online app, web app, and so on) + +- App publisher or developer + +- App version currently in use + +- App priority (how necessary is the app to the day-to-day process of the institution or a classroom? Rank as high, medium, or low) + +Throughout the entire app migration or replacement process, focus on the higher priority apps. Focus on lower priority apps only after you have determined what you will do with the higher priority apps. 
+ +### + +**Select Google Apps replacements** + +Table 1 lists the Windows device app replacements for the common Google Apps on Chromebook devices. If your users rely on any of these Google Apps, use the corresponding app on the Windows device. Use the information in Table 1 to select the Google App replacement on a Windows device. + +Table 1. Google App replacements + +| If you use this Google app on a Chromebook | Use this app on a Windows device | +|--------------------------------------------|--------------------------------------| +| Google Docs | Word 2016 or Word Online | +| Google Sheets | Excel 2016 or Excel Online | +| Google Slides | PowerPoint 2016 or PowerPoint Online | +| Google Apps Gmail | Outlook 2016 or Outlook Web App | +| Google Hangouts | Microsoft Skype for Business | +| Chrome | Microsoft Edge | +| Google Drive | Microsoft OneDrive for Business | + +  + +It may be that you will decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide. + +**Find the same or similar apps in the Windows Store** + +In many instances, software vendors will create a version of their app for multiple platforms. You can search the Windows Store to find the same or similar apps to any apps not identified in the [Select Google Apps replacements](#select-googleapps) section. + +In other instances, the offline app does not have a version written for the Windows Store or is not a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher does not have a version for Windows devices. Search the Windows Store for a graphing calculator app that provides similar features and functionality. 
Use that Windows Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS. + +Record the Windows app that replaces the Chromebook app in your app portfolio. + +### + +**Perform app compatibility testing for web apps** + +The majority of Chromebook apps are web apps. Because you cannot run native offline Chromebook apps on a Windows device, there is no reason to perform app compatibility testing for offline Chromebook apps. However, you may have a number of web apps that will run on both platforms. + +Ensure that you test these web apps in Microsoft Edge. Record the level of compatibility for each web app in Microsoft Edge in your app portfolio. + +## Plan for migration of user and device settings + + +Some institutions have configured the Chromebook devices to make the devices easier to use by using the Google Chrome Admin Console. You have also probably configured the Chromebook devices to help ensure the user data access and ensure that the devices themselves are secure by using the Google Chrome Admin Console. + +However, in addition to your centralized configuration in the Google Admin Console, Chromebook users have probably customized their device. In some instances, users may have changed the web content that is displayed when the Chrome browser starts. Or they may have bookmarked websites for future reference. Or users may have installed apps for use in the classroom. + +In this section, you will identify the user and device configuration settings for your Chromebook users and devices. Then you will prioritize these settings to focus on the configuration settings that are essential to your educational institution. + +At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, as well as a level of priority for each setting. You may discover at the end of this section that you have few or no higher priority settings to be migrated. 
If this is the case, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide. + +**Identify Google Admin Console settings to migrate** + +You use the Google Admin Console (as shown in Figure 1) to manage user and device settings. These settings are applied to all the Chromebook devices in your institution that are enrolled in the Google Admin Console. Review the user and device settings in the Google Admin Console and determine which settings are appropriate for your Windows devices. + +![figure 1](images/chromebook-fig1-googleadmin.png) + +Figure 1. Google Admin Console + +Table 2 lists the settings in the Device Management node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. + +Table 2. Settings in the Device Management node in the Google Admin Console + + ++++ + + + + + + + + + + + + + + + + + + + + +
SectionSettings
Network

These settings configure the network connections for Chromebook devices and include the following settings categories:

+
    +
  • Wi-Fi. Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks.

  • +
  • Ethernet. Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network.

  • +
  • VPN. Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet.

  • +
  • Certificates. Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network.

  • +
Mobile

These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:

+
    +
  • Device management settings. Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.

  • +
  • Device activation. Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.

  • +
  • Managed devices. Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.

  • +
  • Set Up Apple Push Certificate. Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.

  • +
  • Set Up Android for Work. Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider.

  • +
Chrome management

These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:

+
    +
  • User settings. Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.

  • +
  • Public session settings. Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.

  • +
  • Device settings. Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.

  • +
  • Devices. Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices.

  • +
  • App Management. Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices.

  • +
+ +  + +Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. + +Table 3. Settings in the Security node in the Google Admin Console + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SectionSettings

Basic settings

These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.

+

Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment.

Password monitoring

This section is used to monitor the strength of user passwords. You don’t need to migrate any settings in this section.

API reference

This section is used to enable access to various Google Apps Administrative APIs. You don’t need to migrate any settings in this section.

Set up single sign-on (SSO)

This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.

Advanced settings

This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You don’t need to migrate any settings in this section.

+ +  + +**Identify locally-configured settings to migrate** + +In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you will migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2). + +![figure 2](images/fig2-locallyconfig.png) + +Figure 2. Locally-configured settings on Chromebook + +Table 4. Locally-configured settings + +| Section | Settings | +|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Internet connections | These settings configure the Internet connection for the devices, such as Wi-Fi and VPN connections. Record the network connection currently in use and configure the Windows device to use the same network connection settings. | +| Appearances | These settings affect the appearance of the desktop. Record the wallpaper image file that is used. Migrate the image file to the Windows device and configure as the user’s wallpaper to maintain similar user experience. | +| Search | These settings configure which search engine is used to search for content. Record this setting so that you can use as the search engine on the Windows device. 
| +| Advanced sync settings | These settings configure which user settings are synchronized with the Google cloud, such as Apps, Extensions, History, Passwords, Settings, and so on. Record these settings and configure the Windows device with the same settings if you decide to continue to use Google Apps and other cloud services after you migrate to Windows devices. | +| Date and time | These settings configure the time zone and if 24-hour clock time should be used. Record these settings and configure the Windows device to use these settings. | +| Privacy | These settings configure Google Chrome web browser privacy settings (such as prediction service, phishing and malware protection, spelling errors, resource pre-fetch, and so on). Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | +| Bluetooth | This setting configures whether or not Bluetooth is enabled on the device. Record this setting and configure the Windows device similarly. | +| Passwords and forms | These settings configure Google Chrome web browser to enable autofill of web forms and to save web passwords. Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | +| Smart lock | These settings configure the Chromebook when the user’s Android phone is nearby and unlocked, which eliminates the need to type a password. You don’t need to migrate settings in this section. | +| Web content | These settings configure how the Chrome web browser displays content (such as font size and page zoom). Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | +| Languages | These settings configure the language in use for the Chromebook. Record these settings and configure the Windows device to support the same language. 
| +| Downloads | These settings configure the default folder for file download, if the user should be prompted where to save files, and if the Google Drive account should be disconnected. Record these settings and configure the Windows device with similar settings. | +| HTTPS/SSL | These settings configure client-side certificates that are used to authenticate the device. Depending on the services or apps that use these certificates, you may need to export and then migrate these certificates to the Windows device. Contact the service or app provider to determine if you can use the existing certificate or if a new certificate needs to be issued. Record these settings and migrate the certificate to the Windows device or enroll for a new certificate as required by the service or app. | +| Google Cloud Print | These settings configure the printers that are available to the user. Record the list of printers available to the user and configure the Windows device to have the same printers available. Ensure that the user-friendly printer names in Windows are the same as for the Chromebook device. For example, if the Chromebook device has a printer named “Laser Printer in Registrar’s Office”, use that same name in Windows. | +| On startup | These settings configure which web pages are opened when the Chrome web browser starts. Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | +| Accessibility | These settings configure the Chromebook ease of use (such as display of large mouse cursor, use of high contrast mode, enablement of the screen magnifier, and so on). Record these settings and configure the Windows device with similar settings. | +| Powerwash | This action removes all user accounts and resets the Chromebook device back to factory settings. You don’t have to migrate any settings in this section. 
| +| Reset settings | This action retains all user accounts, but restores all settings back to their default values. You don’t have to migrate any settings in this section. | + +  + +Determine how many users have similar settings and then consider managing those settings centrally. For example, a large number of users may have many of the same Chrome web browser settings. You can centrally manage these settings in Windows after migration. + +Also, as a part of this planning process, consider settings that may not be currently managed centrally, but should be managed centrally. Record the settings that are currently being locally managed, but you want to manage centrally after the migration. + +**Prioritize settings to migrate** + +After you have collected all the Chromebook user, app, and device settings that you want to migrate, you need to prioritize each setting. Evaluate each setting and assign a priority to the setting based on the levels of high, medium, and low. + +Assign the setting-migration priority based on how critical the setting is to the faculty performing their day-to-day tasks and how the setting affects the curriculum in the classrooms. Focus on the migration of higher priority settings and put less effort into the migration of lower priority settings. There may be some settings that are not necessary at all and can be dropped from your list of settings entirely. Record the setting priority in the list of settings you plan to migrate. + +## Plan for email migration + + +Many of your users may be using Google Apps Gmail to manage their email, calendars, and contacts. You need to create the list of users you will migrate and the best time to perform the migration. + +Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information, see [Migrate Google Apps mailboxes to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690252). 
+ +**Identify the list of user mailboxes to migrate** + +In regards to creating the list of users you will migrate, it might seem that the answer “all the users” might be the best one. However, depending on the time you select for migration, only a subset of the users may need to be migrated. For example, you may not persist student email accounts between semesters or between academic years. In this case you would only need to migrate faculty and staff. + +Also, when you perform a migration it is a great time to verify that all user mailboxes are active. In many environments there are a significant number of mailboxes that were provisioned for users that are no longer a part of the institution (such as interns or student assistants). You can eliminate these users from your list of user mailboxes to migrate. + +Create your list of user mailboxes to migrate in Excel 2016 based on the format described in step 7 in [Create a list of Gmail mailboxes to migrate](http://go.microsoft.com/fwlink/p/?LinkId=690253). If you follow this format, you can use the Microsoft Excel spreadsheet to perform the actual migration later in the process. + +**Identify companion devices that access Google Apps Gmail** + +In addition to Chromebook devices, users may have companion devices (smartphones, tablets, desktops, laptops, and so on) that also access the Google Apps Gmail mailbox. You will need to identify those companion devices and identify the proper configuration for those devices to access Office 365 mailboxes. + +After you have identified each companion device, verify the settings for the device that are used to access Office 365. You only need to test one type of each companion device. For example, if users use Android phones to access Google Apps Gmail mailboxes, configure the device to access Office 365 and then record those settings. You can publish those settings on a website or to your helpdesk staff so that users will know how to access their Office 365 mailbox. 
+ +In most instances, users will only need to provide in their Office 365 email account and password. However, you should verify this on each type of companion device. For more information about how to configure a companion device to work with Office 365, see [Compare how different mobile devices work with Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690254). + +**Identify the optimal timing for the migration** + +Typically, the best time to perform the migration is between academic years or during semester breaks. Select the time of least activity for your institution. And during that time, the optimal time to perform the migration might be during an evening or over a weekend. + +Ensure that you communicate the time the migration will occur to your users well in advance. Also, ensure that users know how to access their Office 365 email after the migration is complete. Finally, ensure that your users know how to perform the common tasks they performed in Google Apps Gmail in Office 365 and/or Outlook 2016. + +## Plan for cloud storage migration + + +Chromebook devices have limited local storage. So, most of your users will store data in cloud storage, such as Google Drive. You will need to plan how to migrate your cloud storage as a part of the Chromebook migration process. + +In this section, you will create a list of the existing cloud services, select the Microsoft cloud services that best meet your needs, and then optimize your cloud storage services migration plan. + +**Identify cloud storage services currently in use** + +Typically, most Chromebook users use Google Drive for cloud storage services because your educational institution purchased other Google cloud services and Google Drive is a part of those services. However, some users may use cloud storage services from other vendors. 
For each member of your faculty and staff and for each student, create a list of cloud storage services that includes the following: + +- Name of the cloud storage service + +- Cloud storage service vendor + +- Associated licensing costs or fees + +- Approximate storage currently in use per user + +Use this information as the requirements for your cloud storage services after you migrate to Windows devices. If at the end of this discovery you determine there is no essential data being stored in cloud storage services that requires migration, then you can skip to the [Plan for cloud services migration](#plan-cloud-services) section. + +**Optimize cloud storage services migration plan** + +Now that you know the current cloud storage services configuration, you need to optimize your cloud storage services migration plan for Microsoft OneDrive for Business. Optimization helps ensure that your use only the cloud storage services resources that are necessary for your requirements. + +Consider the following to help optimize your cloud storage services migration plan: + +- **Eliminate inactive user storage.** Before you perform the cloud storage services migration, identify cloud storage that is currently allocated to inactive users. Remove this storage from your list of cloud storage to migrate. + +- **Eliminate or archive inactive files.** Review cloud storage to identify files that are inactive (have not been accessed for some period of time). Eliminate or archive these files so that they do not consume cloud storage. + +- **Consolidate cloud storage services.** If multiple cloud storage services are in use, reduce the number of cloud storage services and standardize on one cloud storage service. This will help reduce management complexity, support time, and typically will reduce cloud storage costs. + +Record your optimization changes in your cloud storage services migration plan. 
+ +## Plan for cloud services migration + + +Many of your users may use cloud services on their Chromebook device, such as Google Apps, Google Drive, or Google Apps Gmail. You have planned for these individual cloud services in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. + +In this section, you will create a combined list of these cloud services and then select the appropriate strategy to migrate these cloud services. + +### + +**Identify cloud services currently in use** + +You have already identified the individual cloud services that are currently in use in your educational institution in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. Create a unified list of these cloud services and record the following about each service: + +- Cloud service name + +- Cloud service provider + +- Number of users that use the cloud service + +**Select cloud services to migrate** + +One of the first questions you should ask after you identify the cloud services currently in use is, “Why do we need to migrate from these cloud services?” The answer to this question largely comes down to finances and features. + +Here is a list of reasons that describe why you might want to migrate from an existing cloud service to Microsoft cloud services: + +- **Better integration with Office 365.** If your long-term strategy is to migrate to Office 365 apps (such as Word 2016 or Excel 2016) then a migration to Microsoft cloud services will provide better integration with these apps. The use of existing cloud services may not be as intuitive for users. 
For example, Office 365 apps will integrate better with OneDrive for Business compared to Google Drive. + +- **Online apps offer better document compatibility.** Microsoft Office online apps (such as Word Online and Excel Online) provide the highest level of compatibility with Microsoft Office documents. The Office online apps allow you to open and edit documents directly from SharePoint or OneDrive for Business. Users can access the Office online app from any device with Internet connectivity. + +- **Reduce licensing costs.** If you pay for Office 365 licenses, then Office 365 apps and cloud storage are included in those licenses. Although you could keep existing cloud services, you probably would pay more to keep those services. + +- **Improve storage capacity and cross-platform features.** Microsoft cloud services provide competitive storage capacity and provide more Windows-centric features than other cloud services providers. While the Microsoft cloud services user experience is highly optimized for Windows devices, Microsoft cloud services are also highly optimized for companion devices (such as iOS or Android devices). + +Review the list of existing cloud services that you created in the [Identify cloud services currently in use](#identify-cloud-services-inuse) section and identify the cloud services that you want to migrate to Microsoft cloud services. If you determine at the end of this task that there are no cloud services to be migrated, then skip to the [Plan for Windows device deployment](#plan-windevice-deploy) section. Also, skip the [Perform cloud services migration](#perform-cloud-services-migration) section later in this guide. + +**Prioritize cloud services** + +After you have created your aggregated list of cloud services currently in use by Chromebook users, prioritize each cloud service. Evaluate each cloud service and assign a priority based on the levels of high, medium, and low. 
+ +Assign the priority based on how critical the cloud service is to the faculty and staff performing their day-to-day tasks and how the cloud service affects the curriculum in the classrooms. Also, make cloud services that are causing pain for the users a higher priority. For example, if users experience outages with a specific cloud service, then make migration of that cloud service a higher priority. + +Focus on the migration of higher priority cloud services first and put less effort into the migration of lower priority cloud services. There may be some cloud services that are unnecessary and you can remove them from your list of cloud services to migrate entirely. Record the cloud service migration priority in the list of cloud services you plan to migrate. + +### + +**Select cloud services migration strategy** + +When you deploy the Windows devices, should you migrate the faculty, staff, and students to the new cloud services? Perhaps. But, in most instances you will want to select a migration strategy that introduces a number of small changes over a period of time. + +Consider the following when you create your cloud services migration strategy: + +- **Introduce small changes.** The move from Chrome OS to Windows will be simple for most users as most will have exposure to Windows from home, friends, or family. However, users may not be as familiar with the apps or cloud services. Consider the move to Windows first, and then make other changes as time progresses. + +- **Start off by using existing apps and cloud services.** Immediately after the migration to Windows devices, you may want to consider running the existing apps and cloud services (such Google Apps, Google Apps Gmail, and Google Drive). This gives users a familiar method to perform their day-to-day tasks. + +- **Resolve pain points.** If some existing apps or cloud services cause problems, you may want to migrate them sooner rather than later. 
In most instances, users will be happy to go through the learning curve of a new app or cloud service if it is more reliable or intuitive for them to use. + +- **Migrate classrooms or users with common curriculum.** Migrate to Windows devices for an entire classroom or for multiple classrooms that share common curriculum. You must ensure that the necessary apps and cloud services are available for the curriculum prior to the migration of one or more classrooms. + +- **Migrate when the fewest number of active users are affected.** Migrate your cloud services at the end of an academic year or end of a semester. This will ensure you have minimal impact on faculty, staff, and students. Also, a migration during this time will minimize the learning curve for users as they are probably dealing with new curriculum for the next semester. Also, you may not need to migrate student apps and data because many educational institutions do not preserve data between semesters or academic years. + +- **Overlap existing and new cloud services.** For faculty and staff, consider overlapping the existing and new cloud services (having both services available) for one business cycle (end of semester or academic year) after migration. This allows you to easily recover any data that might not have migrated successfully from the existing cloud services. At a minimum, overlap the user of existing and new cloud services until the user can verify the migration. Of course, the tradeoff for using this strategy is the cost of the existing cloud services. However, depending on when license renewal occurs, the cost may be minimal. + +## Plan for Windows device deployment + + +You need to plan for Windows device deployment to help ensure that the devices are successfully installed and configured to replace the Chromebook devices. Even if the vendor that provides the devices pre-loads Windows 10 on them, you still will need to perform other tasks. 
+ +In this section you will select a Windows device deployment strategy; plan for Active Directory Domain Services (AD DS) and Azure AD services; plan for device, user, and app management; and plan for any necessary network infrastructure remediation. + +### + +**Select a Windows device deployment strategy** + +What decisions need to be made about Windows device deployment? You just put the device on a desk, hook up power, connect to Wi-Fi, and then let the users operate the device, right? That is essentially correct, but depending on the extent of your deployment and other factors, you need to consider different deployment strategies. + +For each classroom that has Chromebook devices, select a combination of the following device deployment strategies: + +- **Deploy one classroom at a time.** In most cases you will want to perform your deployment in batches of devices and a classroom is an excellent way to batch devices. You can treat each classroom as a unit and check each classroom off your list after you have deployed the devices. + +- **Deploy based on curriculum.** Deploy the Windows devices after you have confirmed that the curriculum is ready for the Windows devices. If you deploy Windows devices without the curriculum installed and tested, you could significantly reduce the ability for students and teachers to perform effectively in the classroom. Also, deployment based on curriculum has the advantage of letting you move from classroom to classroom quickly if multiple classrooms use the same curriculum. + +- **Deploy side-by-side.** In some instances you may need to have both the Chromebook and Windows devices in one or more classrooms. You can use this strategy if some of the curriculum only works on Chromebook and other parts of the curriculum works on Windows devices. This is a good method to help prevent delays in Windows device deployment, while ensuring that students and teachers can make optimal use of technology in their curriculum. 
+ +- **Deploy after apps and cloud services migration.** If you deploy a Windows device without the necessary apps and cloud services to support the curriculum, this provides only a portion of your complete solution. Ensure that the apps and cloud services are tested, provisioned, and ready for use prior to the deployment of Windows devices. + +- **Deploy after the migration of user and device settings.** Ensure that you have identified the user and device settings that you plan to migrate and that those settings are ready to be applied to the new Windows devices. For example, you would want to create Group Policy Objects (GPOs) to apply the user and device settings to Windows devices. + + If you ensure that Windows devices closely mirror the Chromebook device configuration, you will ease user learning curve and create a sense of familiarity. Also, when you have the settings ready to be applied to the devices, it helps ensure you will deploy your new Windows devices in a secure configuration. + +Record the combination of Windows device deployment strategies that you selected. + +### + +**Plan for AD DS and Azure AD services** + +The next decision you will need to make concerns AD DS and Azure AD services. You can run AD DS on-premises, in the cloud by using Azure AD, or a combination of both (hybrid). The decision about which of these options is best is closely tied to how you will manage your users, apps, and devices and if you will use Office 365 and other Azure-based cloud services. + +In the hybrid configuration, your on-premises AD DS user and group objects are synchronized with Azure AD (including passwords). The synchronization happens both directions so that changes are made in both your on-premises AD DS and Azure AD. + +Table 5 is a decision matrix that helps you decide if you can use only on-premises AD DS, only Azure AD, or a combination of both (hybrid). 
If the requirements you select from the table require on-premises AD DS and Azure AD, then you should select hybrid. For example, if you plan to use Office 365 and use Group Policy for management, then you would select hybrid. However, if you plan to use Office 365 and use Intune for management, then you would select only Azure AD. + +Table 5. Select on-premises AD DS, Azure AD, or hybrid + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
If you plan to...On-premises AD DSAzure ADHybrid
Use Office 365XX
Use Intune for managementXX
Use System Center 2012 R2 Configuration Manager for managementXX
Use Group Policy for managementXX
Have devices that are domain-joinedXX
Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joinedXX
+ +  + +### + +**Plan device, user, and app management** + +You may ask the question, “Why plan for device, user, and app management before you deploy the device?” The answer is that you will only deploy the device once, but you will manage the device throughout the remainder of the device's lifecycle. + +Also, planning management before deployment is essential to being ready to support the devices as you deploy them. You want to have your management processes and technology in place when the first teachers, facility, or students start using their new Windows device. + +Table 6 is a decision matrix that lists the device, user, and app management products and technologies and the features supported by each product or technology. The primary device, user, and app management products and technologies include Group Policy, System Center Configuration Manager, Intune, and the Microsoft Deployment Toolkit (MDT). Use this decision matrix to help you select the right combination of products and technologies for your plan. + +Table 6. Device, user, and app management products and technologies + + +++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Desired featureWindows provisioning packagesGroup PolicyConfiguration ManagerIntuneMDTWindows Software Update Services
Deploy operating system imagesXXX
Deploy apps during operating system deploymentXXX
Deploy apps after operating system deploymentXXX
Deploy software updates during operating system deploymentXX
Deploy software updates after operating system deploymentXXXXX
Support devices that are domain-joinedXXXXX
Support devices that are not domain-joinedXXX
Use on-premises resourcesXXXX
Use cloud-based servicesX
+ +  + +You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution. + +Record the device, user, and app management products and technologies that you selected. + +### + +**Plan network infrastructure remediation** + +In addition to AD DS, Azure AD, and management components, there are other network infrastructure services that Windows devices need. In most instances, Windows devices have the same network infrastructure requirements as the existing Chromebook devices. + +Examine each of the following network infrastructure technologies and services and determine if any remediation is necessary: + +- **Domain Name System (DNS)** provides translation between a device name and its associated IP address. For Chromebook devices, public facing, Internet DNS services are the most important. For Windows devices that only access the Internet, they have the same requirements. + + However, if you intend to communicate between Windows devices (peer-to-peer or client/server) then you will need local DNS services. Windows devices will register their name and IP address with the local DNS services so that Windows devices can locate each other. + +- **Dynamic Host Configuration Protocol (DHCP)** provides automatic IP configuration for devices. Your existing Chromebook devices probably use DHCP for configuration. If you plan to immediately replace the Chromebook devices with Windows devices, then you only need to release all the DHCP reservations for the Chromebook devices prior to the deployment of Windows devices. + + If you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your DHCP service has adequate IP addresses available for both sets of devices. 
+ +- **Wi-Fi.** Chromebook devices are designed to connect to Wi-Fi networks. Windows devices are the same. Your existing Wi-Fi network for the Chromebook devices should be adequate for the same number of Windows devices. + + If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that Wi-Fi network can support the number of devices. + +- **Internet bandwidth.** Chromebook devices consume more Internet bandwidth (up to 700 times more) than Windows devices. This means that if your existing Internet bandwidth is adequate for the Chromebook devices, then the bandwidth will be more than adequate for Windows devices. + + However, if you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your Internet connection can support the number of devices. + + For more information that compares Internet bandwidth consumption for Chromebook and Windows devices, see the following resources: + + - [Chromebook vs. Windows Notebook Network Traffic Analysis](http://go.microsoft.com/fwlink/p/?LinkId=690255) + + - [Hidden Cost of Chromebook Deployments](http://go.microsoft.com/fwlink/p/?LinkId=690256) + + - [Microsoft Windows 8.1 Notebook vs. Chromebooks for Education](http://go.microsoft.com/fwlink/p/?LinkId=690257) + +- **Power.** Although not specifically a network infrastructure, you need to ensure your classrooms have adequate power. Chromebook and Windows devices should consume similar amounts of power. This means that your existing power outlets should support the same number of Windows devices. + + If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, you need to ensure that the power outlets, power strips, and other power management components can support the number of devices. 
+ +At the end of this process, you may determine that no network infrastructure remediation is necessary. If so, you can skip the [Perform network infrastructure remediation](#network-infra-remediation) section of this guide. + +## Perform Chromebook migration + + +Thus far, planning has been the primary focus. Believe it or not most of the work is now done. The rest of the Chromebook migration is just the implementation of the plan you have created. + +In this section you will perform the necessary steps for the Chromebook device migration. You will perform the migration based on the planning decision that you made in the [Plan Chromebook migration](#plan-migration) section earlier in this guide. + +You must perform some of the steps in this section in a specific sequence. Each section has guidance about when to perform a step. You can perform other steps before, during, or after the migration. Again, each section will tell you if the sequence is important. + +## Perform network infrastructure remediation + + +The first migration task is to perform any network infrastructure remediation. In the [Plan network infrastructure remediation](#plan-network-infra-remediation) section, you determined the network infrastructure remediation (if any) that you needed to perform. + +It is important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Table 7 lists the Microsoft network infrastructure products and technologies and deployment resources for each. + +Table 7. Network infrastructure products and technologies and deployment resources + + ++++ + + + + + + + + + + + + + + + + +
Product or technologyResources
DHCP
    +
  • [Core Network Guide](http://go.microsoft.com/fwlink/p/?LinkId=733920)

  • +
  • [DHCP Deployment Guide](http://go.microsoft.com/fwlink/p/?LinkId=734021)

  • +
DNS
    +
  • [Core Network Guide](http://go.microsoft.com/fwlink/p/?LinkId=733920)

  • +
  • [Deploying Domain Name System (DNS)](http://go.microsoft.com/fwlink/p/?LinkId=734022)

  • +
+ +  + +If you use network infrastructure products and technologies from other vendors, refer to the vendor documentation on how to perform the necessary remediation. If you determined that no remediation is necessary, you can skip this section. + +## Perform AD DS and Azure AD services deployment or remediation + + +It is important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations. + +In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Table 8 list AD DS, Azure AD, and the deployment resources for both. Use the resources in this table to deploy or remediate on-premises AD DS, Azure AD, or both. + +Table 8. AD DS, Azure AD and deployment resources + + ++++ + + + + + + + + + + + + + + + + +
Product or technologyResources
AD DS
    +
  • [Core Network Guide](http://go.microsoft.com/fwlink/p/?LinkId=733920)

  • +
  • [Active Directory Domain Services Overview](http://go.microsoft.com/fwlink/p/?LinkId=733909)

  • +
Azure AD
    +
  • [Azure Active Directory documentation](http://go.microsoft.com/fwlink/p/?LinkId=690258)

  • +
  • [Manage and support Azure Active Directory Premium](http://go.microsoft.com/fwlink/p/?LinkId=690259)

  • +
  • [Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines](http://go.microsoft.com/fwlink/p/?LinkId=690260)

  • +
+ +  + +If you decided not to migrate to AD DS or Azure AD as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps. + +## Prepare device, user, and app management systems + + +In the [Plan device, user, and app management](#plan-userdevapp-manage) section of this guide, you selected the products and technologies that you will use to manage devices, users, and apps on Windows devices. You need to prepare your management systems prior to Windows 10 device deployment. You will use these management systems to manage the user and device settings that you selected to migrate in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section. You need to prepare these systems prior to the migration of user and device settings. + +Table 9 lists the Microsoft management systems and the deployment resources for each. Use the resources in this table to prepare (deploy or remediate) these management systems. + +Table 9. Management systems and deployment resources + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Management systemResources
Windows provisioning packages
    +
  • [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkId=733918)

  • +
  • [Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=733911)

  • +
  • [Step-By-Step: Building Windows 10 Provisioning Packages](http://go.microsoft.com/fwlink/p/?LinkId=690261)

  • +
Group Policy
    +
  • [Core Network Companion Guide: Group Policy Deployment](http://go.microsoft.com/fwlink/p/?LinkId=733915)

  • +
  • [Deploying Group Policy](http://go.microsoft.com/fwlink/p/?LinkId=734024)

  • +
Configuration Manager
    +
  • [Site Administration for System Center 2012 Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=733914)

  • +
  • [Deploying Clients for System Center 2012 Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=733919)

  • +
Intune
    +
  • [Set up and manage devices with Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=690262)

  • +
  • [Smoother Management Of Office 365 Deployments with Windows Intune](http://go.microsoft.com/fwlink/p/?LinkId=690263)

  • +
  • [System Center 2012 R2 Configuration Manager & Windows Intune](http://go.microsoft.com/fwlink/p/?LinkId=690264)

  • +
MDT
    +
  • [MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](http://go.microsoft.com/fwlink/p/?LinkId=690324)

  • +
  • [Step-By-Step: Installing Windows 8.1 From A USB Key](http://go.microsoft.com/fwlink/p/?LinkId=690265)

  • +
+ +  + +If you determined that no new management system or no remediation of existing systems is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. + +## Perform app migration or replacement + + +In the [Plan for app migration or replacement](#plan-app-migrate-replace) section, you identified the apps currently in use on Chromebook devices and selected the Windows apps that will replace the Chromebook apps. You also performed app compatibility testing for web apps to ensure that web apps on the Chromebook devices would run on Microsoft Edge and Internet Explorer. + +In this step, you need to configure your management system to deploy the apps to the appropriate Windows users and devices. Table 10 lists the Microsoft management systems and the app deployment resources for each. Use the resources in this table to configure these management systems to deploy the apps that you selected in the [Plan for app migration or replacement](#plan-app-migrate-replace) section of this guide. + +Table 10. Management systems and app deployment resources + + ++++ + + + + + + + + + + + + + + + + + + + + +
Management systemResources
Group Policy
    +
  • [Editing an AppLocker Policy](http://go.microsoft.com/fwlink/p/?LinkId=734025)

  • +
  • [Group Policy Software Deployment Background](http://go.microsoft.com/fwlink/p/?LinkId=734026)

  • +
  • [Assigning and Publishing Software](http://go.microsoft.com/fwlink/p/?LinkId=734027)

  • +
Configuration Manager
    +
  • [How to Deploy Applications in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=733917)

  • +
  • [Application Management in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=733907)

  • +
Intune
    +
  • [Deploy apps to mobile devices in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=733913)

  • +
  • [Manage apps with Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=733910)

  • +
+ +  + +If you determined that no deployment of apps is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. + +## Perform migration of user and device settings + + +In the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, you determined the user and device settings that you want to migrate. You selected settings that are configured in the Google Admin Console and locally on the Chromebook device. + +Perform the user and device setting migration by using the following steps: + +1. From the list of institution-wide settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure as many as possible in your management system (such as Group Policy, Configuration Manager, or Intune). + +2. From the list of device-specific settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure device-specific setting for higher priority settings. + +3. From the list of user-specific settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure user-specific setting for higher priority settings. + +4. Verify that all higher-priority user and device settings have been configured in your management system. + +If you do no want to migrate any user or device settings from the Chromebook devices to the Windows devices, you can skip this section. + +## Perform email migration + + +In the [Plan for email migration](#plan-email-migrate) section, you identified the user mailboxes to migrate, identified the companion devices that access Google Apps Gmail, and identified the optimal timing for migration. You can perform this migration before or after you deploy the Windows devices. 
+ +Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information on how to automate the migration from Google Apps Gmail to Office 365, see [Migrate Google Apps mailboxes to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690252). + +Alternatively, if you want to migrate to Office 365 from: + +- **On-premises Microsoft Exchange Server.** Use the following resources to migrate to Office 365 from an on-premises Microsoft Exchange Server: + + - [Cutover Exchange Migration and Single Sign-On](http://go.microsoft.com/fwlink/p/?LinkId=690266) + + - [Step-By-Step: Migration of Exchange 2003 Server to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690267) + + - [Step-By-Step: Migrating from Exchange 2007 to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690268) + +- **Another on-premises or cloud-based email service.** Follow the guidance from that vendor. + +## Perform cloud storage migration + + +In the [Plan for cloud storage migration](#plan-cloud-storage-migration) section, you identified the cloud storage services currently in use, selected the Microsoft cloud storage services that you will use, and optimized your cloud storage services migration plan. You can perform the cloud storage migration before or after you deploy the Windows devices. + +Manually migrate the cloud storage migration by using the following steps: + +1. Install both Google Drive app and OneDrive for Business or OneDrive app on a device. + +2. Sign in as the user in the Google Drive app. + +3. Sign in as the user in the OneDrive for Business or OneDrive app. + +4. Copy the data from the Google Drive storage to the OneDrive for Business or OneDrive storage. + +5. Optionally uninstall the Google Drive app. + +There are also a number of software vendors who provide software that helps automate the migration from Google Drive to OneDrive for Business, Office 365 SharePoint, or OneDrive. 
For more information about these automated migration tools, contact the vendors. + +## Perform cloud services migration + + +In the [Plan for cloud services migration](#plan-cloud-services)section, you identified the cloud services currently in use, selected the cloud services that you want to migrate, prioritized the cloud services to migrate, and then selected the cloud services migration strategy. You can perform the cloud services migration before or after you deploy the Windows devices. + +Migrate the cloud services that you currently use to the Microsoft cloud services that you selected. For example, you could migrate from a collaboration website to Office 365 SharePoint. Perform the cloud services migration based on the existing cloud services and the Microsoft cloud services that you selected. + +There are also a number of software vendors who provide software that helps automate the migration from other cloud services to Microsoft cloud services. For more information about these automated migration tools, contact the vendors. + +## Perform Windows device deployment + + +In the [Select a Windows device deployment strategy](#select-windows-device-deploy) section, you selected how you wanted to deploy Windows 10 devices. The other migration task that you designed in the [Plan for Windows device deployment](#plan-windevice-deploy) section have already been performed. Now it's time to deploy the actual devices. + +For example, if you selected to deploy Windows devices by each classroom, start with the first classroom and then proceed through all of the classrooms until you’ve deployed all Windows devices. + +In some instances, you may receive the devices with Windows 10 already deployed, and want to use provisioning packages. In other cases, you may have a custom Windows 10 image that you want to deploy to the devices by using Configuration Manager and/or MDT. 
For information on how to deploy Windows 10 images to the devices, see the following resources: + +- [Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=733911) + +- [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkId=733918) + +- [MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](http://go.microsoft.com/fwlink/p/?LinkId=690324) + +- [Step-By-Step: Installing Windows 8.1 From A USB Key](http://go.microsoft.com/fwlink/p/?LinkId=690265) + +- [Operating System Deployment in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=733916) + +In addition to the Windows 10 image deployment, you may need to perform the following tasks as a part of device deployment: + +- Enroll the device with your management system. + +- Ensure that Windows Defender is enabled and configured to receive updates. + +- Ensure that Windows Update is enabled and configured to receive updates. + +- Deploy any apps that you want the user to immediately be able to access when they start the device (such as Word 2016 or Excel 2016). + +After you complete these steps, your management system should take over the day-to-day maintenance tasks for the Windows 10 devices. Verify that the user and device settings migrated correctly as you deploy each batch of Windows 10 devices. Continue this process until you deploy all Windows 10 devices. + +## Related topics + + +[Try it out: Windows 10 deployment (for education)](http://go.microsoft.com/fwlink/p/?LinkId=623254) + +[Try it out: Windows 10 in the classroom](http://go.microsoft.com/fwlink/p/?LinkId=623255) + +  + +  + + + + + diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md new file mode 100644 index 0000000000..53a866f3b8 --- /dev/null +++ b/education/windows/deploy-windows-10-in-a-school.md 
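Review bot: Several wording defects in the migration sections of this hunk should be fixed before merge. In "Perform migration of user and device settings", "If you do no want to migrate" should read "do not", and steps 2 and 3 say "configure device-specific setting" and "configure user-specific setting" where "settings" is meant. In "Perform cloud services migration", the link text runs into the next word ("(#plan-cloud-services)section" needs a space). In "Perform cloud storage migration", "Manually migrate the cloud storage migration" reads better as "Manually perform the cloud storage migration", and step 1 should say "both the Google Drive app and the OneDrive for Business or OneDrive app". In "Perform Windows device deployment", "The other migration task that you designed ... have already been performed" should be "tasks". In the same section, "Step-By-Step: Installing Windows 8.1 From A USB Key" sits in a list introduced as resources for deploying Windows 10 images; either swap in the Windows 10 equivalent or say explicitly that the procedure still applies.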
@@ -0,0 +1,1264 @@ +--- +title: Deploy Windows 10 in a school (Windows 10) +description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy. +keywords: configure, tools, device, school +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: edu +ms.sitesec: library +author: craigash +--- + +# Deploy Windows 10 in a school + + +**Applies to** + +- Windows 10 + +This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment as well as the automated tools and built-in features of the operating system. + +## Prepare for school deployment + +Proper preparation is essential for a successful school deployment. To avoid common mistakes, your first step is to plan a typical school configuration. Just as with building a house, you need a blueprint for what your school should look like when it’s finished. The second step in preparation is to learn how you will configure your school. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your school. + +### Plan a typical school configuration + +As part of preparing for your school deployment, you need to plan your configuration—the focus of this guide. 
Figure 1 illustrates a typical finished school configuration that you can use as a model (the blueprint in our builder analogy) for the finished state. + +![fig 1](images/deploy-win-10-school-figure1.png) + +*Figure 1. Typical school configuration for this guide* + +Figure 2 shows the classroom configuration this guide uses. + +![fig 2](images/deploy-win-10-school-figure2.png) + +*Figure 2. Typical classroom configuration in a school* + +This school configuration has the following characteristics: +- It contains one or more admin devices. +- It contains two or more classrooms. +- Each classroom contains one teacher device. +- The classrooms connect to each other through multiple subnets. +- All devices in each classroom connect to a single subnet. +- All devices have high-speed, persistent connections to each other and to the Internet. +- All teachers and students have access to Windows Store or Windows Store for Business. +- All devices receive software updates from Intune (or another device management system). +- You install a 64-bit version of Windows 10 on the admin device. +- You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device. +- You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device. +- You install the 64-bit version of the Microsoft Deployment Toolkit (MDT) 2013 Update 2 on the admin device. + + **Note**  In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2. +- The devices use Azure AD in Office 365 Education for identity management. +- If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/). 
+- Use [Intune](http://technet.microsoft.com/library/jj676587.aspx), [compliance settings in Office 365](https://support.office.com/en-us/article/Manage-mobile-devices-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy](http://technet.microsoft.com/en-us/library/cc725828%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396) in AD DS to manage devices. +- Each device supports a one-student-per-device or multiple-students-per-device scenario. +- The devices can be a mixture of different make, model, and processor architecture (32 bit or 64 bit) or be identical. +- To initiate Windows 10 deployment, use a USB flash drive, DVD-ROM or CD-ROM, or Pre-Boot Execution Environment Boot (PXE Boot). +- The devices can be a mixture of different Windows 10 editions, such as Windows 10 Home, Windows 10 Pro, and Windows 10 Education. + +Office 365 Education allows: + +- Students and faculty to use Microsoft Office Online to create and edit Microsoft Word, OneNote, PowerPoint, and Excel documents in a browser. +- Teachers to use the [OneNote Class Notebook app](https://www.onenote.com/classnotebook) to share content and collaborate with students. +- Faculty to use the [OneNote Staff Notebooks app](https://www.onenote.com/staffnotebookedu) to collaborate with other teachers, administration, and faculty. +- Teachers to employ Sway to create interactive educational digital storytelling. +- Students and faculty to use email and calendars, with mailboxes up to 50 GB per user. +- Faculty to use advanced email features like email archiving and legal hold capabilities. +- Faculty to help prevent unauthorized users from accessing documents and email by using Azure Rights Management. +- Faculty to use advanced compliance tools on the unified eDiscovery pages in the Office 365 Compliance Center. +- Faculty to host online classes, parent–teacher conferences, and other collaboration in Skype for Business or Skype. 
+- Students and faculty to access up to 1 TB of personal cloud storage that users inside and outside the educational institution can share through OneDrive for Business. +- Teachers to provide collaboration in the classroom through Microsoft SharePoint Online team sites. +- Students and faculty to use Office 365 Video to manage videos. +- Students and faculty to use Yammer to collaborate through private social networking. +- Students and faculty to access classroom resources from anywhere on any device (including Windows 10 Mobile, iOS, and Android devices). + +For more information about Office 365 Education features and a FAQ, go to [Office 365 Education](https://products.office.com/en-us/academic). + +## How to configure a school + +Now that you have the plan (blueprint) for your classroom, you’re ready to learn about the tools you will use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge. + +The primary tool you will use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). + +You can use MDT as a stand-alone tool or integrate it with Microsoft System Center Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with System Center Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as System Center Configuration Manager) but result in fully automated deployments. + +MDT includes the Deployment Workbench—a console from which you can manage the deployment of Windows 10 and your apps. 
You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps and migration of user settings on existing devices. + +LTI performs deployment from a *deployment share*—a network-shared folder on the device where you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section. + +The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with Intune, the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements. + +The configuration process requires the following devices: + +- **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK and MDT on this device. +- **Faculty devices.** These are the devices that the teachers and other faculty use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices. +- **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them. + +The high-level process for deploying and configuring devices within individual classrooms and the school as a whole is as follows and illustrated in Figure 3: + +1. Prepare the admin device for use, which includes installing the Windows ADK and MDT. +2. On the admin device, create and configure the Office 365 Education subscription that you will use for each classroom in the school. +3. 
On the admin device, configure integration between on-premises AD DS and Azure AD (if you have an on premises AD DS configuration). +4. On the admin device, create and configure a Windows Store for Business portal. +5. On the admin device, prepare for management of the Windows 10 devices after deployment. +6. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10. +7. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS and Azure AD integration. + +![fig 3](images/deploy-win-10-school-figure3.png) + +*Figure 3. How school configuration works* + +Each of the steps illustrated in Figure 3 directly correspond to the remaining high-level sections in this guide. + +### Summary + +In this section, you looked at the final configuration of your individual classrooms and the school as a whole upon completion of this guide. You also learned the high-level steps you need to perform to deploy the faculty and student devices in your school. + +## Prepare the admin device + +Now, you’re ready to prepare the admin device for use in the school. This process includes installing the Windows ADK, installing the MDT, and creating the MDT deployment share. + +### Install the Windows ADK + +The first step in preparing the admin device is to install the Windows ADK. The Windows ADK contains the deployment tools that MDT uses, including the Windows Preinstallation Environment (Windows PE), the Windows User State Migration Tool (USMT), and Deployment Image Servicing and Management. 
+ +When you install the Windows ADK on the admin device, select the following features: + +- Deployment tools +- Windows Preinstallation Environment (Windows PE) +- User State Migration Tool (USMT) + +For more information about installing the Windows ADK, see [Step 2-2: Install the Windows ADK](http://technet.microsoft.com/en-us/library/dn781086.aspx?f=255&MSPPError=-2147217396#InstallWindowsADK). + +### Install MDT + +Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windows 10 and app deployment and is a free tool available directly from Microsoft. + +You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 64-bit version of MDT to support deployment of 32-bit and 64-bit operating systems. + +**Note**  If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32 bit versions of the operating system. + +For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com/en-us/library/dn759415.aspx#InstallingaNewInstanceofMDT). + +Now, you’re ready to create the MDT deployment share and populate it with the operating system, apps, and device drivers you want to deploy to your devices. + +### Create a deployment share + +MDT includes the Deployment Workbench, a graphical user interface that you can use to manage MDT deployment shares. A deployment share is a shared folder that contains all the MDT deployment content. The LTI Deployment Wizard accesses the deployment content over the network or from a local copy of the deployment share (known as MDT deployment media). + +For more information about how to create a deployment share, see [Step 3-1: Create an MDT Deployment Share](http://technet.microsoft.com/en-us/library/dn781086.aspx?f=255&MSPPError=-2147217396#CreateMDTDeployShare). 
+ +### Summary + +In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later in the LTI deployment process. + +## Create and configure Office 365 + +Office 365 is one of the core components of your classroom environment. You create and manage student identities in Office 365, and students and teachers use the suite as their email, contacts, and calendar system. Teachers and students use Office 365 collaboration features such as SharePoint, OneNote, and OneDrive for Business. + +As a first step in deploying your classroom, create an Office 365 Education subscription, and then configure Office 365 for the classroom. For more information about Office 365 Education deployment, see [School deployment of Office 365 Education](http://www.microsoft.com/en-us/education/products/office-365-deployment-resources/default.aspx). + +### Select the appropriate Office 365 Education license plan + +Complete the following steps to select the appropriate Office 365 Education license plan for your school: + +
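Review bot: The bullet "You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device." appears twice in the "This school configuration has the following characteristics" list; drop the duplicate. Other fixes in this region: under "The configuration process requires the following devices", "You will use the admin device deploy (or upgrade)" is missing "to"; "Each of the steps illustrated in Figure 3 directly correspond" should be "corresponds"; "on premises AD DS configuration" in high-level step 3 and "32 bit versions" in the Install MDT note should be hyphenated as elsewhere in the file ("on-premises", "32-bit"); and "Deployment Image Servicing and Management" in "Install the Windows ADK" could carry its abbreviation (DISM) since the other two tools in that sentence get theirs. The characteristics list also says "It contains one or more admin devices" while the "Admin device" description and the deployment-share text treat it as a single device; say whether each admin device needs its own Windows ADK, MDT and deployment share.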
    +
  1. Determine the number of faculty members and students who will use the classroom.
    Office 365 Education licensing plans are available specifically for faculty and students. You must assign faculty and students the correct licensing plan. +
  2. +
  3. Determine the faculty members and students who need to install Office applications on devices (if any). Faculty and students can use Office applications online (standard plans) or run them locally (Office 365 ProPlus plans). Table 1 lists the advantages and disadvantages of standard and Office 365 ProPlus plans.
  4. +
    +*Table 1. Comparison of standard and Microsoft Office 365 ProPlus plans* +
    + +++++ + + + + + + + + + + + + +
    PlanAdvantagesDisadvantages
    Standard
    • Less expensive than Office 365 ProPlus
    • Can be run from any device
    • No installation necessary
    • Must have an Internet connection to use it
    • Does not support all the features found in Office 365 ProPlus
    Office ProPlus
    • Only requires an Internet connection every 30 days (for activation)
    • Supports full set of Office features
    • Requires installation
    • Can be installed on only five devices per user (there is no limit to the number of devices on which you can run Office apps online)
    +
    +The best user experience is to run Office 365 ProPlus or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device. +
    +
  5. Determine whether students or faculty need Azure Rights Management.
    You can use Azure Rights Management to protect classroom information against unauthorized access. Azure Rights Management protects your information inside or outside the classroom through encryption, identity, and authorization policies, securing your files and email. You can retain control of the information, even when it’s shared with people outside the classroom or your educational institution. Azure Rights Management is free to use with all Office 365 Education license plans. For more information, see [Azure Rights Management](https://technet.microsoft.com/library/jj585024.aspx).
  6. +
  7. Record the Office 365 Education license plans needed for the classroom in Table 2.

    + +*Table 2. Office 365 Education license plans needed for the classroom* +
    + ++++ + + + + + + + + + + + + +
    QuantityPlan
    Office 365 Education for students
    Office 365 Education for faculty
    Azure Rights Management for students
    Azure Rights Management for faculty
    +
    +You will use the Office 365 Education license plan information you record in Table 2 in the [Create user accounts in Office 365](#create-user-accounts-in-office-365) section of this guide.
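Review bot: The numbered procedure under "Select the appropriate Office 365 Education license plan" renders as steps 1, 3, 5 and 7 with empty 2, 4 and 6 entries because the HTML tables and the blank lines around them break the Markdown list; the intended steps are four (determine faculty and student counts, determine who needs installed Office applications, determine who needs Azure Rights Management, record the plans in Table 2), so either indent the tables under the step they belong to or restart the numbering after each table. In Table 1, the second row label "Office ProPlus" should be "Office 365 ProPlus" to match the caption and the surrounding text.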
+ +### Create a new Office 365 Education subscription + +To create a new Office 365 Education subscription for use in the classroom, use your educational institution’s email account. There are no costs to you or to students for signing up for Office 365 Education subscriptions. + +**Note**  If you already have an Office 365 Education subscription, you can use that subscription and continue to the next section, [Add domains and subdomains](#add-domains-and-subdomains). + +#### To create a new Office 365 subscription + +1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar. + + **Note**  If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window in one of the following: + - Microsoft Edge by opening the Microsoft Edge app, either pressing Ctrl+Shift+P or clicking or tapping **More actions**, and then clicking or tapping **New InPrivate window**. + - Internet Explorer 11 by opening Internet Explorer 11, either pressing Ctrl+Shift+P or clicking or tapping **Settings**, clicking or tapping **Safety**, and then clicking or tapping **InPrivate Browsing**. + +2. On the **Get started** page, type your school email address in the **Enter your school email address** box, and then click **Sign up**. You will receive an email in your school email account. +3. Click the hyperlink in the email in your school email account. +4. On the **One last thing** page, complete your user information, and then click **Start**. The wizard creates your new Office 365 Education subscription, and you are automatically signed in as the administrative user you specified when you created the subscription. + +### Add domains and subdomains + +Now that you have created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. 
For example, if your institution has contoso.edu as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains. + +#### To add additional domains and subdomains + +1. In the Office 365 admin center, in the list view, click **DOMAINS**. +2. In the details pane, above the list of domains, on the menu bar, click **Add domain**. +3. In the Add a New Domain in Office 365 Wizard, on the **Verify domain wizard** page, click **Let’s get started**. +4. On the **Verify domain** wizard page, in the **Enter a domain you already own** box, type your domain name, and then click **Next**. +5. Sign in to your domain name management provider (for example, Network Solutions or GoDaddy), and then complete the steps for your provider. +6. Repeat these steps for each domain and subdomain you want faculty and students to use for your institution. + +### Configure automatic tenant join + +To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant. + +**Note**  By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries require opt-in steps to add new users to existing Office 365 tenants. Check your country requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. + +Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. 
For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks: + +- If an Office 365 tenant with that domain name (contoso.edu) exists, Office 365 automatically adds the user to that tenant. +- If an Office 365 tenant with that domain name (contoso.edu) does not exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it. + +You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before allowing other faculty and students to join Office 365. + +**Note**  You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. + +All new Office 365 Education subscriptions have automatic tenant join enabled by default, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 3. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). + +*Table 3. Windows PowerShell commands to enable or disable Automatic Tenant Join* + + +| Action | Windows PowerShell command | +|------- |----------------------------| +| Enable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $true`| +| Disable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $false`| +

+**Note**  If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant. + +### Disable automatic licensing + +To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval. + +**Note**  By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. + +Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 4. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). + +*Table 4. Windows PowerShell commands to enable or disable automatic licensing* + +| Action | Windows PowerShell command| +| -------| --------------------------| +| Enable |`Set-MsolCompanySettings -AllowAdHocSubscriptions $true`| +|Disable | `Set-MsolCompanySettings -AllowAdHocSubscriptions $false`| +

+### Enable Azure AD Premium + +When you create your Office 365 subscription, you create an Office 365 tenant that includes an Azure AD directory. Azure AD is the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Azure AD–integrated apps. Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. + +Educational institutions can obtain Azure AD Basic edition licenses at no cost. After you obtain your licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/#step-3-activate-your-azure-active-directory-access). + +The Azure AD Premium features that are not in Azure AD Basic include: + +- Allow designated users to manage group membership +- Dynamic group membership based on user metadata +- Multifactor authentication (MFA) +- Identify cloud apps that your users run +- Automatic enrollment in a mobile device management (MDM) system (such as Intune) +- Self-service recovery of BitLocker +- Add local administrator accounts to Windows 10 devices +- Azure AD Connect health monitoring +- Extended reporting capabilities + +You can assign Azure AD Premium licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium to only those users. + +You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You will assign Azure AD Premium licenses to users later in the deployment process. 
+ +For more information about: + +- Azure AD editions and the features in each, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/). +- How to enable Azure AD premium, see [Associate an Azure AD directory with a new Azure subscription](https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx#create_tenant3). + +### Summary +You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if required), you’re ready to select the method you will use to create user accounts in Office 365. + +## Select an Office 365 user account–creation method + + +Now that you have an Office 365 subscription, you need to determine how you will create your Office 365 user accounts. Use the following methods to create Office 365 user accounts: + +- **Method 1:** Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you have an on-premises AD DS domain. +- **Method 2:** Bulk-import the user accounts from a .csv file (based on information from other sources) into Azure AD. Select this method if you don’t have an on-premises AD DS domain. + +### Method 1: Automatic synchronization between AD DS and Azure AD + +In this method, you have an on-premises AD DS domain. As shown in Figure 4, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD. + +**Note**  Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/en-us/library/dn510997.aspx?f=255&MSPPError=-2147217396). 
+ +![fig 4](images/deploy-win-10-school-figure4.png) + +*Figure 4. Automatic synchronization between AD DS and Azure AD* + +For more information about how to perform this step, see the [Integrate on-premises AD DS with Azure AD](#integrate-on-premises-ad-ds-with-azure-ad) section in this guide. + +### Method 2: Bulk import into Azure AD from a .csv file + +In this method, you have no on-premises AD DS domain. As shown in Figure 5, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies. + +![fig 5](images/deploy-win-10-school-figure5.png) + +*Figure 5. Bulk import into Azure AD from other sources* + +To implement this method, perform the following steps: + +1. Export the student information from the source. Ultimately, you want to format the student information in the format the bulk-import feature requires. +2. Bulk-import the student information into Azure AD. For more information about how to perform this step, see the [Bulk-import user accounts into Office 365](#bulk-import-user-accounts-into-office-365) section. + +### Summary + +In this section, you selected the method for creating user accounts in your Office 365 subscription. Ultimately, these user accounts are in Azure AD (which is the identity management system for Office 365). Now, you’re ready to create your Office 365 accounts. + +## Integrate on-premises AD DS with Azure AD + +You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS. 
+ +**Note**  If your institution does not have an on-premises AD DS domain, you can skip this section. + +### Select synchronization model + +Before you deploy AD DS and Azure AD synchronization, you need to determine where you want to deploy the server that runs Azure AD Connect. + +You can deploy the Azure AD Connect tool by using one of the following methods: + +- **On premises.** As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server. + + ![fig 6](images/deploy-win-10-school-figure6.png) + + *Figure 6. Azure AD Connect on premises* + +- **In Azure**. As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises. + + ![fig 7](images/deploy-win-10-school-figure7.png) + + *Figure 7. Azure AD Connect in Azure* + +This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](https://technet.microsoft.com/en-us/library/dn635310.aspx). + +### Deploy Azure AD Connect on premises + +In this synchronization model (illustrated in Figure 6), you run Azure AD Connect on premises on a physical device or VM. Azure AD Connect synchronizes AD DS user and group accounts with Azure AD. Azure AD Connect includes a wizard that helps you configure Azure AD Connect for your AD DS domain and Office 365 subscription. First, you install Azure AD Connect; then, you run the wizard to configure it for your institution. + +#### To deploy AD DS and Azure AD synchronization + +1. 
Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-prerequisites/). +2. On the VM or physical device that will run Azure AD Connect, sign in with a domain administrator account. +3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#install-azure-ad-connect). +4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure features](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#configure-sync-features). + +Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. + +### Verify synchronization + +Azure AD Connect should start synchronization immediately. Depending on the number of users in your AD DS domain, the synchronization process can take some time. To monitor the process, view the number of AD DS users and groups the tool has synchronized with Azure AD in the Office 365 admin console. + +#### To verify AD DS and Azure AD synchronization + +1. Open https://portal.office.com in your web browser. +2. Using the administrative account that you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section, sign in to Office 365. +3. In the list view, expand **USERS**, and then click **Active Users**. +4. In the details pane, view the list of users. The list of users should mirror the users in AD DS. +5. In the list view, click **GROUPS**. +6. In the details pane, view the list of security groups. The list of users should mirror the security groups in AD DS. +7. 
In the details pane, double-click one of the security groups. +8. The list of security group members should mirror the group membership for the corresponding security group in AD DS. +9. Close the browser. + +Now that you have verified Azure AD Connect synchronization, you’re ready to assign user licenses for Azure AD Premium. + +### Summary + +In this section, you selected your synchronization model, deployed Azure AD Connect, and verified that Azure AD is synchronizing properly. + +## Bulk-import user and group accounts into AD DS + +You can bulk-import user and group accounts into your on-premises AD DS domain. Bulk-importing accounts helps reduce the time and effort needed to create users compared to creating the accounts manually in the Office 365 Admin portal. First, you select the appropriate method for bulk-importing user accounts into AD DS. Next, you create the .csv file that contains the user accounts. Finally, you use the selected method to import the .csv file into AD DS. + +**Note**  If your institution doesn’t have an on-premises AD DS domain, you can skip this section. + +### Select the bulk import method + +Several methods are available to bulk-import user accounts into AD DS domains. Table 5 lists the methods that the Windows Server operating system supports natively. In addition, you can use partner solutions to bulk-import user and group accounts into AD DS. + +*Table 5. AD DS bulk-import account methods* + +|Method | Description and reason to select this method | +|-------| ---------------------------------------------| +|Ldifde.exe |This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. 
For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| +|VBScript | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com/en-us/scriptcenter/dd939958.aspx).| +|Windows PowerShell| This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).| +

+### Create a source file that contains the user and group accounts + +After you have selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 6 lists the source file format for the bulk import methods. + +*Table 6. Source file format for each bulk import method* + +| Method | Source file format | +|--------| -------------------| +|Ldifde.exe|Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| +|VBScript | VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx).| +| Windows PowerShell| Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. 
For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).| +

+### Import the user accounts into AD DS + +With the bulk-import source file finished, you’re ready to import the user and group accounts into AD DS. The steps for importing the file are slightly different for each method. + +**Note**  Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts. + +For more information about how to import user accounts into AD DS by using: + +- Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx). +- VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx). +- Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). + +### Summary + +In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts in to AD DS. If you have Azure AD Connect, it automatically synchronizes the new AD DS user and group accounts to Azure AD. Now, you’re ready to assign user licenses for Azure AD Premium in the [Assign user licenses for Azure AD Premium](#assign-user-licenses-for-azure-ad-premium) section later in this guide. 
+ +## Bulk-import user accounts into Office 365 + +You can bulk-import user and group accounts directly into Office 365, reducing the time and effort required to create users. First, you bulk-import the user accounts into Office 365. Then, you create the security groups for your institution. Finally, you create the email distribution groups your institution requires. + +### Create user accounts in Office 365 + +Now that you have created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. + +You can use the Office 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you have many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users). + +The bulk-add process assigns the same Office 365 Education license plan to all users on the list. Therefore, you must create a separate list for each license plan you recorded in Table 2. Depending on the number of faculty members who need to use the classroom, you may want to add the faculty Office 365 accounts manually; however, use the bulk-add process to add student accounts. + +For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US). + +**Note**  If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process. + +The email accounts are assigned temporary passwords upon creation. 
You must communicate these temporary passwords to your users before they can sign in to Office 365. + +### Create Office 365 security groups + +Assign SharePoint Online resource permissions to Office 365 security groups, not individual user accounts. For example, create one security group for faculty members and another for students. Then, you can assign unique SharePoint Online resource permissions to faculty members and a different set of permissions to students. Add or remove users from the security groups to grant or revoke access to SharePoint Online resources. + +**Note**  If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. + +For information about creating security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US). + +You can add and remove users from security groups at any time. + +**Note**  Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may need to sign out, and then sign in again for the change to take effect. + +### Create email distribution groups + +Microsoft Exchange Online uses an email distribution group as a single email recipient for multiple users. For example, you could create an email distribution group that contains all students. Then, you could send a message to the email distribution group instead of individually addressing the message to each student. + +You can create email distribution groups based on job role (such as teachers, administration, or students) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group. 
+ +**Note**  Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps. + +For information about how to create security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US). + +### Summary + +Now, you have bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. + +## Assign user licenses for Azure AD Premium + +Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. Educational institutions can obtain Azure AD Basic licenses at no cost and Azure AD Premium licenses at a reduced cost. + +You can assign Azure AD Premium licenses to the users who need the features this edition offers. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium only to those users. + +For more information about: + +- Azure AD editions, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/). +- How to assign user licenses for Azure AD Premium, see [How to assign EMS/Azure AD Premium licenses to user accounts](https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-assign-Azure-AD-Premium-Licenses-to-user-accounts). 
+ +## Create and configure a Windows Store for Business portal + +Windows Store for Business allows you to create your own private portal to manage Windows Store apps in your institution. With Windows Store for Business, you can do the following: + +- Find and acquire Windows Store apps. +- Manage apps, app licenses, and updates. +- Distribute apps to your users. + +For more information about Windows Store for Business, see [Windows Store for Business overview](https://technet.microsoft.com/itpro/windows/whats-new/windows-store-for-business-overview). + +The following section shows you how to create a Windows Store for Business portal and configure it for your school. + +### Create and configure your Windows Store for Business portal + +To create and configure your Windows Store for Business portal, simply use the administrative account for your Office 365 subscription to sign in to Windows Store for Business. Windows Store for Business automatically creates a portal for your institution and uses your account as its administrator. + +#### To create and configure a Windows Store for Business portal + +1. In Microsoft Edge or Internet Explorer, type `http://microsoft.com/business-store` in the address bar. +2. On the **Windows Store for Business** page, click **Sign in with an organizational account**.

**Note**  If your institution has AD DS, then don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. +3. On the Windows Store for Business sign-in page, use the administrative account for the Office 365 subscription you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section to sign in. +4. On the **Windows Store for Business Services Agreement** page, review the agreement, select the **I accept this agreement and certify that I have the authority to bind my organization to its terms** check box, and then click **Accept** +5. In the **Welcome to the Windows Store for Business** dialog box, click **OK**. + +After you create the Windows Store for Business portal, configure it by using the commands in the settings menu listed in Table 7. Depending on your institution, you may (or may not) need to change these settings to further customize your portal. + +*Table 7. Menu selections to configure Windows Store for Business settings* + +| Menu selection | What you can do in this menu | +|---------------| -------------------| +|Account information|Displays information about your Windows Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Portal. For more information, see [Update Windows Store for Business account settings](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings).| +|Device Guard signing|Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide).| +|LOB publishers| Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. 
LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](https://technet.microsoft.com/itpro/windows/manage/working-with-line-of-business-apps).| +|Management tools| Allows you to add tools that you can use to distribute (deploy) apps in your private store. For more information, see [Distribute apps with a management tool](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-with-management-tool).| +|Offline licensing|Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see [Licensing model: online and offline licenses](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).| +|Permissions|Allows you to grant other users in your organization the ability to buy, manage, and administer your Windows Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business).| +|Private store|Allows you to change the organization name used in your Windows Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store).| +

+### Find, acquire, and distribute apps in the portal + +Now that you have created your Windows Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Windows Store for Business. + +**Note**  Your educational institution can now use a credit card or purchase order to pay for apps in Windows Store for Business. + +You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users. + +For more information about how to find, acquire, and distribute apps in the portal, see [App inventory management for Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business). + +### Summary + +At the end of this section, you should have a properly configured Windows Store for Business portal. You have also found and acquired your apps from Windows Store. Finally, you should have deployed all your Windows Store apps to your users. Now, you’re ready to deploy Windows Store apps to your users. + +## Plan for deployment + +You will use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you will use, the approach you will use to create your Windows 10 images, and the method you will use to initiate the LTI deployment process. + +### Select the operating systems + +Later in the process, you will import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. 
In the case of: + +- New devices or refreshing existing devices, you will complete replace the existing operating system on a device with Windows 10. +- Upgrading existing devices, you will upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. + +Depending on your school’s requirements, you may need any combination of the following Windows 10 editions: + +- **Windows 10 Home**. Use this operating system to upgrade existing eligible institution-owned and personal devices that are running Windows 8.1 Home or Windows 7 Home to Windows 10 Home. +- **Windows 10 Pro**. Use this operating system to: + - Upgrade existing eligible institution-owned and personal devices running Windows 8.1 Pro or Windows 7 Professional to Windows 10 Pro. + - Deploy new instances of Windows 10 Pro to devices so that new devices have a known configuration. +- **Windows 10 Education**. Use this operating system to: + - Upgrade institution-owned devices to Windows 10 Education. + - Deploy new instances of Windows 10 Education so that new devices have a known configuration. + +**Note**  Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Windows Store for Business. These features are not available in Windows 10 Home. + +One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32 bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. + +**Note**  On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. 
+ +Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you cannot standardize personal devices on a specific operating system version or processor architecture. + +### Select an image approach + +A key operating system image decision is whether to use a “thin” or “thick” image. *Thin images* contain only the operating system, and MDT installs the necessary device drivers and apps after the operating system has been installed. *Thick images* contain the operating system, “core” apps (such as Office), and device drivers. With thick images, MDT installs any device drivers and apps not included in the thick image after the operating system has been installed. + +The advantage to a thin image is that the final deployment configuration is dynamic, and you can easily change the configuration without having to capture another image. The disadvantage of a thin image is that it takes longer to complete the deployment. + +The advantage of a thick image is that the deployment takes less time than it would for a thin image. The disadvantage of a thick image is that you need to capture a new image each time you want to make a change to the operating system, apps, or other software in the image. + +### Select a method to initiate deployment + +The MDT deployment process is highly automated, requiring minimal information to deploy or upgrade Windows 10, but you must manually initiate the MDT deployment process. To do so, use the method listed in Table 8 that best meets the needs of your institution. + +*Table 8. Methods to initiate MDT deployment* + + ++++ + + + + + + + + + + + + + + + + + + + + + + + +
MethodDescription and reason to select this method
Windows Deployment ServicesThis method:

+
    +
  • Uses diskless booting to initiate MDT deployment.
  • +
  • Works only with devices that support PXE boot.
  • +
  • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
  • +
  • Deploys images more slowly than when using local media.
  • +
  • Requires that you deploy a Windows Deployment Services server.
  • +
+ +Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server.
Bootable mediaThis method:

+
    +
  • Initiates MDT deployment by booting from local media, including from USB drives, DVD-ROM, or CD-ROM.
  • +
  • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
  • +
  • Deploys images more slowly than when using local media.
  • +
  • Requires no additional infrastructure.
  • +
+ +Select this method when you want to deploy Windows over-the-network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media.
MDT deployment mediaThis method:

+
    +
  • Initiates MDT deployment by booting from a local USB hard disk.
  • +
  • Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.
  • +
  • Deploys images more quickly than network-based methods do.
  • +
  • Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB).
  • +
+ +Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share, you must regenerate the MDT deployment media and update the USB hard disk.
+ +### Summary + +At the end of this section, you should know the Windows 10 editions and processor architecture that you want to deploy (and will import later in the process). You also determined whether you want to use thin or thick images. Finally, you selected the method for initiating your LTI deployment. Now, you can prepare for Windows 10 deployment. + +## Prepare for deployment + +To deploy Windows 10 to devices, using the LTI deployment method in MDT. In this section, you prepare your MDT environment and Windows Deployment Services for Windows 10 deployment. + +### Configure the MDT deployment share + +The first step in preparation for Windows 10 deployment is to configure—that is, *populate*—the MDT deployment share. Table 9 lists the MDT deployment share configuration tasks that you must perform. Perform the tasks in the order represented in Table 9. + +*Table 9. Tasks to configure the MDT deployment share* + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TaskDescription
1. Import operating systemsImport the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportanOperatingSystemintotheDeploymentWorkbench).
2. Import device drivesDevice drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.

+ +Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportDeviceDriversintotheDeploymentWorkbench). + +
3. Create MDT applications for Windows Store appsCreate an MDT application for each Windows Store app you want to deploy. You can deploy Windows Store apps by using *sideloading*, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called *provisioned apps*). Use this method to deploy up to 24 apps to Windows 10.

+ +Prior to sideloading the .appx files, obtain the Windows Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Windows Store, you will need to obtain the .appx files from the app software vendor directly. If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Windows Store or Windows Store for Business.

+ +If you have Intune, you can deploy Windows Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows Store apps, and you can use it for ongoing management of Windows Store apps. This is the preferred method of deploying and managing Windows Store apps.

+ +In addition, you must prepare your environment for sideloading (deploying) Windows Store apps. For more information about how to:

+
    +
  • Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](https://technet.microsoft.com/en-us/itpro/windows/deploy/sideload-apps-in-windows-10).
  • +
  • Create an MDT application, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
  • +
+ + +
4. Create MDT applications for Windows desktop apps +You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.

+ +To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219423.aspx?f=255&MSPPError=-2147217396).

+ +If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.

+ +**Note**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.

+ +For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench). + +
5. Create task sequences. +You must create a separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in Step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education; (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education; or (3) if you want to run deployments and upgrades for both 32 bit and 64 bit versions of Windows 10. To do so, you must create task sequences that will: +

+
  • Deploy Windows 10 Education 64-bit to devices.
  • +
  • Deploy Windows 10 Education 32-bit to devices.
  • +
  • Upgrade existing devices to Windows 10 Education 64-bit.
  • +
  • Upgrade existing devices to Windows 10 Education 32-bit.
  • +
+ +Again, you will create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench). + +
6. Update the deployment share. +Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32 bit and 64 bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.

+ +For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#UpdateaDeploymentShareintheDeploymentWorkbench).
+ +### Configure Window Deployment Services for MDT + +You can use Windows Deployment Services in conjunction with MDT to automatically initiate boot images on target computers. These boot images can be Windows PE images (which you generated in Step 6 in Table 9) or custom images that can deploy operating systems directly to the target computers. + +#### To configure Windows Deployment Services for MDT + +1. Set up and configure Windows Deployment Services.

Windows Deployment Services is a server role available in all Windows Server editions. You can enable the Windows Deployment Services server role on a new server or on any server running Windows Server in your institution. For more information about how to perform this step, see the following resources: + + - [Windows Deployment Services overview](https://technet.microsoft.com/library/hh831764.aspx) + - The Windows Deployment Services Help file, included in Windows Deployment Services + - [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/en-us/library/jj648426.aspx) + +2. Add LTI boot images (Windows PE images) to Windows Deployment Services.

The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](https://technet.microsoft.com/en-us/library/dn759415.aspx#AddLTIBootImagestoWindowsDeploymentServices). + +### Summary + +Now, Windows Deployment Services is ready to initiate the LTI deployment process in MDT. You have set up and configured Windows Deployment Services and added the LTI boot images, which you generated in the previous section, to Windows Deployment Services. Now, you’re ready to prepare to manage the devices in your institution. + +## Prepare for device management + +Before you deploy Windows 10 in your institution, you must prepare for device management. You will deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. + +### Select the management method + +If you have only one device to configure, manually configuring that one device is tedious but possible. When you have multiple classrooms of devices to configure, however, manually configuring each device becomes overwhelming. In addition, manually keeping an identical configuration on each device is virtually impossible as the number of devices in the school increases. + +For a school, there are many ways to manage devices. Table 10 lists the methods that this guide describes and recommends. Use the information in Table 10 to determine which combination of management methods is right for your institution. + +*Table 10. School management methods* + + ++++ + + + + + + + + + + + + + + + + + + + +
MethodDescription
Group Policy +Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. Select this method when you: +
    +
  • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
  • +
  • Want more granular control of device and user settings.
  • +
  • Have an existing AD DS infrastructure.
  • +
  • Typically manage on-premises devices.
  • +
  • Can manage a required setting only by using Group Policy.
  • +
+ +The advantages of this method include: +
    +
  • No cost beyond the AD DS infrastructure.
  • +
  • A larger number of settings (compared to Intune).
  • +
+The disadvantages of this method are: +
    +
  • Can only manage domain-joined (institution-owned devices).
  • +
  • Requires an AD DS infrastructure (if the institution does not have AD DS already).
  • +
  • Typically manages on-premises devices (unless devices connect by using a VPN or DirectAccess).
  • +
+
IntuneIntune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD. +Select this method when you: +
    +
  • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
  • +
  • Don’t require the level of granular control over device and user settings (compared to Group Policy).
  • +
  • Don’t have an existing AD DS infrastructure.
  • +
  • Need to manage devices regardless of where they are (on or off premises).
  • +
  • Can manage a required setting only by using Intune.
  • +
+ +The advantages of this method are: +
    +
  • You can manage institution-owned and personal devices.
  • +
  • It doesn’t require that devices be domain joined.
  • +
  • It doesn’t require any on-premises infrastructure.
  • +
  • It can manage devices regardless of their location (on or off premises).
  • + +
+The disadvantages of this method are: +
    +
  • Carries an additional cost for subscription.
  • +
  • Doesn’t have a granular level control over device and user settings (compared to Group Policy).
  • +
+ +

+ +### Select Microsoft-recommended settings + +Microsoft has several recommended settings for educational institutions. Table 11 lists them, provides a brief description of why you need to configure them, and recommends methods for configuring the settings. Review the settings in Table 11 and evaluate their relevancy to your institution. Use the information to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings. + +*Table 11. Recommended settings for educational institutions* + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
RecommendationDescription
Use of Microsoft accountsYou want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

+**Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

+**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com/en-us/library/jj966262.aspx?f=255&MSPPError=-2147217396) Group Policy setting to use the Users can’t add Microsoft accounts setting option.

+**Intune.** Enable or disable the camera by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. +
Restrict local administrator accounts on the devicesEnsure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

+**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/en-us/library/cc732525.aspx).

+**Intune**. Not available. +
Restrict the local administrator accounts on the devicesEnsure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

+**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/en-us/library/cc732525.aspx).

+**Intune**. Not available. +
Manage the built-in administrator account created during device deploymentWhen you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.

+**Group Policy**. Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc747484.aspx). You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](https://technet.microsoft.com/en-us/library/jj852165.aspx).

+**Intune**. Not available. +
Control Windows Store accessYou can control access to Windows Store and whether existing Windows Store apps receive updates. You can only disable the Windows Store app in Windows 10 Education and Windows 10 Enterprise.

+**Group Policy**. You can disable the Windows Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Windows Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Windows Store in my enterprise environment?](https://technet.microsoft.com/en-us/library/hh832040.aspx#BKMK_UseGP).

+**Intune**. You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy. +
Use of Remote Desktop connections to devicesRemote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.

+**Group Policy**. You can enable or disable Remote Desktop connections to devices by using the **Allow Users to connect remotely using Remote Desktop setting** in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.

+**Intune**. Not available. +
Use of cameraA device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.

+**Group Policy**. Not available.

+**Intune**. You can enable or disable the camera by using the **Allow camera** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. +
Use of audio recordingAudio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.

+**Group Policy**. You can disable the Sound Recorder app by using the **Do not allow Sound Recorder to run** Group Policy setting. You can disable other audio recording apps by using AppLocker policies. Create AppLocker policies by using the information in [Editing an AppLocker Policy](https://technet.microsoft.com/en-us/library/ee791894(v=ws.10).aspx) and [Create Your AppLocker Policies](https://technet.microsoft.com/en-us/library/ee791899.aspx).

+**Intune**. You can enable or disable the camera by using the **Allow voice recording** policy setting in the **Features** section of a **Windows 10 General Configuration** policy. +
Use of screen captureScreen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices.

+**Group Policy**. Not available.

+**Intune**. You can enable or disable the camera by using the **Allow screen capture** policy setting in the **System** section of a **Windows 10 General Configuration** policy. +
Use of location servicesProviding a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices.

+**Group Policy**. You can enable or disable location services by using the **Turn off location** Group Policy setting in User Configuration\Windows Components\Location and Sensors.

+**Intune**. You can enable or disable the camera by using the **Allow geolocation** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. +
Changing wallpaperDisplaying a custom wallpaper can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or the device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on your devices.

+**Group Policy**. You can configure the wallpaper by using the **Desktop WallPaper** setting in User Configuration\Administrative Templates\Desktop\Desktop.

+**Intune**. Not available. +

+ +### Configure settings by using Group Policy + +Now, you’re ready to configure settings by using Group Policy. The steps in this section assume that you have an AD DS infrastructure. You will configure the Group Policy settings you select in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. + +For more information about Group Policy, see [Group Policy Planning and Deployment Guide](https://technet.microsoft.com/en-us/library/cc754948.aspx). + +#### To configure Group Policy settings + +1. Create a Group Policy object (GPO) that will contain the Group Policy settings by completing the steps in [Create a new Group Policy object](https://technet.microsoft.com/en-us/library/cc738830.aspx). +2. Configure the settings in the GPO by completing the steps in [Edit a Group Policy object](https://technet.microsoft.com/en-us/library/cc739902.aspx). +3. Link the GPO to the appropriate AD DS site, domain, or organizational unit by completing the steps in [Link a Group Policy object to a site, domain, or organizational unit](https://technet.microsoft.com/en-us/library/cc738954(v=ws.10).aspx). + +### Configure settings by using Intune + +Now, you’re ready to configure settings by using Intune. The steps in this section assume that you have an Office 365 subscription. You will configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. + +For more information about Intune, see [Documentation for Microsoft Intune](https://docs.microsoft.com/en-us/intune/). + +#### To configure Intune settings + +1. Add Intune to your Office 365 subscription by completing the steps in [Get started with a paid subscription to Microsoft Intune](https://docs.microsoft.com/en-us/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune). +2. 
Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](https://technet.microsoft.com/en-us/library/dn646962.aspx). +3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](https://technet.microsoft.com/en-us/library/dn646984.aspx). +4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](https://technet.microsoft.com/en-us/library/dn646959.aspx). + +### Deploy apps by using Intune + +You can use Intune to deploy Windows Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you deploy apps to companion devices (such as Windows 10 Mobile, iOS, or Android devices) Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or are managed by another solution. + +For more information about how to configure Intune to manage your apps, see [Deploy and configure apps with Microsoft Intune](https://docs.microsoft.com/en-us/intune/). + +### Summary + +In this section, you prepared your institution for device management. You determined whether you want to use Group Policy or Intune to manage your devices. You identified the configuration settings that you want to use to manage your users and devices. Finally, you configured the Group Policy and Intune settings in Group Policy and Intune, respectively. + +## Deploy Windows 10 to devices + +You’re ready to deploy Windows 10 to faculty and student devices. You must complete the steps in this section for each student device in the classrooms as well as for any new student devices you add in the future. You can also perform these actions for any device that’s eligible for a Windows 10 upgrade. 
This section discusses deploying Windows 10 to new devices, refreshing Windows 10 on existing devices, and upgrading existing devices that are running eligible versions of Windows 8.1 or Windows to Windows 10. + +### Prepare for deployment + +Prior to deployment of Windows 10, ensure that you complete the tasks listed in Table 12. Most of these tasks are already complete, but use this step to make sure. + +*Table 12. Deployment preparation checklist* + +|Task | | +| ---| --- | +| |The target devices have sufficient system resources to run Windows 10. | +| | Identify the necessary devices drivers, and import them to the MDT deployment share.| +| | Create an MDT application for each Windows Store and Windows desktop app.| +| | Notify the students and faculty about the deployment.| +

+### Perform the deployment + +Use the Deployment Wizard to deploy Windows 10. The LTI deployment process is almost fully automated: You provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated. + +**Note**  To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/en-us/library/dn781089.aspx). + +In most instances, deployments occur without incident. Only in rare occasions do deployments experience problems. + +#### To deploy Windows 10 + +1. **Initiate the LTI deployment process**. Initiate the LTI deployment process booting over the network (PXE boot) or from local media. You selected the method for initiating the LTI deployment process in the [Select a method to initiate deployment](#select-a-method-to-initiate-deployment) section earlier in this guide. +2. **Complete the Deployment Wizard**. For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” topic in [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com/en-us/library/dn759415.aspx#Running%20the%20Deployment%20Wizard). + +### Set up printers + +After you have deployed Windows 10, the devices are almost ready for use. First, you must set up the printers that each classroom will use. Typically, you connect the printers to the same network as the devices in the same classroom. If you don’t have printers in your classrooms, skip this section and proceed to the [Verify deployment](#verify-deployment) section. + +**Note**  If you’re performing an upgrade instead of a new deployment, the printers remain configured as they were in the previous version of Windows. As a result, you can skip this section and proceed to the [Verify deployment](#verify-deployment) section. 
+ +#### To set up printers + +1. Review the printer manufacturer’s instructions for installing the printer drivers. +2. On the admin device, download the printer drivers. +3. Copy the printer drivers to a USB drive. +4. On a device, use the same account you used to set up Windows 10 in the [Perform the deployment](#perform-the-deployment) section to sign in to the device. +5. Insert the USB drive in the device. +6. Follow the printer manufacturer’s instructions to install the printer drivers from the USB drive. +7. Verify that the printer drivers were installed correctly by printing a test page. +8. Complete steps 1–8 for each printer. + +### Verify deployment + +As a final quality control step, verify the device configuration to ensure that all apps run. Microsoft recommends that you perform all the tasks that the user would perform. Specifically, verify the following: + +- The device can connect to the Internet and view the appropriate web content in Microsoft Edge. +- Windows Update is active and current with software updates. +- Windows Defender is active and current with malware signatures. +- The SmartScreen Filter is active. +- All Windows Store apps are properly installed and updated. +- All Windows desktop apps are properly installed and updated. +- Printers are properly configured. + +When you have verified that the first device is properly configured, you can move to the next device and perform the same steps. + +### Summary + +You prepared the devices for deployment by verifying that they have adequate system resources and that the resources in the devices have corresponding Windows 10 device drivers. You performed device deployment over the network or by using local MDT media. Next, you configured the appropriate printers on the devices. Finally, you verified that the devices are properly configured and ready for use. 
+ +## Maintain Windows devices and Office 365 + +After the initial deployment, you will need to perform certain tasks to maintain the Windows 10 devices and your Office 365 Education subscription. You should perform these tasks on the following schedule: + +- **Monthly.** These tasks help ensure that the devices are current with software updates and properly protected against viruses and malware. +- **New semester or academic year.** Perform these tasks prior to the start of a new curriculum—for example, at the start of a new academic year or semester. These tasks help ensure that the classroom environments are ready for the next group of students. +- **As required (ad hoc).** Perform these tasks as necessary in a classroom. For example, a new version of an app may be available, or a student may inadvertently corrupt a device so that you must restore it to the default configuration. + +Table 13 lists the school and individual classroom maintenance tasks, the resources for performing the tasks, and the schedule (or frequency) on which you should perform the tasks. + +*Table 13. School and individual classroom maintenance tasks, with resources and the schedule for performing them* + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Task and resourcesMonthlyNew semester or academic yearAs required
Verify that Windows Update is active and current with operating system and software updates.

+For more information about completing this task when you have: +
    +
  • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune).
  • +
  • Group Policy, see [Windows Update for Business](https://technet.microsoft.com/itpro/windows/plan/windows-update-for-business).
  • +
  • Windows Server Update Services (WSUS), see [Windows Server Update Services](https://msdn.microsoft.com/en-us/library/bb332157.aspx?f=255&MSPPError=-2147217396).
  • +
  • Neither Intune, Group Policy, or WSUS, see [Update Windows 10](http://windows.microsoft.com/en-id/windows-10/update-windows-10)
  • +
+
XXX
Verify that Windows Defender is active and current with malware signatures.

+For more information about completing this task, see [Turn Windows Defender on or off](http://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab01) and [Updating Windows Defender](http://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab03).
XXX
Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.

+For more information about completing this task, see [How do I find and remove a virus?](http://windows.microsoft.com/en-US/windows-8/how-find-remove-virus) +
XXX
Verify that you are using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).

+For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options for updates and upgrades](https://technet.microsoft.com/itpro/windows/manage/introduction-to-windows-10-servicing).
XX
Refresh the operating system and apps on devices.

+For more information about completing this task, see the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. + +
XX
Install any new Windows desktop apps or update any Windows desktop apps that are used in the curriculum.

+For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. + +
XX
Install new or update existing Windows Store apps that are used in the curriculum.

+Windows Store apps are automatically updated from Windows Store. The menu bar in the Windows Store app shows whether any Windows Store app updates are available for download.

+You can also deploy Windows Store apps directly to devices by using Intune. For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. + +
XX
Remove unnecessary user accounts (and corresponding licenses) from Office 365.

+For more information about how to: +
    +
  • Remove unnecessary user accounts, see [Delete or restore users](https://support.office.com/en-us/article/Delete-or-restore-users-d5155593-3bac-4d8d-9d8b-f4513a81479e?ui=en-US&rs=en-US&ad=US).
  • +
  • Unassign licenses, see [Assign or unassign licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-unassign-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
  • +
+ +
XX
Add new accounts (and corresponding licenses) to Office 365.

+For more information about how to: +
    +
  • Add user accounts, see [Add users to Office 365 for business](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
  • +
  • Assign licenses, see [Assign or unassign licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-unassign-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
  • +
+
XX
Create or modify security groups and manage group membership in Office 365.

+For more information about how to: +
    +
  • Create or modify security groups, see [View, create, and delete Groups in the Office 365 admin center](https://support.office.com/en-us/article/View-create-and-delete-groups-in-the-Office-365-admin-center-a6360120-2fc4-46af-b105-6a04dc5461c7).
  • +
  • Manage group membership, see [Manage Group membership in the Office 365 admin center](https://support.office.com/en-us/article/Manage-Group-membership-in-the-Office-365-admin-center-e186d224-a324-4afa-8300-0e4fc0c3000a).
  • +
+ +
XX
Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.

+For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Manage Distribution Groups](https://technet.microsoft.com/library/bb124513.aspx) and [Groups in Exchange Online and SharePoint Online](https://support.office.com/en-us/article/Create-edit-or-delete-a-security-group-55C96B32-E086-4C9E-948B-A018B44510CB#__groups_in_exchange). + +
XX
Install new student devices

+Follow the same steps described in the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. + +
X
+

+### Summary + +Now, you have identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your school configuration should match the typical school configuration that you saw in the [Plan a typical school configuration](#plan-a-typical-school-configuration) section. By performing these maintenance tasks you help ensure that your school stays secure and is configured as you specified. + +##Related resources +
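Review bot: The closing heading `##Related resources` in this hunk has no space after the hashes, so CommonMark and GitHub render it as literal text rather than an H2; write `## Related resources`, as the `### Summary` heading just above it already does. In the same table, the bullet "Neither Intune, Group Policy, or WSUS" should read "Neither Intune, Group Policy, nor WSUS", and the "Update Windows 10" link uses the `en-id` locale while every other link in the section is `en-us`. The Windows Defender scan row sends a Windows 10 guide to a Windows 8 article ("How do I find and remove a virus?" at windows-8/how-find-remove-virus); if a Windows 10 equivalent exists, prefer it, and use https for the windows.microsoft.com links since the technet, msdn and docs.microsoft.com links in the table are already https. Finally, the Summary says the tasks are performed "at the end of an academic year or semester" while the schedule defined at the top of the section (and the table column) says "New semester or academic year"; settle on one so readers know whether the refresh happens before or after the term.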

+ diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md new file mode 100644 index 0000000000..2fedf96bda --- /dev/null +++ b/education/windows/get-minecraft-for-education.md 
@@ -0,0 +1,42 @@ +--- +title: Get Minecraft Education Edition +description: Learn how to get and distribute Minecraft Education Edition. +keywords: school +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# Get Minecraft Education Edition + +**Applies to:** + +- Windows 10 + + +[Minecraft: Education Edition](http://education.minecraft.net/) is built for learning. Watch this video to learn more about Minecraft. + + + +Teachers and IT administrators can now get early access to **Minecraft Education Edition** and add it their Microsoft Store for Business for distribution. + +![education.minecraft.net](images/minecraft.png) + +## Prerequisites + +- **Minecraft Education Edition** requires Windows 10. +- Early access to **Minecraft Education Edition** is offered to education tenants that are managed by Azure Active Directory (Azure AD). + - If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft Education Edition**. + * Office 365, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/en-us/academic/office-365-education-plan) + * If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703369%28v=vs.85%29.aspx) + +![teacher](images/teacher.png) + +[Learn how teachers can get and distribute **Minecraft Education Edition**](teacher-get-minecraft.md) + + +![IT administrator](images/school.png) + +[Learn how IT administrators can get and distribute **Minecraft Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft. + 
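Review bot: The image paths in this new file do not match the files the patch adds: the markdown references `images/minecraft.png`, `images/teacher.png` and `images/school.png`, but the binaries added below are `images/minecraft.PNG`, `images/teacher.PNG` and `images/school.PNG`. A docs build on a case-sensitive file system will show broken images; either rename the binaries to lower-case `.png` or fix the references. Also in this hunk: "add it their Microsoft Store for Business" is missing "to"; the sentence "Watch this video to learn more about Minecraft." has no video link or embed following it anywhere in the hunk, so either add the link or drop the sentence; and the nested prerequisites list mixes `-` and `*` markers, which renders inconsistently, so use one marker. Minor: the front matter here uses `keywords: school` while school-get-minecraft.md in the same patch uses `keywords: ["school"]`; pick one form.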
diff --git a/education/windows/images/TakeATestURL.png b/education/windows/images/TakeATestURL.png new file mode 100644 index 0000000000..b057763e8b Binary files /dev/null and b/education/windows/images/TakeATestURL.png differ diff --git a/education/windows/images/app-distribution-options.PNG b/education/windows/images/app-distribution-options.PNG new file mode 100644 index 0000000000..75b3374720 Binary files /dev/null and b/education/windows/images/app-distribution-options.PNG differ diff --git a/education/windows/images/app1.jpg b/education/windows/images/app1.jpg new file mode 100644 index 0000000000..aef6c5c22e Binary files /dev/null and b/education/windows/images/app1.jpg differ diff --git a/education/windows/images/choose-package.png b/education/windows/images/choose-package.png new file mode 100644 index 0000000000..868407df56 Binary files /dev/null and b/education/windows/images/choose-package.png differ diff --git a/education/windows/images/chromebook-fig1-googleadmin.png b/education/windows/images/chromebook-fig1-googleadmin.png new file mode 100644 index 0000000000..b3d42e5ff2 Binary files /dev/null and b/education/windows/images/chromebook-fig1-googleadmin.png differ diff --git a/education/windows/images/connect-aad.png b/education/windows/images/connect-aad.png new file mode 100644 index 0000000000..8583866165 Binary files /dev/null and b/education/windows/images/connect-aad.png differ diff --git a/education/windows/images/deploy-win-10-school-figure1.png b/education/windows/images/deploy-win-10-school-figure1.png new file mode 100644 index 0000000000..66113dcce1 Binary files /dev/null and b/education/windows/images/deploy-win-10-school-figure1.png differ diff --git a/education/windows/images/deploy-win-10-school-figure2.png b/education/windows/images/deploy-win-10-school-figure2.png new file mode 100644 index 0000000000..0227f8dbaa Binary files /dev/null and b/education/windows/images/deploy-win-10-school-figure2.png differ 
diff --git a/education/windows/images/deploy-win-10-school-figure3.png b/education/windows/images/deploy-win-10-school-figure3.png new file mode 100644 index 0000000000..1b39b5cc14 Binary files /dev/null and b/education/windows/images/deploy-win-10-school-figure3.png differ diff --git a/education/windows/images/deploy-win-10-school-figure4.png b/education/windows/images/deploy-win-10-school-figure4.png new file mode 100644 index 0000000000..09552a448a Binary files /dev/null and b/education/windows/images/deploy-win-10-school-figure4.png differ diff --git a/education/windows/images/deploy-win-10-school-figure5.png b/education/windows/images/deploy-win-10-school-figure5.png new file mode 100644 index 0000000000..550386f1ce Binary files /dev/null and b/education/windows/images/deploy-win-10-school-figure5.png differ diff --git a/education/windows/images/deploy-win-10-school-figure6.png b/education/windows/images/deploy-win-10-school-figure6.png new file mode 100644 index 0000000000..09552a448a Binary files /dev/null and b/education/windows/images/deploy-win-10-school-figure6.png differ diff --git a/education/windows/images/deploy-win-10-school-figure7.png b/education/windows/images/deploy-win-10-school-figure7.png new file mode 100644 index 0000000000..8e7581007a Binary files /dev/null and b/education/windows/images/deploy-win-10-school-figure7.png differ diff --git a/education/windows/images/enter-email.PNG b/education/windows/images/enter-email.PNG new file mode 100644 index 0000000000..644d893f06 Binary files /dev/null and b/education/windows/images/enter-email.PNG differ diff --git a/education/windows/images/express-settings.png b/education/windows/images/express-settings.png new file mode 100644 index 0000000000..99e9c4825a Binary files /dev/null and b/education/windows/images/express-settings.png differ 
diff --git a/education/windows/images/fig2-locallyconfig.png b/education/windows/images/fig2-locallyconfig.png new file mode 100644 index 0000000000..d2fe9820da Binary files /dev/null and b/education/windows/images/fig2-locallyconfig.png differ diff --git a/education/windows/images/get-app-store.png b/education/windows/images/get-app-store.png new file mode 100644 index 0000000000..14ae888425 Binary files /dev/null and b/education/windows/images/get-app-store.png differ diff --git a/education/windows/images/get-the-app.PNG b/education/windows/images/get-the-app.PNG new file mode 100644 index 0000000000..0692ae6f7f Binary files /dev/null and b/education/windows/images/get-the-app.PNG differ diff --git a/education/windows/images/it-get-app.PNG b/education/windows/images/it-get-app.PNG new file mode 100644 index 0000000000..9740081ef4 Binary files /dev/null and b/education/windows/images/it-get-app.PNG differ diff --git a/education/windows/images/license-terms.png b/education/windows/images/license-terms.png new file mode 100644 index 0000000000..8dd34b0a18 Binary files /dev/null and b/education/windows/images/license-terms.png differ diff --git a/education/windows/images/mc-assign-to-others-admin.png b/education/windows/images/mc-assign-to-others-admin.png new file mode 100644 index 0000000000..907f21d514 Binary files /dev/null and b/education/windows/images/mc-assign-to-others-admin.png differ diff --git a/education/windows/images/mc-assign-to-others-teacher.png b/education/windows/images/mc-assign-to-others-teacher.png new file mode 100644 index 0000000000..2656e9c784 Binary files /dev/null and b/education/windows/images/mc-assign-to-others-teacher.png differ diff --git a/education/windows/images/mc-check-for-updates.png b/education/windows/images/mc-check-for-updates.png new file mode 100644 index 0000000000..a9a0fbae5f Binary files /dev/null and b/education/windows/images/mc-check-for-updates.png differ 
diff --git a/education/windows/images/mc-dnld-others-admin.png b/education/windows/images/mc-dnld-others-admin.png new file mode 100644 index 0000000000..5e253c20d1 Binary files /dev/null and b/education/windows/images/mc-dnld-others-admin.png differ diff --git a/education/windows/images/mc-dnld-others-teacher.png b/education/windows/images/mc-dnld-others-teacher.png new file mode 100644 index 0000000000..24fa7ae20d Binary files /dev/null and b/education/windows/images/mc-dnld-others-teacher.png differ diff --git a/education/windows/images/mc-install-for-me-admin.png b/education/windows/images/mc-install-for-me-admin.png new file mode 100644 index 0000000000..f9194a6188 Binary files /dev/null and b/education/windows/images/mc-install-for-me-admin.png differ diff --git a/education/windows/images/mc-install-for-me-teacher.png b/education/windows/images/mc-install-for-me-teacher.png new file mode 100644 index 0000000000..7bc90ad129 Binary files /dev/null and b/education/windows/images/mc-install-for-me-teacher.png differ diff --git a/education/windows/images/minecraft-admin-permissions.png b/education/windows/images/minecraft-admin-permissions.png new file mode 100644 index 0000000000..3051c3dd84 Binary files /dev/null and b/education/windows/images/minecraft-admin-permissions.png differ diff --git a/education/windows/images/minecraft-assign-roles-2.png b/education/windows/images/minecraft-assign-roles-2.png new file mode 100644 index 0000000000..3ab1d6e072 Binary files /dev/null and b/education/windows/images/minecraft-assign-roles-2.png differ diff --git a/education/windows/images/minecraft-assign-roles.png b/education/windows/images/minecraft-assign-roles.png new file mode 100644 index 0000000000..5dc396155c Binary files /dev/null and b/education/windows/images/minecraft-assign-roles.png differ 
diff --git a/education/windows/images/minecraft-assign-to-others.png b/education/windows/images/minecraft-assign-to-others.png new file mode 100644 index 0000000000..4e8fba6126 Binary files /dev/null and b/education/windows/images/minecraft-assign-to-others.png differ diff --git a/education/windows/images/minecraft-assign-to-people-name.png b/education/windows/images/minecraft-assign-to-people-name.png new file mode 100644 index 0000000000..e39891698b Binary files /dev/null and b/education/windows/images/minecraft-assign-to-people-name.png differ diff --git a/education/windows/images/minecraft-assign-to-people.png b/education/windows/images/minecraft-assign-to-people.png new file mode 100644 index 0000000000..0f0e3dcdff Binary files /dev/null and b/education/windows/images/minecraft-assign-to-people.png differ diff --git a/education/windows/images/minecraft-get-the-app.png b/education/windows/images/minecraft-get-the-app.png new file mode 100644 index 0000000000..f30ab8ac68 Binary files /dev/null and b/education/windows/images/minecraft-get-the-app.png differ diff --git a/education/windows/images/minecraft-in-windows-store-app.png b/education/windows/images/minecraft-in-windows-store-app.png new file mode 100644 index 0000000000..e25f2b4df3 Binary files /dev/null and b/education/windows/images/minecraft-in-windows-store-app.png differ diff --git a/education/windows/images/minecraft-my-library.png b/education/windows/images/minecraft-my-library.png new file mode 100644 index 0000000000..1be1660adb Binary files /dev/null and b/education/windows/images/minecraft-my-library.png differ diff --git a/education/windows/images/minecraft-perms.PNG b/education/windows/images/minecraft-perms.PNG new file mode 100644 index 0000000000..1788d6b593 Binary files /dev/null and b/education/windows/images/minecraft-perms.PNG differ 
diff --git a/education/windows/images/minecraft-private-store.png b/education/windows/images/minecraft-private-store.png new file mode 100644 index 0000000000..0194d4b955 Binary files /dev/null and b/education/windows/images/minecraft-private-store.png differ diff --git a/education/windows/images/minecraft-student-install-email.png b/education/windows/images/minecraft-student-install-email.png new file mode 100644 index 0000000000..aa562a0f01 Binary files /dev/null and b/education/windows/images/minecraft-student-install-email.png differ diff --git a/education/windows/images/minecraft.PNG b/education/windows/images/minecraft.PNG new file mode 100644 index 0000000000..c758c28ad5 Binary files /dev/null and b/education/windows/images/minecraft.PNG differ diff --git a/education/windows/images/oobe.jpg b/education/windows/images/oobe.jpg new file mode 100644 index 0000000000..53a5dab6bf Binary files /dev/null and b/education/windows/images/oobe.jpg differ diff --git a/education/windows/images/package.png b/education/windows/images/package.png new file mode 100644 index 0000000000..f5e975e3e9 Binary files /dev/null and b/education/windows/images/package.png differ diff --git a/education/windows/images/prov.jpg b/education/windows/images/prov.jpg new file mode 100644 index 0000000000..1593ccb36b Binary files /dev/null and b/education/windows/images/prov.jpg differ diff --git a/education/windows/images/school.PNG b/education/windows/images/school.PNG new file mode 100644 index 0000000000..f8be255a05 Binary files /dev/null and b/education/windows/images/school.PNG differ diff --git a/education/windows/images/setup-app-1-access.png b/education/windows/images/setup-app-1-access.png new file mode 100644 index 0000000000..1de1081d1d Binary files /dev/null and b/education/windows/images/setup-app-1-access.png differ 
diff --git a/education/windows/images/setup-app-1-usb.png b/education/windows/images/setup-app-1-usb.png new file mode 100644 index 0000000000..b2d170244f Binary files /dev/null and b/education/windows/images/setup-app-1-usb.png differ diff --git a/education/windows/images/setup-app-1-wifi-manual.png b/education/windows/images/setup-app-1-wifi-manual.png new file mode 100644 index 0000000000..92de4f784c Binary files /dev/null and b/education/windows/images/setup-app-1-wifi-manual.png differ diff --git a/education/windows/images/setup-app-1-wifi.png b/education/windows/images/setup-app-1-wifi.png new file mode 100644 index 0000000000..9f305e081c Binary files /dev/null and b/education/windows/images/setup-app-1-wifi.png differ diff --git a/education/windows/images/setup-app-1.PNG b/education/windows/images/setup-app-1.PNG new file mode 100644 index 0000000000..1b88c5ac31 Binary files /dev/null and b/education/windows/images/setup-app-1.PNG differ diff --git a/education/windows/images/setup-app-2-directions.png b/education/windows/images/setup-app-2-directions.png new file mode 100644 index 0000000000..f245aafb2b Binary files /dev/null and b/education/windows/images/setup-app-2-directions.png differ diff --git a/education/windows/images/setup-app-3-directions.png b/education/windows/images/setup-app-3-directions.png new file mode 100644 index 0000000000..f593ea7371 Binary files /dev/null and b/education/windows/images/setup-app-3-directions.png differ diff --git a/education/windows/images/setup-app-all-done.png b/education/windows/images/setup-app-all-done.png new file mode 100644 index 0000000000..af7343f0e5 Binary files /dev/null and b/education/windows/images/setup-app-all-done.png differ diff --git a/education/windows/images/setupmsg.jpg b/education/windows/images/setupmsg.jpg new file mode 100644 index 0000000000..12935483c5 Binary files /dev/null and b/education/windows/images/setupmsg.jpg differ 
diff --git a/education/windows/images/sign-in-prov.png b/education/windows/images/sign-in-prov.png new file mode 100644 index 0000000000..55c9276203 Binary files /dev/null and b/education/windows/images/sign-in-prov.png differ diff --git a/education/windows/images/signin.jpg b/education/windows/images/signin.jpg new file mode 100644 index 0000000000..ad31bb31c4 Binary files /dev/null and b/education/windows/images/signin.jpg differ diff --git a/education/windows/images/take-a-test-flow.png b/education/windows/images/take-a-test-flow.png new file mode 100644 index 0000000000..a5135c1822 Binary files /dev/null and b/education/windows/images/take-a-test-flow.png differ diff --git a/education/windows/images/teacher-get-app.PNG b/education/windows/images/teacher-get-app.PNG new file mode 100644 index 0000000000..329607edb9 Binary files /dev/null and b/education/windows/images/teacher-get-app.PNG differ diff --git a/education/windows/images/teacher.PNG b/education/windows/images/teacher.PNG new file mode 100644 index 0000000000..286d515624 Binary files /dev/null and b/education/windows/images/teacher.PNG differ diff --git a/education/windows/images/test-account-icd.PNG b/education/windows/images/test-account-icd.PNG new file mode 100644 index 0000000000..4fd9bf3f28 Binary files /dev/null and b/education/windows/images/test-account-icd.PNG differ diff --git a/education/windows/images/trust-package.png b/education/windows/images/trust-package.png new file mode 100644 index 0000000000..8a293ea4da Binary files /dev/null and b/education/windows/images/trust-package.png differ diff --git a/education/windows/images/who-owns-pc.png b/education/windows/images/who-owns-pc.png new file mode 100644 index 0000000000..d3ce1def8d Binary files /dev/null and b/education/windows/images/who-owns-pc.png differ diff --git a/education/windows/index.md b/education/windows/index.md new file mode 100644 index 0000000000..7d914b1ed4 --- /dev/null +++ b/education/windows/index.md 
@@ -0,0 +1,30 @@ +--- +title: Windows 10 for Education (Windows 10) +description: Learn about using Windows 10 in schools. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: edu +author: jdeckerMS +--- + +# Windows 10 for Education +[Windows 10 Education](https://www.microsoft.com/en-us/education/products/windows/default.aspx) empowers staff, administrators, teachers and students to do great things. + +[Find out how to get Windows 10 Education for your school.](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools) + +## In this section + +|Topic |Description | +|------|------------| +| [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | Learn how the Set up School PCs app works and how to use it. | +| [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md) | See the changes that the Set up School PCs app makes to a PC. | +| [Get Minecraft Education Edition](get-minecraft-for-education.md) | Learn how to get early access to **Minecraft Education Edition**. | +| [Take tests in Windows 10](take-tests-in-windows-10.md) | Learn how to configure and use the **Take a Test** app in Windows 10 | +| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. | +| [Chromebook migration guide](chromebook-migration-guide.md) | Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. 
| + +## Related topics + +- [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index) +- [Try it out: virtual labs and how-to videos for Windows 10 Education](https://technet.microsoft.com/en-us/windows/dn610356) diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md new file mode 100644 index 0000000000..5c18b9e201 --- /dev/null +++ b/education/windows/school-get-minecraft.md 
@@ -0,0 +1,206 @@ +--- +title: For IT administrators get Minecraft Education Edition +description: Learn how IT admins can get and distribute Minecraft in their schools. +keywords: ["school"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# For IT administrators: get Minecraft Education Edition + +**Applies to:** + +- Windows 10 + +When you sign up for early access to [Minecraft Education Edition](http://education.minecraft.net), Minecraft will be added to the inventory in your Windows Store for Business, a private version of Windows Store associated with your Azure Active Directory (Azure AD) tenant. Your Store for Business is only displayed to members of your organization. + +> **Note**: If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 subscription when you request Minecraft Education Edition. + +## Add Minecraft to your Windows Store for Business + +1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **Get the app**. + + ![Click Get the app](images/it-get-app.png) + +2. Enter your email address. + + ![Enter school email address](images/enter-email.png) + + - If your email address isn't associated to an Azure AD or Office 365 tenant, you'll be asked to fill in a form. The information will be used to create an Office 365 subscription for your school. + +3. Select **Get the app**. This will take you to the Windows Store for Business to download the app. You will also receive an email with instructions and a link to the Store. + + ![You can get the app now](images/get-the-app.png) + +4. Sign in to Windows Store for Business with your email address. + +5. Read and accept the Windows Store for Business Service Agreement, and then select **Next**. + +6. **Minecraft Education Edition** opens in the Windows Store for Business. Select **Get the app**. This places **Minecraft: Education Edition** in your Store inventory. 
+ + ![Get Minecraft app in Store](images/minecraft-get-the-app.png) + +## Distribute Minecraft + +After Minecraft Education Edition is added to your Windows Store for Business, you have three options: + +- You can install the app on your PC. +- You can assign the app to others. +- You can download the app to distribute. + +![App distribution options](images/mc-install-for-me-admin.png) + +### Install for me +You can install the app on your PC. This gives you a chance to test the app and know how you might help others in your organization use the app. + +1. Sign in to Windows Store for Business. +2. Click **Manage**, and then click **Install for me**. + + ![Minecraft Education Edition product page](images/mc-install-for-me-admin.png) + +3. Click **Install**. + +### Assign to others +Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more tech-savvy students who will always use the same PC at school. You can assign the app to individuals, groups, or add it to your private store, where students and teachers in your organization can + +**To assign to others** +1. Sign in to Windows Store for Business. +2. Click **Manage**. + + ![Minecraft Education Edition product page](images/minecraft-assign-to-others.png) +4. Click **Assign to people**. + + ![Assign to people](images/minecraft-assign-to-people.png) +5. Type the name, or email address of the student you want to assign the app to, and then click **Assign**. + + You can only assign the app to students with work or school accounts. If you don't find the student, you might need to add a work or school account for the student. + + ![Assign to people showing student name](images/minecraft-assign-to-people-name.png) + +**To finish Minecraft install (for students)** + +Students will receive an email with a link that will install the app on their PC. + +![Email with Get the app link](images/minecraft-student-install-email.png) + +1. 
Click **Get the app** to start the app install in Windows Store app. +2. In Windows Store app, click **Install**. + + ![Windows Store app with Minecraft page](images/minecraft-in-windows-store-app.png) + +After installing the app, students can find Minecraft: Education Edition in Windows Store app under **My Library**. + +![Windows Store app showing access to My Library](images/minecraft-private-store.png) + +When students click **My Libarary** they'll find apps assigned to them. + +![My Library for example student](images/minecraft-my-library.png) + +### Download for others +Download for others allows teachers or IT admins to download a packages that they can install on student PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for younger students, and for shared computers. Choose this option when: +- You have administrative permissions to install apps on the PC. +- You want to install this app on each of your student's Windows 10 (at least version 1511) PCs. +- Your students share Windows 10 computers, but sign in with their own Windows account. + +**Requirements** +- Administrative permissions are required on the PC. If you don't have the correct permissions, you won't be able to install the app. +- Windows 10 (at least version 1511) is required for PCs running Minecraft: Education Edition. + +**Check for updates**
+Minecraft: Education Edition will not install if there are updates pending for other apps on the PC. Before installing Minecraft, check to see if there are pending updates for Windows Store apps. + +**To check for app updates** +1. Start Windows Store app on the PC (click **Start**, and type **Store**). +2. Click the account button, and then click **Downloads and updates**. + + ![Windows Store app showing access to My Library](images/minecraft-private-store.png) + +3. Click **Check for updates**, and install all available updates. + + ![Windows Store app showing access to My Library](images/mc-check-for-updates.png) + +4. Restart the computer before installing Minecraft: Education Edition. + +**To download for others**
+You'll download a .zip file, extract the files, and then use one of the files to install Minecraft: Education Edition on each PC. + +1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**. + + ![Windows Store app showing access to My Library](images/mc-dnld-others-admin.png) + +2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**. +3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC. +4. **Install app**. Use the USB drive to copy the Minecraft folder to each Windows 10 PC where you want to install Minecraft: Education Edition. Open Minecraft: Education Edition folder, right-click **InstallMinecraftEducationEdition.bat** and click **Run as administrator**. +5. **Quick check**. The install program checks the PC to make sure it can run Minecraft: Education Edition. If your PC passes this test, the app will automatically install. +6. **Restart**. Once installation is complete, restart each PC. Minecraft: Education Edition app is now ready for any student to use. + + +## Manage Minecraft Education Edition + +### Access to Windows Store for Business +By default, when a teacher with a work or school account in your edu tenant acquires Minecraft: Education Edition, they are automatically signed up for Window Store for Business, and the **Basic Purchaser** role is assigned to them. **Basic Purchaser** role allows teachers to acquire Minecraft: Education Edition and to distribute it to students. + +However, tenant admins can control whether or not teachers automatically sign up for Windows Store for Business, and get the **Basic Purachaser** role. 
You can configure this with the **Allow educators in my organization to sign up for the Windows Store for Business.** You'll find this on the **Permissions** page. + +To prevent educators from automatically signing up for Windows Store for Business +1. In Windows Store for Business, click **Settings**, and then click **Permissions**. + + ![Permission page for Windows Store for Business](images/minecraft-admin-permissions.png) + +2. Click **Allow educators in my organization to sign up for the Windows Store for Business.** + +### Roles and permissions +Minecraft: Education Edition adds a new role for teachers: **Basic Purchaser**. When a teacher has been granted this role, they can: +- View the Minecraft product description page +- Acquire and manage the app +- Info on Support page (including links to documentation and access to support through customer service) + +![assign roles to manage Minecraft permissions](images/minecraft-perms.png) + +**To assign Basic Purchaser role** + +1. Sign in to Store for Business + + **Note**
+ You need to be a Global Administrator, or have the Store for Business Admin role to access the Permissions page. + +2. Click **Settings**, and then choose **Permissions**. + + ![Permission page for Windows Store for Business](images/minecraft-admin-permissions.png) + +3. Click **Add people**, type a name, select the correct person, choose the role you want to assign, and click **Save**. + + ![Permission page for Windows Store for Business](images/minecraft-assign-roles.png) + + Windows Store for Business updates the list of people and permissions. + + ![Permission page for Windows Store for Business](images/minecraft-assign-roles-2.png) + +## Private store + +When you create you Windows Store for Business account, you'll have a set of apps included for free in your private store. Apps in your private store are available for all people in your organization to install and use. + +These apps will automatically be in your private store: +- Word mobile +- Excel mobile +- PowerPoint mobile +- OneNote +- Sway +- Fresh Paint +- Minecraft: Education Edition + +As an admin, you can remove any of these apps from the private store if you'd prefer to control how apps are distributed. + +## Learn more + +[Roles and permissions in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business) + +[Troubleshoot Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/troubleshoot-windows-store-for-business) + +## Related topics + +[Get Minecraft Education Edition](get-minecraft-for-education.md) + +[For teachers get Minecraft Education Edition](teacher-get-minecraft.md) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md new file mode 100644 index 0000000000..80c86ba360 --- /dev/null +++ b/education/windows/set-up-school-pcs-technical.md 
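Review bot: In "To prevent educators from automatically signing up for Windows Store for Business", step 2 only says to click the **Allow educators in my organization to sign up for the Windows Store for Business** setting, which reads as turning it on; say explicitly that the admin clears (turns off) the setting, since the paragraph above states it is on by default. Also in this hunk: "Basic Purachaser" should be "Basic Purchaser", "signed up for Window Store for Business" is missing the "s", "When you create you Windows Store for Business account" should be "your", the "Sign in to Store for Business" step has no terminating period, and the Basic Purchaser capability list mixes verb phrases with "Info on Support page", which should read "View the Support page (including links to documentation and access to support through customer service)".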
@@ -0,0 +1,265 @@ +--- +title: Set up School PCs app technical reference +description: Describes the changes that the Set up School PCs app makes to a PC. +keywords: shared cart, shared PC, school +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +author: jdeckerMS +--- + +# Technical reference for the Set up School PCs app (Preview) +**Applies to:** + +- Windows 10 Insider Preview + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode, available in Windows 10, version 1607. **Set up School PCs** also configures school-specific settings and policies, described in this topic. + +If your school uses Azure Active Directory (Azure AD) or Office 365, the **Set up School PCs** app will create a setup file that connects the computer to your subscription. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity. + +The following table tells you what you get using the **Set up School PCs** app in your school. + +| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium | +| --- | :---: | :---: | :---: | :---: | +| **Fast sign-in**
Each student can sign in and start using the computer in less than a minute, even on their first sign-in. | X | X | X | X | +| **Custom Start experience**\*
The apps students need are pinned to Start, and unnecessary apps are removed. | X | X | X | X | +| **Temporary access, no sign-in required**
This option sets up computers for common use. Anyone can use the computer without an account. | X | X | X | X | +| **School policies**\*
Settings specific to education create a useful learning environment and the best computer performance. | X | X | X | X | +| **Azure AD Join**
The computers are joined to your Azure AD or Office 365 subscription for centralized management. | | X | X | X | +| **Single sign-on to Office 365**
By signing on with student IDs, students have fast access to Office 365 web apps. | | | X | X | +| **[Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) via Azure AD**
Student user and application settings data can be synchronized across devices for a personalized experience. | | | | X | +| | | | | | +\* Feature applies to Windows 10 Pro, Windows 10 Pro for Education, Windows 10 Enterprise, and Windows 10 Enterprise for EDU + +> **Note**: If your school uses Active Directory, use Windows Imaging and Configuration Designer to configure your PCs to join the domain. You can only use the **Set up School PCs** app to set up PCs that are not connected to your traditional domain. + +## Prerequisites for IT + +* If your school uses Azure AD, [configure your directory to allow devices to join](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/). If the teacher is going to set up a lot of devices, give the teacher appropriate privileges for joining devices or make a special account. +* Office 365, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/en-us/academic/office-365-education-plan) +* If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703369%28v=vs.85%29.aspx) +* After you set up your Office 365 Education tenant, use [Microsoft School Data Sync Preview](https://sis.microsoft.com/) to sync user profiles and class rosters from your Student Information System (SIS). + + +## Information about Windows Update + +Shared PC mode helps ensure that computers are always up-to-date. 
If a PC is configured using the **Set up School PCs** app, shared PC mode sets the power states and Windows Update to: +* Wake nightly +* Check and install updates +* Forcibly reboot if necessary to finish applying updates + +The PC is also configured to not interrupt the user during normal daytime hours with updates or reboots. + +## Guidance for accounts on shared PCs + +* We recommend no local admin accounts on the PC to improve the reliability and security of the PC. +* When a PC is set up in shared PC mode, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account managment happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Start without an account** will also be deleted automatically at sign out. +* On a Windows PC joined to Azure Active Directory: + * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. + * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. +* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. However, any new local accounts created by the **Start without an account** selection on the sign-in screen (if enabled) will automatically be deleted at sign-out. +* If admin accounts are necessary on the PC + * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or + * Create admin accounts before setting up shared PC mode, or + * Create exempt accounts before signing out. +* The account management service supports accounts that are exempt from deletion. 
+ * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key. + * To add the account SID to the registry key using PowerShell: + ``` + $adminName = "LocalAdmin" + $adminPass = 'Pa$$word123' + iex "net user /add $adminName $adminPass" + $user = New-Object System.Security.Principal.NTAccount($adminName) + $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) + $sid = $sid.Value; + New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force + ``` + + +## Custom images +Shared PC mode is fully compatible with custom images that may be created by IT departments. Create a custom image and then use sysprep with the `/oobe` flag to create an image that teachers can then apply the **Set up School PCs** provisioning package to. [Learn more about sysprep](https://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx). + +## Provisioning package details + +The **Set up School PCs** app produces a specialized provisioning package that makes use of the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx). + +### Education customizations + +- Saving content locally to the PC is disabled. This prevents data loss by forcing students to save to the cloud. +- A custom Start layout and sign in background image are set. +- Prohibits Microsoft Accounts (MSAs) from being created. +- Prohibits unlocking the PC to developer mode. +- Prohibits untrusted Windows Store apps from being installed. +- Prohibits students from removing MDM. +- Prohibits students from adding new provisioning packages. +- Prohibits student from removing existing provisioning packages (including the one set by **Set up School PCs**). +- Sets active hours from 6 AM to 6 PM. +- Sets Windows Update to update nightly. 
+ + +### Uninstalled apps + +- 3D Builder (Microsoft.3DBuilder_8wekyb3d8bbwe) +- Weather (Microsoft.BingWeather_8wekyb3d8bbwe) +- Get Started (Microsoft.Getstarted_8wekyb3d8bbwe) +- Get Office (Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) +- Microsoft Solitaire Collection (Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) +- Paid Wi-Fi & Cellular (Microsoft.OneConnect_8wekyb3d8bbwe) +- Feedback Hub (Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) +- Xbox (Microsoft.XboxApp_8wekyb3d8bbwe) +- Groove Music (Microsoft.ZuneMusic_8wekyb3d8bbwe) +- Movies & TV (Microsoft.ZuneVideo_8wekyb3d8bbwe) +- Mail/Calendar (microsoft.windowscommunicationsapps_8wekyb3d8bbwe) + +### Local Group Policies + +> **Important**: It is not recommended to set additional policies on PCs configured with the **Set up School PCs** app. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy path

Policy name

Value

Admin Templates > Control Panel > Personalization

Prevent enabling lock screen slide show

Enabled

Prevent changing lock screen and logon image

Enabled

Admin Templates > System > Power Management > Button Settings

Select the Power button action (plugged in)

Sleep

Select the Power button action (on battery)

Sleep

Select the Sleep button action (plugged in)

Sleep

Select the lid switch action (plugged in)

Sleep

Select the lid switch action (on battery)

Sleep

Admin Templates > System > Power Management > Sleep Settings

Require a password when a computer wakes (plugged in)

Enabled

Require a password when a computer wakes (on battery)

Enabled

Specify the system sleep timeout (plugged in)

1 hour

Specify the system sleep timeout (on battery)

1 hour

Turn off hybrid sleep (plugged in)

Enabled

Turn off hybrid sleep (on battery)

Enabled

Specify the unattended sleep timeout (plugged in)

1 hour

Specify the unattended sleep timeout (on battery)

1 hour

Allow standby states (S1-S3) when sleeping (plugged in)

Enabled

Allow standby states (S1-S3) when sleeping (on battery)

Enabled

Specify the system hibernate timeout (plugged in)

Enabled, 0

Specify the system hibernate timeout (on battery)

Enabled, 0

Admin Templates>System>Power Management>Video and Display Settings

Turn off the display (plugged in)

1 hour

Turn off the display (on battery

1 hour

Admin Templates>System>Logon

Show first sign-in animation

Disabled

Hide entry points for Fast User Switching

Enabled

Turn on convenience PIN sign-in

Disabled

Turn off picture password sign-in

Enabled

Turn off app notification on the lock screen

Enabled

Allow users to select when a password is required when resuming from connected standby

Disabled

Block user from showing account details on sign-in

Enabled

Admin Templates>System>User Profiles

Turn off the advertising ID

Enabled

Admin Templates>Windows Components

Do not show Windows Tips

Enabled

Turn off Microsoft consumer experiences

Enabled

Microsoft Passport for Work

Disabled

Prevent the usage of OneDrive for file storage

Enabled

Admin Templates>Windows Components>Biometrics

Allow the use of biometrics

Disabled

Allow users to log on using biometrics

Disabled

Allow domain users to log on using biometrics

Disabled

Admin Templates>Windows Components>Data Collection and Preview Builds

Toggle user control over Insider builds

Disabled

Disable pre-release features or settings

Disabled

Do not show feedback notifications

Enabled

Admin Templates > Windows Components > File Explorer

Show lock in the user tile menu

Disabled

Admin Templates > Windows Components > Maintenance Scheduler

Automatic Maintenance Activation Boundary

12am

Automatic Maintenance Random Delay

Enabled, 2 hours

Automatic Maintenance WakeUp Policy

Enabled

Admin Templates > Windows Components > Microsoft Edge

Open a new tab with an empty tab

Disabled

Configure corporate home pages

Enabled, about:blank

Admin Templates > Windows Components > Search

Allow Cortana

Disabled

Windows Settings > Security Settings > Local Policies > Security Options

Accounts: Block Microsoft accounts

Enabled

Interactive logon: Do not display last user name

Enabled

Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

Disabled

Shutdown: Allow system to be shut down without having to log on

Disabled

User Account Control: Behavior of the elevation prompt for standard users

Auto deny


+ +## Related topics + +[Use Set up School PCs app](use-set-up-school-pcs-app.md) + + + + diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md new file mode 100644 index 0000000000..d10f638e00 --- /dev/null +++ b/education/windows/take-a-test-app-technical.md 
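Review bot: The PowerShell sample under "The account management service supports accounts that are exempt from deletion" creates the account with `iex "net user /add $adminName $adminPass"`; Invoke-Expression on an interpolated string is unnecessary here and turns any special character in the name or password into command syntax, so call `net user` directly with the two variables as arguments. The same sample hard-codes a password literal, `$adminPass = 'Pa$$word123'`, that readers will copy verbatim; prompt for it at run time or mark it clearly as a placeholder. The variable is named `$adminName` but `net user /add` creates a standard local user and the snippet never adds it to the Administrators group, so either add that step or rename the variable, since the bullet above says "Create admin accounts before setting up shared PC mode". The registry path in the prose, `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`, is misspelled (`SOFTWARE`) and does not match the `HKLM:\Software\...` path the code uses. Minor: the fence has no language tag (```powershell), "account managment" should be "management", "Prohibits student from removing" should be "students", and in the Local Group Policies table the row "Turn off the display (on battery" is missing its closing parenthesis.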
@@ -0,0 +1,83 @@ +--- +title: Take a Test app technical reference +description: The policies and settings applied by the Take a Test app. +keywords: shared cart, shared PC, school +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +author: jdeckerMS +--- + +# Take a Test app technical reference (Preview) +**Applies to:** + +- Windows 10 Insider Preview + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +Take a Test is an app that locks down the PC and displays an online assessment web page. + +Whether you are a teacher or IT administrator, you can easily configure Take a Test to meet your testing needs. For high-stakes tests, the app creates a browser-based, locked-down environment for more secure online assessments. This means that students taking the tests that don’t have copy/paste privileges, can’t access to files and applications, and are free from distractions. For simple tests and quizzes, Take a Test can be configured to use the teacher’s preferred assessment website to deliver digital assessments + +Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](http://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. (Link to Javascript API when available) + +## PC lockdown for assessment + + When the assessment page initiates lock down, the student’s desktop will be locked and the app will be launched above the Windows lock screen to provide a sandbox that ensures the student can only interact with the Take a Test app . After transitioning to the lock screen, Take a Test will apply local MDM policies to further lock down the device. 
The whole process of going above the lock screen and applying policies is what defines lockdown. The lockdown process is atomic, which means that if any part of the lockdown operation fails, the app will not be above lock and won't have any of the policies applied. + +When running above the lock screen: +- The app runs full screen with no chrome + +- The hardware print screen button is disabled + +- Content within the app will show up as black in screen capturing/sharing software Copy/paste is disabled + +- Web apps can query the processes currently running in the user’s device + +- Extended display shows up as black + +- Auto-fill is disabled + +## Mobile device management (MDM) policies + +When Take a Test is running, the following MDM policies are applied to lock down the PC. + +| Policy | Description | Value | +|---|---|---| +| AllowToasts | Disables toast notifications from being shown | 0 | +| AllowAppStoreAutoUpdate | Disables automatic updates for Windows Store apps that are installed on the PC | 0 | +| AllowDeviceDiscovery | Disables UI for screen sharing | 0 | +| AllowInput Panel | Disables the onscreen keyboard which will disable auto-fill | 0 | +| AllowCortana | Disables Cortana functionality | 0 | +| AllowAutoupdate | Disables Windows Update from starting OS updates | 5 | + +## Allowed functionality + +When Take a Test is running, the following functionality is available to students: + +- Assistive technology that is configured to run above the lock screen should run as expected + +- Narrator is available through Windows key + Enter + +- Magnifier is available through Windows key + "+" key + + - Full screen mode is compatible + +- The student can press Alt+Tab when locked down. 
This results in the student being able to switch between the following: + + - Take a Test + - Assistive technology that may be running + - Lock Screen (not available if student is using a dedicated test account) + > **Note** The app will exit if the student signs in to an account from the lock screen. Progress made in the test may be lost or invalidated. + +- The student can exit the test by pressing one of the following key combinations: + + - Ctrl+Alt+Del + + - Alt+F4 (**Take a Test** will restart if the student is using a dedicated test account) + + + + diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md new file mode 100644 index 0000000000..e4ba7eb6ed --- /dev/null +++ b/education/windows/take-a-test-multiple-pcs.md 
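Review bot: In the MDM policies table, "AllowInput Panel" should be "AllowInputPanel" (no space), and the "AllowAutoupdate" row says "Disables Windows Update from starting OS updates" but sets value 5 while every other row uses 0; add a phrase saying what 5 means so readers do not treat it as a typo. In the "When running above the lock screen" list, two bullets have run together: "Content within the app will show up as black in screen capturing/sharing software" and "Copy/paste is disabled" need separate bullets, and "Web apps can query the processes currently running in the user's device" is a capability granted to the assessment page rather than a restriction on the student, so it should be introduced as such rather than sitting in a list of lockdown effects. Also: "(Link to Javascript API when available)" is an editorial placeholder left in the published text, "students taking the tests that don't have copy/paste privileges, can't access to files and applications" should read "students taking tests don't have copy/paste privileges, can't access files and applications", the sentence ending "deliver digital assessments" has no period, and "Take a Test app ." has a stray space before the period.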
@@ -0,0 +1,216 @@ +--- +title: Set up Take a Test on multiple PCs +description: Learn how to set up and use the Take a Test app on multiple PCs. +keywords: ["shared cart", "shared PC", "school"] +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +author: jdeckerMS +--- + +# Set up Take a Test on multiple PCs (Preview) +**Applies to:** + +- Windows 10 Insider Preview + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: + +- A Microsoft Edge browser window opens, showing just the test and nothing else. +- Students aren’t able to go to other websites. +- Students can’t open or access other apps. +- Students can't share, print, or record their screens. +- Students can’t copy or paste. +- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features. +- Cortana is turned off. + + +**Take a Test** is included in version 1607 of Windows 10 Pro, Pro Education, Education and Enterprise. + +## How you use Take a Test + +![Use test account or test url in Take a Test](images/take-a-test-flow.png) + +- **Use a test URL and a [dedicated testing account](#set-up-a-dedicated-test-account)** - A user signs in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. 
+- **[Put a test URL with an included prefix](#provide-link-to-test) on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments. + +## Set up a dedicated test account + +To configure a dedicated test account on multiple PCs, you can use: +- [Mobile device management (MDM) or Microsoft System Center Configuration Manager](#set-up-test-account-in-mdm-or-configuration-manager) +- [A provisioning package](#set-up-test-account-in-a-provisioning-package) created in Windows Imaging and Configuration Designer (ICD) +- [Group Policy](#set-up-test-account-in-group-policy) to deploy a scheduled task that runs a Powershell script + + +### Set up test account in MDM or Configuration Manager + +1. Launch your management console. +2. Create a policy to set up single app kiosk mode, using the following values: + + - **Custom OMA-DM URI** = ./Vendor/MSFT/AssignedAccess/KioskModeApp + - **String value** = {"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "} + + > Account can be in one of the following formats: + > - username + > - domain\username + > - computer name\\username + > - username@tenant.com + +3. Create a policy to configure the assessment URL, using the following values: + + - **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/LaunchURI + - **String value** = *assessment URL* + > See [Assessment URLs](#assessment-urls) + +4. Create a policy that associates the assessment URL to the account, using the following values: + + - **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/TesterAccount + - **String value** = Enter the account that you specified in step 2, using the same account format. + +5. To take the test, the student signs in to the test account. 
+ +### Set up test account in a provisioning package + +Prerequisite: You must first [download the Windows ADK](https://msdn.microsoft.com/en-us/windows/hardware/dn913721.aspx) for Windows 10, Version 1607, and install Windows Imaging and Configuration Designer (ICD). + +**Create a provisioning package to set up a test account + +1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). +2. Select **Advanced provisioning**. +3. Name your project, and click **Next**. +4. Select **All Windows desktop editions**, and click **Next**. +5. Click **Finish**. +6. Go to **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings**. +7. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up, as shown in the following image. + + ![Enter account and app for Assigned Access Settings](images/test-account-icd.png) + > Account can be in one of the following formats: + > - username + > - domain\username + > - computer name\\username + > - username@tenant.com + +8. Go to **Runtime settings** > **TakeATest**. +9. Enter the test URL in **LaunchURI**. +10. Enter the test account from step 7 in **TesterAccount**. +On the **File** menu, select **Save.** + +9. On the **Export** menu, select **Provisioning package**. + +10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** + +11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. 
+ + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. + +12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. + + Optionally, you can click **Browse** to change the default output location. + +13. Click **Next**. + +14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. + + If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. + + If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + + **Apply the provisioning package** + + 1. Select the provisioning package that you want to apply, double-click the file, and then allow admin privileges. + +2. Consent to allow the package to be installed. 
+ + After you allow the package to be installed, the settings will be applied to the device + +[Learn how to apply a provisioning package in audit mode or OOBE.](http://go.microsoft.com/fwlink/p/?LinkID=692012) + +### Set up test account in Group Policy + +To set up a test account using Group Policy, first create a Powershell script that configures the test account and test URL, and then create a scheduled task to run the script. + +#### Create a Powershell script + +This sample Powershell script configures the test account and the test URL. Edit the sample to: +- Use your test account for **$obj.LaunchURI** +- Use your test URL for **$obj.TesterAccount** +- Use your test account for **-UserName** + +``` +$obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'"; +$obj.LaunchURI='http://www.foo.com'; +$obj.TesterAccount='TestAccount'; +$obj.put() +Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount +``` + + +#### Create a scheduled task in Group Policy + +1. Open the Group Policy Management Console. +2. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click **Edit**. +3. In the console tree under **Computer Configuration** or **User Configuration**, go to **Preferences** > **Control Panel Settings**. +4. Right-click **Scheduled Tasks**, point to **New**, and select **Scheduled Task**. +5. In the **New Scheduled Task Properties** dialog box, click **Change User or Group**. +6. In the **Select User or Group** dialog box, click **Advanced**. +7. In the **Advanced** dialog box, click **Find Now**. +8. Select **System** in the search results +9. Go back to the **Properties** dialog box and select **Run with highest privileges** under **Security options**. +9. Specify the operating system in the **Configure for** field. +9. Navigate to the **Actions** tab. +9. 
Create a new **Action**. +9. Configure the action to **Start a program**. +9. In the **Program/script** field, enter **powershell**. +9. In the **Add arguments** field, enter **-file “”**. +9. Click **OK**. +9. Navigate to the **Triggers** tab and create a new trigger. +9. Specify the trigger to be **On a schedule**. +9. Specify the trigger to be **One time**. +9. Specify the time the trigger should start. +9. Click **OK**. +9. In the **Settings** tab, select **Run task as soon as possible after a scheduled start is missed**. +9. Click **OK**. + + + +## Provide link to test + +Anything hosted on the web can be presented in a locked down manner, not just assessments. To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments. + +1. Create a link to the test URL. Use **ms-edu-secureassessment:** before the URL and **!enforceLockdown** after the URL. +``` +ms-edu-secureassessment:!enforceLockdown + ``` + > **Note**: You may want to remove !enforceLockdown for tests that utilizes our lockdown API that checks for running processes before locking down. Removing !enforceLockdown will result in the app not locking down immediately which allows you to close apps that are not allowed to run during lockdown. The test web application may lock down the device once you have closed the apps. + +2. Distribute the link. You can use the web, email, OneNote, or any other method of your choosing. +3. To take the test, the student clicks on the link and provides user consent. + + + +## Assessment URLs + +This assessment URL uses our lockdown API: + +- SBAC/AIR: [http://mobile.tds.airast.org/launchpad/](http://mobile.tds.airast.org/launchpad/). 
+ + +## Related topics + +[Take tests in Windows 10](take-tests-in-windows-10.md) + +[Set up Take a Test on a single PC](take-a-test-single-pc.md) + +[Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) + +[Take a Test app technical reference](take-a-test-app-technical.md) diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md new file mode 100644 index 0000000000..f0d2f288c7 --- /dev/null +++ b/education/windows/take-a-test-single-pc.md 
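Review bot: The bullets that explain how to edit the Group Policy sample script are swapped: the script sets `$obj.LaunchURI='http://www.foo.com'` and `$obj.TesterAccount='TestAccount'`, so the text should say "Use your test URL for **$obj.LaunchURI**" and "Use your test account for **$obj.TesterAccount**". In "Set up test account in MDM or Configuration Manager" step 2 and the ICD step 7, the AssignedAccess string `{"Account":"redmond\\kioskuser","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}` uses a curly quote and surrounding spaces inside the AUMID value; that is not valid JSON and a padded AUMID will not match the app, so write `"AUMID":"Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App"`. In "Provide link to test", the example `ms-edu-secureassessment:!enforceLockdown` has nothing between prefix and suffix; show where the assessment URL goes, e.g. `ms-edu-secureassessment:<assessment URL>!enforceLockdown`. The scheduled task's **Add arguments** value `-file “”` leaves the script path empty and should name a placeholder path; since the task runs as **System** with highest privileges, also state that the script must be stored where standard users cannot modify it, otherwise anyone who can edit that file gets code run as SYSTEM at the next trigger. Numbering: the ICD procedure jumps from step 10 back to 9, and the scheduled-task steps repeat "9." from step 9 onward; the bold heading "**Create a provisioning package to set up a test account" is missing its closing "**"; and the script fence should be tagged ```powershell.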
@@ -0,0 +1,86 @@ +--- +title: Set up Take a Test on a single PC +description: Learn how to set up and use the Take a Test app on a single PC. +keywords: shared cart, shared PC, school +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +author: jdeckerMS +--- + +# Set up Take a Test on a single PC (Preview) +**Applies to:** + +- Windows 10 Insider Preview + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: + +- A Microsoft Edge browser window opens, showing just the test and nothing else. +- Students aren’t able to go to other websites. +- Students can’t open or access other apps. +- Students can't share, print, or record their screens. +- Students can’t copy or paste. +- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features. +- Cortana is turned off. + +> **Tip!** +> To exit **Take a Test**, press Ctrl+Alt+Delete. + +**Take a Test** is included in version 1607 of Windows 10 Pro, Pro Education, Education and Enterprise. + +## How you use Take a Test + +![Use test account or test url in Take a Test](images/take-a-test-flow.png) + +- **Use a test URL and a [dedicated testing account](#set-up-a-dedicated-test-account)** - A user signs in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. +- **[Put a test URL with an included prefix](#provide-link-to-test) on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. 
We recommend this method for lower stakes assessments. + +## Set up a dedicated test account + + + + + + +1. Sign into the device with an administrator account. +2. Go to **Settings** > **Accounts** > **Work or school access** > **Set up an account for taking tests**. +3. Select an existing account to use as the dedicated testing account. + >**Note**: If you don't have an account on the device, you can create a new account. To do this, go to **Settings** > **Accounts** > **Other Users** > **Add someone else to this PC** > **I don’t have this person’s sign-in information** > **Add a user without a Microsoft account**. +4. Specify an assessment URL. + +5. Click **Save**. + +6. To take the test, the student signs in to the selected account. + + + + +## Provide link to test + +Anything hosted on the web can be presented in a locked down manner, not just assessments. To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments. + +1. Create a link to the test URL. Use **ms-edu-secureassessment:** before the URL and **!enforceLockdown** after the URL. +``` +ms-edu-secureassessment:!enforceLockdown + ``` + +2. Distribute the link. You can use the web, email, OneNote, or any other method of your choosing. +3. To take the test, the student clicks on the link and provides user consent. + + +## Related topics +[Take tests in Windows 10](take-tests-in-windows-10.md) + +[Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) + +[Take a Test app technical reference](take-a-test-app-technical.md) + + + + + + diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md new file mode 100644 index 0000000000..bfac8bcc33 --- /dev/null +++ b/education/windows/take-tests-in-windows-10.md 
@@ -0,0 +1,51 @@ +--- +title: Take tests in Windows 10 +description: Learn how to set up and use the Take a Test app. +keywords: shared cart, shared PC, school +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +author: jdeckerMS +--- + +# Take tests in Windows 10 (Preview) +**Applies to:** + +- Windows 10 Insider Preview + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: + +- **Take a Test** shows just the test and nothing else. +- Students aren’t able to go to other websites. +- Students can’t open or access other apps. +- Students can't share, print, or record their screens. +- Students can’t copy or paste. +- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features. +- Cortana is turned off. + + +**Take a Test** is included in version 1607 of Windows 10 Pro, Pro Education, Education and Enterprise. + +## How you use Take a Test + +![Use test account or test url in Take a Test](images/take-a-test-flow.png) + +- **Use a test URL and a dedicated testing account** - A user signs in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. +- **Put a test URL with an included prefix on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. 
We recommend this method for lower stakes assessments. + +[Learn how to set up Take a Test on a single PC](take-a-test-single-pc.md) + +[Learn how to set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) + + + +## Related topics + +[Take a Test app technical reference](take-a-test-app-technical.md) + + + diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md new file mode 100644 index 0000000000..c9c386545b --- /dev/null +++ b/education/windows/teacher-get-minecraft.md 
@@ -0,0 +1,159 @@ +--- +title: For teachers get Minecraft Education Edition +description: Learn how teachers can get and distribute Minecraft. +keywords: ["school"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# For teachers: get Minecraft Education Edition + +**Applies to:** + +- Windows 10 + +Learn how teachers can get and distribute Minecraft: Education Edition. + +## Add Minecraft to your Windows Store for Business + +1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **Get the app**. + + ![Click Get the app](images/teacher-get-app.png) + +2. Enter your email address. + + ![Enter school email address](images/enter-email.png) + +3. Select **Get the app**. This will take you to the Windows Store for Business to download the app. You will also receive an email with instructions and a link to the Store. + + ![You can get the app now](images/get-the-app.png) + +4. Sign in to Windows Store for Business with your email address. + +5. Read and accept the Windows Store for Business Service Agreement, and then select **Next**. + +6. **Minecraft Education Edition** opens in the Windows Store for Business. Select **Get the app**. This places **Minecraft Education Edition** in your Store inventory. + + ![Get Minecraft app in Store](images/minecraft-get-the-app.png) + +## Distribute Minecraft + +After Minecraft Education Edition is added to your Windows Store for Business, you have three options: + +- You can install the app on your PC. +- You can assign the app to others. +- You can download the app to distribute. + +![App distribution options](images/mc-install-for-me-teacher.png) + +### Install for me +You can install the app on your PC. This gives you a chance to work with the app before using it with your students. + +1. Sign in to Windows Store for Business. +2. Click **Manage**, and then click **Install for me**. 
+ + ![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png) + +3. Click **Install**. + +### Assign to others +Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more tech-savvy students who will always use the same PC at school. + +**To assign to others** +1. Sign in to Windows Store for Business. +2. Click **Manage**. + + ![Minecraft Education Edition product page](images/mc-assign-to-others-teacher.png) + +3. Click **Assign to people**. + + ![Assign to people](images/minecraft-assign-to-people.png) + +4. Type the name, or email address of the student you want to assign the app to, and then click **Assign**. + + You can only assign the app to students with work or school accounts. If you don't find the student, contact your IT admin to add a work or school account for the student. + + ![Assign to people showing student name](images/minecraft-assign-to-people-name.png) + +**To finish Minecraft install (for students)** + +Students will receive an email with a link that will install the app on their PC. + +![Email with Get the app link](images/minecraft-student-install-email.png) + +1. Click **Get the app** to start the app install in Windows Store app. +2. In Windows Store app, click **Install**. + + ![Windows Store app with Minecraft page](images/minecraft-in-windows-store-app.png) + + After installing the app, students can find Minecraft: Education Edition in Windows Store app under **My Library**. + + ![Windows Store app showing access to My Library](images/minecraft-private-store.png) + + When students click **My Libarary** they'll find apps assigned to them. + + ![My Library for example student](images/minecraft-my-library.png) + +### Download for others +Download for others allows teachers or IT admins to download a packages that they can install on student PCs. 
This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for younger students, and for shared computers. Choose this option when: +- You have administrative permissions to install apps on the PC. +- You want to install this app on each of your student's Windows 10 (at least version 1511) PCs. +- Your students share Windows 10 computers, but sign in with their own Windows account. + +#### Requirements +- Administrative permissions are required on the PC. If you don't have the correct permissions, you won't be able to install the app. +- Windows 10 (at least version 1511) is required for PCs running Minecraft: Education Edition. + +#### Check for updates +Minecraft: Education Edition will not install if there are updates pending for other apps on the PC. Before installing Minecraft, check to see if there are pending updates for Windows Store apps. + +**To check for app updates** +1. Start Windows Store app on the PC (click **Start**, and type **Store**). +2. Click the account button, and then click **Downloads and updates**. + + ![Windows Store app showing access to My Library](images/minecraft-private-store.png) + +3. Click **Check for updates**, and install all available updates. + + ![Windows Store app showing access to My Library](images/mc-check-for-updates.png) + +4. Restart the computer before installing Minecraft: Education Edition. + +#### To download for others +You'll download a .zip file, extract the files, and then use one of the files to install Minecraft: Education Edition on each PC. + +1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**. + + ![Windows Store app showing access to My Library](images/mc-dnld-others-teacher.png) + + +2. **Extract files**. Find the .zip file that you downloaded and extract the files. 
This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**. +3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC. +4. **Install app**. Use the USB drive to copy the Minecraft folder to each Windows 10 PC where you want to install Minecraft: Education Edition. Open Minecraft: Education Edition folder, right-click **InstallMinecraftEducationEdition.bat** and click **Run as administrator**. +5. **Quick check**. The install program checks the PC to make sure it can run Minecraft: Education Edition. If your PC passes this test, the app will automatically install. +6. **Restart**. Once installation is complete, restart each PC. Minecraft: Education Edition app is now ready for any student to use. + +#### Troubleshoot + +If you ran **InstallMinecraftEducationEdition.bat** and Minecraft: Education Edition isn't available, there are a few things that might have happened. + +| Problem | Possible cause | Solution | +|---------|----------------|----------| +| Script ran, but it doesn't look like the app installed. | There might be pending app updates. | Check for app updates (see steps earlier in this topic).
Install updates.
Restart PC.
Run **InstallMinecraftEducationEdition.bat** again. | +| App won't install. | AppLocker is configured and preventing app installs. | Contact IT Admin. | +| App won't install. | Policy prevents users from installing apps on the PC. | Contact IT Admin. | +| Script starts, but stops quickly. | Policy prevents scripts from running on the PC. | Contact IT Admin. | +| App isn't available for other users. | No restart after install. If you don't restart the PC, and just switch users the app will not be available.| Restart PC.
Run **InstallMinecraftEducationEdition.bat** again.
If a restart doesn't work, contact your IT Admin. | + + +If you are still having trouble installing the app, you can get more help on our [Support page](http://go.microsoft.com/fwlink/?LinkID=799757). + +## Related topics + +[Get Minecraft Education Edition](get-minecraft-for-education.md) + +[For IT admins: get Minecraft Education Edition](school-get-minecraft.md) + + diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md new file mode 100644 index 0000000000..97f0a04fcb --- /dev/null +++ b/education/windows/use-set-up-school-pcs-app.md 
@@ -0,0 +1,143 @@ +--- +title: Use Set up School PCs app +description: Learn how the Set up School PCs app works and how to use it. +keywords: shared cart, shared PC, school +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +author: jdeckerMS +--- + +# Use the Set up School PCs app (Preview) +**Applies to:** + +- Windows 10 Insider Preview + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +Teachers and IT administrators can use the **Set up School PCs** app to quickly set up computers for students. A computer set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. + +![Run app, turn on PC, insert USB key](images/app1.jpg) + +## What does this app do? + +The Set up School PCs app helps you set up new computers running Windows 10, version 1607. Some benefits of using this app to set up your students' PCs: +* A computer set up this way is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. + * Places tiles for OneNote, Office 365 web apps, Sway, and Microsoft Classroom on the Start menu + * Installs OneDrive for cloud-based documents and places it on the Start menu and taskbar + * Sets Microsoft Edge as the default browser + * Uninstalls apps not specific to education, such as Solitaire and Sports + * Turns off Offers and tips + * Prevents students from adding personal Microsoft accounts to the computer +* Significantly improves how fast students sign-in. +* The app connects the PCs to your school’s cloud so IT can manage them (optional). +* Windows 10 automatically manages accounts no matter how many students use the PC. 
+* Keeps computers up-to-date without interfering with class time using Windows Update and maintenance hours (by default, 12 AM). +* Customizes the sign-in screen to support students with IDs and temporary users. +* Locks down the computer to prevent mischievous activity: + * Prevents students from installing apps + * Prevents students from removing the computer from the school's device management system + * Prevents students from removing the Set up School PCs settings + + +## Tips for success + +* **Run the app at work**: For the best results, run the **Set up School PCs** app on your work device connected to your school's network. That way the app can gather accurate information about your wireless networks and cloud subscriptions. + > **Note**: Don't use **Set up Schools PCs** app for PCs that must connect to enterprise networks or to open wi-fi networks that require the user to accept Terms of Use. +* **Apply to new computers**: The setup file that the **Set up School PCs** app creates should be used on new computers that haven't been set up for accounts yet. If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost. +> **Warning**: Only use the setup file on computers that you want to configure and lock down for students. After you apply the setup file to a computer, the computer must be reset to remove the settings. +* **Turn on student PCs and stay on first screen**: The computer must be on this screen when you insert the USB key. + +![The first screen to set up a new PC](images/oobe.jpg) + +If you have gone past this screen, you may have to reset your PC to start over. To reset your PC after you have completed the first run experience, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. +* **Use more than one USB key**: If you are setting up multiple PCs, you can set them up at the same time. 
Just run the **Set up School PCs** app again and save the same settings to another key. That way you can run set up on more than one PC at once. Create three keys and you can run it on three PCs at once, etc. +* **Start fresh**: If the PC has already been set up and you want to return to the first-run-experience to apply a new package, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. +* **Keep it clean**: We strongly recommend that IT avoid changes to policies unless absolutely necessary, as any changes can impair performance and sign-in time. Get more information at [Set up School PCs app technical reference](set-up-school-pcs-technical.md). + +## Set up School PCs app step-by-step + +What you need: + +- The **Set up School PCs** app, installed on your work computer, connected to your school's network +- A USB drive, 1 GB or larger + +### Create the setup file in the app + +The **Set up School PCs** app guides you through the configuration choices for the student PCs. + +1. Open the **Set up School PCs** app and select **Start**. + + ![select start](images/app1.jpg) + +2. Choose **No** to require students to sign in only with an account, or choose **Yes** to allow students to use the PC without an account too, and then select **Next**. + + ![account required?](images/setup-app-1-access.png) + +3. Choose a Wi-Fi network from the list and then select **Next**, or choose **Manually connect to a wireless network** to enter the network information yourself. + + ![choose network](images/setup-app-1-wifi.png) + + - For a manual network connection, enter the network name, security type, and password (if required), and then select **Next**. + + ![enter network information](images/setup-app-1-wifi-manual.png) + +4. Insert a USB drive, select it in the app, and then select **Save**. 
+ + ![select usb drive](images/setup-app-1-usb.png) + + + +### Apply the setup file to PCs + +The setup file on your USB drive is named `SetupSchoolPCs.ppkg`, which is a provisioning package. A provisioning package is a method for applying settings to Windows 10. When Windows 10 refers to *package*, it means your setup file, and when it refers to *provisioning*, it means applying the setup file to the computer. + +1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. + + ![The first screen to set up a new PC](images/oobe.jpg) + +2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. + + ![Set up device?](images/setupmsg.jpg) + +3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. + + ![Provision this device](images/prov.jpg) + +4. Select `SetupSchoolPCs.ppkg` and tap **Next**. + + ![Choose a package](images/choose-package.png) + +5. Select **Yes, add it**. + + ![Do you trust this package?](images/trust-package.png) + +6. Read and accept the Microsoft Software License Terms. + + ![Sign in](images/license-terms.png) + +7. Select **Use Express settings**. + + ![Get going fast](images/express-settings.png) + +8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**. + + ![Who owns this PC?](images/who-owns-pc.png) + +9. On the **Choose how you'll connect** screen, select **Join Azure AD** and tap **Next**. + + ![Connect to Azure AD](images/connect-aad.png) + +10. Your last step is to sign in. Use your Azure AD or Office 365 account and password. When you see the progress ring, you can remove the USB drive. + + ![Sign in](images/sign-in-prov.png) + + +That's it! 
Sign out and the computer is now ready for students. + +## Learn more + +See [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md) for prerequisites and provisioning details. + diff --git a/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md b/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md index d2f8d804fb..81b493e1d2 100644 --- a/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md +++ b/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md @@ -695,6 +695,7 @@ Also… - The UE-V Windows PowerShell feature of the UE-V Agent requires .NET Framework 4 or higher and Windows PowerShell 3.0 or higher to be enabled. Download Windows PowerShell 3.0 [here](http://go.microsoft.com/fwlink/?LinkId=309609). - Install .NET Framework 4 or .NET Framework 4.5 on computers that run the Windows 7 or the Windows Server 2008 R2 operating system. The Windows 8, Windows 8.1, and Windows Server 2012 operating systems come with .NET Framework 4.5 installed. The Windows 10 operating system comes with .NET Framework 4.6 installed. +- The “Delete Roaming Cache” policy for Mandatory profiles is not supported with UE-V and should not be used.   diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md index 86ea7532e1..ff58491fd1 100644 --- a/windows/deploy/TOC.md +++ b/windows/deploy/TOC.md @@ -1,5 +1,4 @@ # [Deploy Windows 10](index.md) -## [Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) ## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) ## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) ### [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) 
@@ -35,9 +34,11 @@ ### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) ## [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) ## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) +## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) ## [Windows 10 edition upgrade](windows-10-edition-upgrades.md) ## [Deploy Windows To Go in your organization](deploy-windows-to-go.md) ## [Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) +## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) ## [Sideload apps in Windows 10](sideload-apps-in-windows-10.md) ## [Volume Activation [client]](volume-activation-windows-10.md) ### [Plan for volume activation [client]](plan-for-volume-activation-client.md) @@ -133,4 +134,4 @@ ###### [Recognized Environment Variables](usmt-recognized-environment-variables.md) ###### [XML Elements Library](usmt-xml-elements-library.md) ##### [Offline Migration Reference](offline-migration-reference.md) - +## [Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) \ No newline at end of file diff --git a/windows/deploy/activate-forest-by-proxy-vamt.md b/windows/deploy/activate-forest-by-proxy-vamt.md index f178e14406..1e852d5221 100644 --- a/windows/deploy/activate-forest-by-proxy-vamt.md +++ b/windows/deploy/activate-forest-by-proxy-vamt.md @@ -2,7 +2,7 @@ title: Activate by Proxy an Active Directory Forest (Windows 10) description: Activate by Proxy an Active Directory Forest ms.assetid: 6475fc87-a6f7-4fa8-b0aa-de19f2dea7e5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation 
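Review bot: In the third windows/deploy/TOC.md hunk (`@@ -133,4 +134,4 @@`), the relocated `## [Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md)` entry is followed by `\ No newline at end of file`; end the file with a newline so the next append does not produce a noisy diff. Moving the change-history entry from the top of the TOC to the bottom is otherwise consistent with the other TOC files in this commit.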
diff --git a/windows/deploy/activate-forest-vamt.md b/windows/deploy/activate-forest-vamt.md index 267e03be9c..082bac639c 100644 --- a/windows/deploy/activate-forest-vamt.md +++ b/windows/deploy/activate-forest-vamt.md @@ -2,7 +2,7 @@ title: Activate an Active Directory Forest Online (Windows 10) description: Activate an Active Directory Forest Online ms.assetid: 9b5bc193-799b-4aa5-9d3e-0e495f7195d3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/activate-using-active-directory-based-activation-client.md b/windows/deploy/activate-using-active-directory-based-activation-client.md index 15ae96825a..dbf9a5a617 100644 --- a/windows/deploy/activate-using-active-directory-based-activation-client.md +++ b/windows/deploy/activate-using-active-directory-based-activation-client.md @@ -3,11 +3,11 @@ title: Activate using Active Directory-based activation (Windows 10) description: Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. ms.assetid: 08cce6b7-7b5b-42cf-b100-66c363a846af keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: CFaw +author: greg-lindsay --- # Activate using Active Directory-based activation diff --git a/windows/deploy/activate-using-key-management-service-vamt.md b/windows/deploy/activate-using-key-management-service-vamt.md index 4c5d735436..9681860156 100644 --- a/windows/deploy/activate-using-key-management-service-vamt.md +++ b/windows/deploy/activate-using-key-management-service-vamt.md @@ -3,7 +3,7 @@ title: Activate using Key Management Service (Windows 10) ms.assetid: f2417bfe-7d25-4e82-bc07-de316caa8dac description: keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation 
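Review bot: In the activate-using-key-management-service-vamt.md hunk, the unchanged context line `description:` is empty; since the front matter of this file is being edited anyway (`ms.prod: W10` to `ms.prod: w10`), fill in the description so the topic gets a proper summary in search and TOC tooling. The same empty `description:` appears in the appendix-information-sent-to-microsoft-during-activation-client.md hunk further down and should be filled in there too.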
diff --git a/windows/deploy/activate-windows-10-clients-vamt.md b/windows/deploy/activate-windows-10-clients-vamt.md index 91b743947e..2d77f355dc 100644 --- a/windows/deploy/activate-windows-10-clients-vamt.md +++ b/windows/deploy/activate-windows-10-clients-vamt.md @@ -3,7 +3,7 @@ title: Activate clients running Windows 10 (Windows 10) description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. ms.assetid: 39446e49-ad7c-48dc-9f18-f85a11ded643 keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/active-directory-based-activation-overview.md b/windows/deploy/active-directory-based-activation-overview.md index 7f47592aa7..9a64d7572a 100644 --- a/windows/deploy/active-directory-based-activation-overview.md +++ b/windows/deploy/active-directory-based-activation-overview.md @@ -2,11 +2,11 @@ title: Active Directory-Based Activation Overview (Windows 10) description: Active Directory-Based Activation Overview ms.assetid: c1dac3bd-6a86-4c45-83dd-421e63a398c0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: CFaw +author: greg-lindsay --- # Active Directory-Based Activation Overview diff --git a/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md index 13a328ea77..5a3eadbc33 100644 --- a/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md +++ b/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md 
@@ -2,8 +2,8 @@ title: Add a Windows 10 operating system image using Configuration Manager (Windows 10) description: Operating system images are typically the production image used for deployment throughout the organization. ms.assetid: 77f769cc-1a47-4f36-8082-201cd77b8d3b -keywords: ["image, deploy, distribute"] -ms.prod: W10 +keywords: image, deploy, distribute +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index 8e72718b82..de701986b4 100644 --- a/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md @@ -2,8 +2,8 @@ title: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager (Windows 10) description: In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c -keywords: ["deploy, task sequence"] -ms.prod: W10 +keywords: deploy, task sequence +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/add-manage-products-vamt.md b/windows/deploy/add-manage-products-vamt.md index 6bbbfaf218..88d5145472 100644 --- a/windows/deploy/add-manage-products-vamt.md +++ b/windows/deploy/add-manage-products-vamt.md @@ -2,7 +2,7 @@ title: Add and Manage Products (Windows 10) description: Add and Manage Products ms.assetid: a48fbc23-917d-40f7-985c-e49702c05e51 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation 
diff --git a/windows/deploy/add-remove-computers-vamt.md b/windows/deploy/add-remove-computers-vamt.md index eae34332f2..2ad22c3d7f 100644 --- a/windows/deploy/add-remove-computers-vamt.md +++ b/windows/deploy/add-remove-computers-vamt.md @@ -2,7 +2,7 @@ title: Add and Remove Computers (Windows 10) description: Add and Remove Computers ms.assetid: cb6f3a78-ece0-4dc7-b086-cb003d82cd52 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS diff --git a/windows/deploy/add-remove-product-key-vamt.md b/windows/deploy/add-remove-product-key-vamt.md index 5776806c20..d659ae2507 100644 --- a/windows/deploy/add-remove-product-key-vamt.md +++ b/windows/deploy/add-remove-product-key-vamt.md @@ -2,7 +2,7 @@ title: Add and Remove a Product Key (Windows 10) description: Add and Remove a Product Key ms.assetid: feac32bb-fb96-4802-81b8-c69220dcfcce -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md index 8a21466ddb..39133a9d8c 100644 --- a/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md @@ -3,7 +3,7 @@ title: Appendix Information sent to Microsoft during activation (Windows 10) ms.assetid: 4bfff495-07d0-4385-86e3-7a077cbd64b8 description: keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/assign-applications-using-roles-in-mdt-2013.md b/windows/deploy/assign-applications-using-roles-in-mdt-2013.md index dab995bb1e..1319888616 100644 --- a/windows/deploy/assign-applications-using-roles-in-mdt-2013.md +++ b/windows/deploy/assign-applications-using-roles-in-mdt-2013.md 
@@ -3,7 +3,7 @@ title: Assign applications using roles in MDT (Windows 10) description: This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer. ms.assetid: d82902e4-de9c-4bc4-afe0-41d649b83ce7 keywords: settings, database, deploy -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md index 32a354ad0e..f015c71c1f 100644 --- a/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md @@ -3,7 +3,7 @@ title: Build a distributed environment for Windows 10 deployment (Windows 10) description: In this topic, you will learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations. ms.assetid: a6cd5657-6a16-4fff-bfb4-44760902d00c keywords: replication, replicate, deploy, configure, remote -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md index 3ca65edd17..ce380b474a 100644 --- a/windows/deploy/change-history-for-deploy-windows-10.md +++ b/windows/deploy/change-history-for-deploy-windows-10.md 
@@ -2,15 +2,26 @@ title: Change history for Deploy Windows 10 (Windows 10) description: This topic lists new and updated topics in the Deploy Windows 10 documentation for Windows 10 and Windows 10 Mobile. ms.assetid: 19C50373-6B25-4F5C-A6EF-643D36904349 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Change history for Deploy Windows 10 This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## June 2016 +| New or changed topic | Description | +|----------------------|-------------| +| [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) | New | +| [User State Migration Tool Technical Reference](usmt-technical-reference.md) | Updated | + +## May 2016 +| New or changed topic | Description | +|----------------------|-------------| +| [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) | New | + ## December 2015 | New or changed topic | Description | |----------------------|-------------| diff --git a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md new file mode 100644 index 0000000000..463da5964f --- /dev/null +++ b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md 
@@ -0,0 +1,168 @@ +--- +title: Configure a PXE server to load Windows PE (Windows 10) +description: This topic describes how to configure a PXE server to load Windows PE so that it can be used with an image file to install Windows 10 from the network. +keywords: upgrade, update, windows, windows 10, pxe, WinPE, image, wim +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +--- + +# Configure a PXE server to load Windows PE + +**Applies to** + +- Windows 10 + +## Summary + +This walkthrough describes how to configure a PXE server to load Windows PE by booting a client computer from the network. Using the Windows PE tools and a Windows 10 image file, you can install Windows 10 from the network. + +## Prerequisites + +- A deployment computer: A computer with the [Windows Assessment and Deployment Kit](http://go.microsoft.com/fwlink/p/?LinkId=526740) (Windows ADK) installed. +- A DHCP server: A DHCP server or DHCP proxy configured to respond to PXE client requests is required. +- A PXE server: A server running the TFTP service that can host Windows PE boot files that the client will download. +- A file server: A server hosting a network file share. + +All four of the roles specified above can be hosted on the same computer or each can be on a separate computer. + +## Step 1: Copy Windows PE source files + +1. On the deployment computer, click **Start**, and type **deployment**. + +2. Right-click **Deployment and Imaging Tools Environment** and then click **Run as administrator**. The Deployment and Imaging Tools Environment shortcut opens a Command Prompt window and automatically sets environment variables to point to all the necessary tools. + +3. Run the following command to copy the base Windows PE files into a new folder. The script requires two arguments: hardware architecture and destination location. 
The value of **<architecture>** can be **x86**, **amd64**, or **arm** and **<destination>** is a path to a local directory. If the directory does not already exist, it will be created. + + ``` + copype.cmd + ``` + + For example, the following command copies **amd64** architecture files to the **C:\winpe_amd64** directory: + + ``` + copype.cmd amd64 C:\winpe_amd64 + ``` + + The script creates the destination directory structure and copies all the necessary files for that architecture. In the previous example, the following directories are created: + + ``` + C:\winpe_amd64 + C:\winpe_amd64\fwfiles + C:\winpe_amd64\media + C:\winpe_amd64\mount + ``` +4. Mount the base Windows PE image (winpe.wim) to the \mount directory using the DISM tool. Mounting an image file unpacks the file contents into a folder so that you can make changes directly or by using tools such as DISM. See the following example. + + ``` + Dism /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount + ``` +5. Map a network share to the root TFTP directory on the PXE/TFTP server and create a \Boot folder. Consult your TFTP server documentation to determine the root TFTP server directory, then enable sharing for this directory, and verify it can be accessed on the network. In the following example, the PXE server name is PXE-1 and the TFTP root directory is shared using a network path of **\\\PXE-1\TFTPRoot**: + + ``` + net use y: \\PXE-1\TFTPRoot + y: + md boot + ``` +6. Copy the PXE boot files from the mounted directory to the \Boot folder. For example: + + ``` + copy c:\winpe_amd64\mount\windows\boot\pxe\*.* y:\boot + ``` +7. Copy the boot.sdi file to the PXE/TFTP server. + + ``` + copy C:\winpe_amd64\media\boot\boot.sdi y:\boot + ``` +8. Copy the bootable Windows PE image (boot.wim) to the \Boot folder. + + ``` + copy C:\winpe_amd64\media\sources\boot.wim y:\boot + ``` + +## Step 2: Configure boot settings and copy the BCD file + +1. 
Create a BCD store using bcdedit.exe: + + ``` + bcdedit /createstore c:\BCD + ``` +2. Configure RAMDISK settings: + + ``` + bcdedit /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options" + bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdidevice partition=C: + bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \winpe_amd64\media\boot\boot.sdi + ``` +3. Create a new boot application entry for the Windows PE image: + + ``` + bcdedit /store c:\BCD /set {GUID1} device ramdisk=[c:]\winpe_amd64\media\sources\boot.wim,{ramdiskoptions} + bcdedit /store c:\BCD /set {GUID1} path \windows\system32\winload.exe + bcdedit /store c:\BCD /set {GUID1} osdevice ramdisk=[c:]\winpe_amd64\media\sources\boot.wim,{ramdiskoptions} + bcdedit /store c:\BCD /set {GUID1} systemroot \windows + bcdedit /store c:\BCD /set {GUID1} detecthal Yes + bcdedit /store c:\BCD /set {GUID1} winpe Yes + ``` +4. Configure BOOTMGR settings: + + ``` + bcdedit /store c:\BCD /set {bootmgr} timeout 30 + bcdedit /store c:\BCD -displayorder {GUID1} -addlast + ``` +5. Copy the BCD file to your TFTP server: + + ``` + copy c:\BCD \\PXE-1\TFTPRoot\Boot + ``` + +Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command bcdedit /store <BCD file location> /enum all. See the following example. Note: Your GUID will be different than the one shown below. 
+ +``` +C:\>bcdedit /store C:\BCD /enum all +Windows Boot Manager +-------------------- +identifier {bootmgr} +description boot manager +displayorder {a4f89c62-2142-11e6-80b6-00155da04110} +timeout 30 + +Windows Boot Loader +------------------- +identifier {a4f89c62-2142-11e6-80b6-00155da04110} +device ramdisk=[boot]\boot\boot.wim,{ramdiskoptions} +description winpe boot image +osdevice ramdisk=[boot]\boot\boot.wim,{ramdiskoptions} +systemroot \Windows +detecthal Yes +winpe Yes + +Setup Ramdisk Options +--------------------- +identifier {ramdiskoptions} +description ramdisk options +ramdisksdidevice boot +ramdisksdipath \boot\boot.sdi +``` + +## PXE boot process summary + +The following summarizes the PXE client boot process. + +1. A client is directed by DHCP options 066 and 067 to download boot\\wdsnbp.com from the TFTP server. +2. Wdsnbp.com validates the DHCP/PXE response packet and then the client downloads boot\\pxeboot.com. +3. Pxeboot.com requires the client to press the F12 key to initiate a PXE boot. +4. The client downloads boot\\bootmgr.exe and the boot\\BCD file from the TFTP server. Note: The BCD store must reside in the \\boot directory on the TFTP server and must be named BCD. +5. Bootmgr.exe reads the BCD operating system entries and downloads boot\\boot.sdi and the Windows PE image (boot\\boot.wim). Optional files that can also be downloaded include true type fonts (boot\\Fonts\\wgl4\_boot.ttf) and the hibernation state file (\\hiberfil.sys) if these files are present. +6. Bootmgr.exe starts Windows PE by calling winload.exe within the Windows PE image. +7. Windows PE loads, a command prompt opens and wpeinit.exe is run to initialize Windows PE. +8. The Windows PE client provides access to tools like imagex, diskpart, and bcdboot using the Windows PE command prompt. Using these tools together with a Windows 10 image file, the destination computer can be formatted properly to load a full Windows 10 operating system. 
+ +See Also +--------- + +#### Concepts + +[Windows PE Walkthroughs](https://technet.microsoft.com/en-us/library/cc748899.aspx) \ No newline at end of file diff --git a/windows/deploy/configure-client-computers-vamt.md b/windows/deploy/configure-client-computers-vamt.md index b3618bac74..704c8d01f9 100644 --- a/windows/deploy/configure-client-computers-vamt.md +++ b/windows/deploy/configure-client-computers-vamt.md @@ -2,7 +2,7 @@ title: Configure Client Computers (Windows 10) description: Configure Client Computers ms.assetid: a48176c9-b05c-4dd5-a9ef-83073e2370fc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/configure-mdt-2013-for-userexit-scripts.md b/windows/deploy/configure-mdt-2013-for-userexit-scripts.md index 590f112414..a94bee6b7b 100644 --- a/windows/deploy/configure-mdt-2013-for-userexit-scripts.md +++ b/windows/deploy/configure-mdt-2013-for-userexit-scripts.md @@ -3,7 +3,7 @@ title: Configure MDT for UserExit scripts (Windows 10) description: In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. ms.assetid: 29a421d1-12d2-414e-86dc-25b62f5238a7 keywords: rules, script -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/configure-mdt-2013-settings.md b/windows/deploy/configure-mdt-2013-settings.md index af41a8a1bb..ba84efd5c1 100644 --- a/windows/deploy/configure-mdt-2013-settings.md +++ b/windows/deploy/configure-mdt-2013-settings.md 
@@ -3,7 +3,7 @@ title: Configure MDT settings (Windows 10) description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) 2013 is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122 keywords: customize, customization, deploy, features, tools -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/configure-mdt-deployment-share-rules.md b/windows/deploy/configure-mdt-deployment-share-rules.md index 908f92144b..5eeadbbfd6 100644 --- a/windows/deploy/configure-mdt-deployment-share-rules.md +++ b/windows/deploy/configure-mdt-deployment-share-rules.md @@ -3,7 +3,7 @@ title: Configure MDT deployment share rules (Windows 10) description: In this topic, you will learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. ms.assetid: b5ce2360-33cc-4b14-b291-16f75797391b keywords: rules, configuration, automate, deploy -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index 049c3e93c2..a5cbfb7886 100644 --- a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md 
@@ -2,8 +2,8 @@ title: Create a custom Windows PE boot image with Configuration Manager (Windows 10) description: In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809 -keywords: ["tool, customize, deploy, boot image"] -ms.prod: W10 +keywords: tool, customize, deploy, boot image +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md index 03c856a7dc..0838ebde59 100644 --- a/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md +++ b/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md @@ -2,9 +2,10 @@ title: Create a task sequence with Configuration Manager and MDT (Windows 10) description: In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98 -keywords: ["deploy, upgrade, task sequence, install"] -ms.prod: W10 +keywords: deploy, upgrade, task sequence, install +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: mdt ms.sitesec: library author: mtniehaus --- diff --git a/windows/deploy/create-a-windows-10-reference-image.md b/windows/deploy/create-a-windows-10-reference-image.md index f81f4eac9a..50ec7f2fcf 100644 --- a/windows/deploy/create-a-windows-10-reference-image.md +++ b/windows/deploy/create-a-windows-10-reference-image.md 
@@ -3,7 +3,7 @@ title: Create a Windows 10 reference image (Windows 10) description: Creating a reference image is important because that image serves as the foundation for the devices in your organization. ms.assetid: 9da2fb57-f2ff-4fce-a858-4ae4c237b5aa keywords: deploy, deployment, configure, customize, install, installation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index c47ac7bc38..5dbd28f0c8 100644 --- a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -2,8 +2,8 @@ title: Create an application to deploy with Windows 10 using Configuration Manager (Windows 10) description: Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process. ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c -keywords: ["deployment, task sequence, custom, customize"] -ms.prod: W10 +keywords: deployment, task sequence, custom, customize +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/deploy-a-windows-10-image-using-mdt.md b/windows/deploy/deploy-a-windows-10-image-using-mdt.md index 23176dbd84..7f92cbc0d8 100644 --- a/windows/deploy/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deploy/deploy-a-windows-10-image-using-mdt.md 
@@ -2,8 +2,8 @@ title: Deploy a Windows 10 image using MDT 2013 Update 2 (Windows 10) description: This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. ms.assetid: 1d70a3d8-1b1d-4051-b656-c0393a93f83c -keywords: [eployment, automate, tools, configure -ms.prod: W10 +keywords: deployment, automate, tools, configure +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md index 0cdf8e0509..2bc874cf8b 100644 --- a/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -2,8 +2,8 @@ title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10) description: In this topic, you will learn how to deploy Windows 10 using Microsoft System Center 2012 R2 Configuration Manager deployment packages and task sequences. ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa -keywords: ["deployment, image, UEFI, task sequence"] -ms.prod: W10 +keywords: deployment, image, UEFI, task sequence +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md index 32ee03ca6c..e3e558c24b 100644 --- a/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md +++ b/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md 
@@ -2,8 +2,8 @@ title: Deploy Windows 10 with System Center 2012 R2 Configuration Manager (Windows 10) description: If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363 -keywords: ["deployment, custom, boot"] -ms.prod: W10 +keywords: deployment, custom, boot +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md index 765f29c16d..93028930c5 100644 --- a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md @@ -3,7 +3,7 @@ title: Deploy Windows 10 with the Microsoft Deployment Toolkit (Windows 10) description: This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. ms.assetid: 837f009c-617e-4b3f-9028-2246067ee0fb keywords: deploy, tools, configure, script -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/deploy-windows-to-go.md b/windows/deploy/deploy-windows-to-go.md index 609ae81687..b4e13c5b8c 100644 --- a/windows/deploy/deploy-windows-to-go.md +++ b/windows/deploy/deploy-windows-to-go.md @@ -2,10 +2,11 @@ title: Deploy Windows To Go in your organization (Windows 10) description: This topic helps you to deploy Windows To Go in your organization. ms.assetid: cfe550be-ffbd-42d1-ab4d-80efae49b07f -keywords: ["deployment, USB, device, BitLocker, workspace, security, data"] -ms.prod: W10 +keywords: deployment, USB, device, BitLocker, workspace, security, data +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: mobility author: mtniehaus --- 
diff --git a/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md index 67136031be..2ed9de7378 100644 --- a/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md +++ b/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md @@ -2,8 +2,8 @@ title: Finalize the operating system configuration for Windows 10 deployment with Configuration Manager (Windows 10) description: This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enablement of the optional Microsoft Deployment Toolkit (MDT) monitoring for Microsoft System Center 2012 R2 Configuration Manager, logs folder creation, rules configuration, content distribution, and deployment of the previously created task sequence. ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e -keywords: ["configure, deploy, upgrade"] -ms.prod: W10 +keywords: configure, deploy, upgrade +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md index 57d9153cb2..85ad95c548 100644 --- a/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md +++ b/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md 
@@ -3,7 +3,7 @@ title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10) description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 in particular, as part of a Windows operating system deployment. ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee keywords: deploy, image, feature, install, tools -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/getting-started-with-the-user-state-migration-tool.md b/windows/deploy/getting-started-with-the-user-state-migration-tool.md index d83c01ec2d..8dae688326 100644 --- a/windows/deploy/getting-started-with-the-user-state-migration-tool.md +++ b/windows/deploy/getting-started-with-the-user-state-migration-tool.md @@ -2,10 +2,10 @@ title: Getting Started with the User State Migration Tool (USMT) (Windows 10) description: Getting Started with the User State Migration Tool (USMT) ms.assetid: 506ff1d2-94b8-4460-8672-56aad963504b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Getting Started with the User State Migration Tool (USMT) diff --git a/windows/deploy/import-export-vamt-data.md b/windows/deploy/import-export-vamt-data.md index aff3d6376f..d33f27e139 100644 --- a/windows/deploy/import-export-vamt-data.md +++ b/windows/deploy/import-export-vamt-data.md @@ -2,7 +2,7 @@ title: Import and Export VAMT Data (Windows 10) description: Import and Export VAMT Data ms.assetid: 09a2c595-1a61-4da6-bd46-4ba8763cfd4f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/index.md b/windows/deploy/index.md index a3b28ded45..c6b8e27ed1 100644 --- a/windows/deploy/index.md +++ b/windows/deploy/index.md 
@@ -2,10 +2,10 @@ title: Deploy Windows 10 (Windows 10) description: Learn about deploying Windows 10 for IT professionals. ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Deploy Windows 10 
@@ -21,9 +21,11 @@ Learn about deploying Windows 10 for IT professionals. |[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. | |[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. | |[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. | +|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | |[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. | |[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. 
Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. | |[Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) |Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. | +|[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. | |[Sideload apps in Windows 10](sideload-apps-in-windows-10.md) |Sideload line-of-business apps in Windows 10. | |[Volume Activation [client]](volume-activation-windows-10.md) |This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. | |[Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) |Learn about the tools available to deploy Windows 10. | diff --git a/windows/deploy/install-configure-vamt.md b/windows/deploy/install-configure-vamt.md index a660854f6f..49b3f8ec44 100644 --- a/windows/deploy/install-configure-vamt.md +++ b/windows/deploy/install-configure-vamt.md @@ -2,7 +2,7 @@ title: Install and Configure VAMT (Windows 10) description: Install and Configure VAMT ms.assetid: 5c7ae9b9-0dbc-4277-bc4f-8b3e4ab0bf50 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/install-kms-client-key-vamt.md b/windows/deploy/install-kms-client-key-vamt.md index f1e5cd2769..9605053d6a 100644 
--- a/windows/deploy/install-kms-client-key-vamt.md +++ b/windows/deploy/install-kms-client-key-vamt.md @@ -2,7 +2,7 @@ title: Install a KMS Client Key (Windows 10) description: Install a KMS Client Key ms.assetid: d234468e-7917-4cf5-b0a8-4968454f7759 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/install-product-key-vamt.md b/windows/deploy/install-product-key-vamt.md index a3f4a3760e..71817b7b80 100644 --- a/windows/deploy/install-product-key-vamt.md +++ b/windows/deploy/install-product-key-vamt.md @@ -2,7 +2,7 @@ title: Install a Product Key (Windows 10) description: Install a Product Key ms.assetid: 78812c87-2208-4f8b-9c2c-5a8a18b2d648 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/install-vamt.md b/windows/deploy/install-vamt.md index 02275fb993..07a9a72b5b 100644 --- a/windows/deploy/install-vamt.md +++ b/windows/deploy/install-vamt.md @@ -2,7 +2,7 @@ title: Install VAMT (Windows 10) description: Install VAMT ms.assetid: 2eabd3e2-0a68-43a5-8189-2947e46482fc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/integrate-configuration-manager-with-mdt-2013.md b/windows/deploy/integrate-configuration-manager-with-mdt-2013.md index 1ad2dbc2bd..4a30f0f74c 100644 --- a/windows/deploy/integrate-configuration-manager-with-mdt-2013.md +++ b/windows/deploy/integrate-configuration-manager-with-mdt-2013.md @@ -4,7 +4,7 @@ description: This topic will help you understand the benefits of integrating the ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5 ms.pagetype: mdt keywords: deploy, image, customize, task sequence -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/introduction-vamt.md b/windows/deploy/introduction-vamt.md index ee0060ad4e..3d51c0dd02 100644 
--- a/windows/deploy/introduction-vamt.md +++ b/windows/deploy/introduction-vamt.md @@ -2,7 +2,7 @@ title: Introduction to VAMT (Windows 10) description: Introduction to VAMT ms.assetid: 0439685e-0bae-4967-b0d4-dd84ca6d7fa7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/key-features-in-mdt-2013.md b/windows/deploy/key-features-in-mdt-2013.md index 7982bb6d03..03f562ac8e 100644 --- a/windows/deploy/key-features-in-mdt-2013.md +++ b/windows/deploy/key-features-in-mdt-2013.md @@ -3,7 +3,7 @@ title: Key features in MDT 2013 Update 2 (Windows 10) description: The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868 keywords: deploy, feature, tools, upgrade, migrate, provisioning -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/kms-activation-vamt.md b/windows/deploy/kms-activation-vamt.md index 4cd554a80b..beed3fb86f 100644 --- a/windows/deploy/kms-activation-vamt.md +++ b/windows/deploy/kms-activation-vamt.md @@ -2,7 +2,7 @@ title: Perform KMS Activation (Windows 10) description: Perform KMS Activation ms.assetid: 5a3ae8e6-083e-4153-837e-ab0a225c1d10 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/local-reactivation-vamt.md b/windows/deploy/local-reactivation-vamt.md index 2cd36eb80b..72b132e799 100644 --- a/windows/deploy/local-reactivation-vamt.md +++ b/windows/deploy/local-reactivation-vamt.md @@ -2,7 +2,7 @@ title: Perform Local Reactivation (Windows 10) description: Perform Local Reactivation ms.assetid: aacd5ded-da11-4d27-a866-3f57332f5dec -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation 
diff --git a/windows/deploy/manage-activations-vamt.md b/windows/deploy/manage-activations-vamt.md index 1f15048dea..effac81fd1 100644 --- a/windows/deploy/manage-activations-vamt.md +++ b/windows/deploy/manage-activations-vamt.md @@ -2,7 +2,7 @@ title: Manage Activations (Windows 10) description: Manage Activations ms.assetid: 53bad9ed-9430-4f64-a8de-80613870862c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/manage-product-keys-vamt.md b/windows/deploy/manage-product-keys-vamt.md index fffe5de77e..a495718fe7 100644 --- a/windows/deploy/manage-product-keys-vamt.md +++ b/windows/deploy/manage-product-keys-vamt.md @@ -2,7 +2,7 @@ title: Manage Product Keys (Windows 10) description: Manage Product Keys ms.assetid: 4c6c4216-b4b7-437c-904e-4cb257f913cd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/manage-vamt-data.md b/windows/deploy/manage-vamt-data.md index adbd4c4ec6..00bbd3982f 100644 --- a/windows/deploy/manage-vamt-data.md +++ b/windows/deploy/manage-vamt-data.md @@ -2,7 +2,7 @@ title: Manage VAMT Data (Windows 10) description: Manage VAMT Data ms.assetid: 233eefa4-3125-4965-a12d-297a67079dc4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/mdt-2013-lite-touch-components.md b/windows/deploy/mdt-2013-lite-touch-components.md index 6766bdc104..48f1a250ad 100644 --- a/windows/deploy/mdt-2013-lite-touch-components.md +++ b/windows/deploy/mdt-2013-lite-touch-components.md 
@@ -3,7 +3,7 @@ title: MDT 2013 Update 2 Lite Touch components (Windows 10) description: This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) 2013 Update 2 that support Lite Touch Installation (LTI) for Windows 10. ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089 keywords: deploy, install, deployment, boot, log, monitor -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/migrate-application-settings.md b/windows/deploy/migrate-application-settings.md index af79e440f7..6a8ffdc612 100644 --- a/windows/deploy/migrate-application-settings.md +++ b/windows/deploy/migrate-application-settings.md @@ -2,10 +2,10 @@ title: Migrate Application Settings (Windows 10) description: Migrate Application Settings ms.assetid: 28f70a83-0a3e-4a6b-968a-2b78ccd3cc07 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Migrate Application Settings diff --git a/windows/deploy/migration-store-types-overview.md b/windows/deploy/migration-store-types-overview.md index cf0c52812e..9ee233402b 100644 --- a/windows/deploy/migration-store-types-overview.md +++ b/windows/deploy/migration-store-types-overview.md @@ -2,10 +2,10 @@ title: Migration Store Types Overview (Windows 10) description: Migration Store Types Overview ms.assetid: 3b6ce746-76c6-43ff-8cd5-02ed0ae0cf70 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Migration Store Types Overview diff --git a/windows/deploy/monitor-activation-client.md b/windows/deploy/monitor-activation-client.md index 5a3050cb0b..26c8257cc3 100644 --- a/windows/deploy/monitor-activation-client.md +++ b/windows/deploy/monitor-activation-client.md 
@@ -3,11 +3,11 @@ title: Monitor activation (Windows 10) ms.assetid: 264a3e86-c880-4be4-8828-bf4c839dfa26 description: keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: CFaw +author: greg-lindsay --- # Monitor activation diff --git a/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md index 7802d20b05..12aae5a28c 100644 --- a/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md +++ b/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md @@ -2,8 +2,8 @@ title: Monitor the Windows 10 deployment with Configuration Manager (Windows 10) description: In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. ms.assetid: 4863c6aa-6369-4171-8e1a-b052ca195fce -keywords: ["deploy, upgrade"] -ms.prod: W10 +keywords: deploy, upgrade +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/offline-migration-reference.md b/windows/deploy/offline-migration-reference.md index 6ad60f1704..f54d3b4c7b 100644 --- a/windows/deploy/offline-migration-reference.md +++ b/windows/deploy/offline-migration-reference.md @@ -2,10 +2,10 @@ title: Offline Migration Reference (Windows 10) description: Offline Migration Reference ms.assetid: f347547c-d601-4c3e-8f2d-0138edeacfda -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Offline Migration Reference diff --git a/windows/deploy/online-activation-vamt.md b/windows/deploy/online-activation-vamt.md index 5f537d3e20..65311aa3e8 100644 --- a/windows/deploy/online-activation-vamt.md +++ b/windows/deploy/online-activation-vamt.md 
@@ -2,7 +2,7 @@ title: Perform Online Activation (Windows 10) description: Perform Online Activation ms.assetid: 8381792b-a454-4e66-9b4c-e6e4c9303823 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/plan-for-volume-activation-client.md b/windows/deploy/plan-for-volume-activation-client.md index 3247677c72..d5ed360f3e 100644 --- a/windows/deploy/plan-for-volume-activation-client.md +++ b/windows/deploy/plan-for-volume-activation-client.md @@ -3,7 +3,7 @@ title: Plan for volume activation (Windows 10) description: Product activation is the process of validating software with the manufacturer after it has been installed on a specific computer. ms.assetid: f84b005b-c362-4a70-a84e-4287c0d2e4ca keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md b/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md index a7b98b2ab3..8f2bbad1b9 100644 --- a/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md +++ b/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md @@ -3,7 +3,7 @@ title: Prepare for deployment with MDT 2013 Update 2 (Windows 10) description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT) 2013 Update 2. ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226 keywords: deploy, system requirements -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index d9735f4ee1..88a8cac968 100644 
--- a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md @@ -2,8 +2,8 @@ title: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager (Windows 10) description: This topic will walk you through the process of integrating Microsoft System Center 2012 R2 Configuration Manager SP1 with Microsoft Deployment Toolkit (MDT) 2013 Update 2, as well as the other preparations needed to deploying Windows 10 via Zero Touch Installation. Additional preparations include the installation of hotfixes as well as activities that speed up the Pre-Boot Execution Environment (PXE). ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08 -keywords: ["install, configure, deploy, deployment"] -ms.prod: W10 +keywords: install, configure, deploy, deployment +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/proxy-activation-vamt.md b/windows/deploy/proxy-activation-vamt.md index c848bcd8ab..ab273007b8 100644 --- a/windows/deploy/proxy-activation-vamt.md +++ b/windows/deploy/proxy-activation-vamt.md @@ -2,7 +2,7 @@ title: Perform Proxy Activation (Windows 10) description: Perform Proxy Activation ms.assetid: 35a919ed-f1cc-4d10-9c88-9bd634549dc3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md index 7d5143cf31..68b0a74563 100644 --- a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md 
@@ -2,8 +2,8 @@ title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10) description: This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7 -keywords: ["upgrade, install, installation, computer refresh"] -ms.prod: W10 +keywords: upgrade, install, installation, computer refresh +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md index 70dadf1711..f6ea4a2125 100644 --- a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md +++ b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md @@ -3,7 +3,7 @@ title: Refresh a Windows 7 computer with Windows 10 (Windows 10) description: This topic will show you how to use MDT 2013 Update 2 Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f keywords: reinstallation, customize, template, script, restore -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/remove-products-vamt.md b/windows/deploy/remove-products-vamt.md index 8dca272b68..da875ea27e 100644 --- a/windows/deploy/remove-products-vamt.md +++ b/windows/deploy/remove-products-vamt.md @@ -2,7 +2,7 @@ title: Remove Products (Windows 10) description: Remove Products ms.assetid: 4d44379e-dda1-4a8f-8ebf-395b6c0dad8e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation 
diff --git a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index 44bc003fca..b9f521531f 100644 --- a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -2,8 +2,8 @@ title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10) description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft System Center 2012 R2 Configuration Manager. ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36 -keywords: ["upgrade, install, installation, replace computer, setup"] -ms.prod: W10 +keywords: upgrade, install, installation, replace computer, setup +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md index bc78de5970..a862edf501 100644 --- a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md +++ b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md @@ -3,7 +3,7 @@ title: Replace a Windows 7 computer with a Windows 10 computer (Windows 10) description: A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10; however, because you are replacing a machine, you cannot store the backup on the old computer. ms.assetid: acf091c9-f8f4-4131-9845-625691c09a2a keywords: deploy, deployment, replace -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/scenario-kms-activation-vamt.md b/windows/deploy/scenario-kms-activation-vamt.md index a43796b90b..385af084f9 100644 --- a/windows/deploy/scenario-kms-activation-vamt.md 
+++ b/windows/deploy/scenario-kms-activation-vamt.md @@ -2,7 +2,7 @@ title: Scenario 3 KMS Client Activation (Windows 10) description: Scenario 3 KMS Client Activation ms.assetid: 72b04e8f-cd35-490c-91ab-27ea799b05d0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/scenario-online-activation-vamt.md b/windows/deploy/scenario-online-activation-vamt.md index 69d308ee9c..41dda833ac 100644 --- a/windows/deploy/scenario-online-activation-vamt.md +++ b/windows/deploy/scenario-online-activation-vamt.md @@ -2,7 +2,7 @@ title: Scenario 1 Online Activation (Windows 10) description: Scenario 1 Online Activation ms.assetid: 94dba40e-383a-41e4-b74b-9e884facdfd3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/scenario-proxy-activation-vamt.md b/windows/deploy/scenario-proxy-activation-vamt.md index 8666ae35c6..2e475d02b4 100644 --- a/windows/deploy/scenario-proxy-activation-vamt.md +++ b/windows/deploy/scenario-proxy-activation-vamt.md @@ -2,7 +2,7 @@ title: Scenario 2 Proxy Activation (Windows 10) description: Scenario 2 Proxy Activation ms.assetid: ed5a8a56-d9aa-4895-918f-dd1898cb2c1a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/set-up-mdt-2013-for-bitlocker.md b/windows/deploy/set-up-mdt-2013-for-bitlocker.md index 5af8715c60..7a76f8cdf7 100644 --- a/windows/deploy/set-up-mdt-2013-for-bitlocker.md +++ b/windows/deploy/set-up-mdt-2013-for-bitlocker.md @@ -3,7 +3,7 @@ title: Set up MDT for BitLocker (Windows 10) ms.assetid: 386e6713-5c20-4d2a-a220-a38d94671a38 description: keywords: disk, encryption, TPM, configure, secure, script -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/sideload-apps-in-windows-10.md b/windows/deploy/sideload-apps-in-windows-10.md index 63f3fe6fef..6265950f08 100644 
--- a/windows/deploy/sideload-apps-in-windows-10.md +++ b/windows/deploy/sideload-apps-in-windows-10.md @@ -2,10 +2,11 @@ title: Sideload LOB apps in Windows 10 (Windows 10) description: Sideload line-of-business apps in Windows 10. ms.assetid: C46B27D0-375B-4F7A-800E-21595CF1D53D -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +ms.pagetype: mobile +author: greg-lindsay --- # Sideload LOB apps in Windows 10 diff --git a/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md index a8391582fa..a6c8789efb 100644 --- a/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md +++ b/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md @@ -3,7 +3,7 @@ title: Simulate a Windows 10 deployment in a test environment (Windows 10) description: This topic will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. ms.assetid: 2de86c55-ced9-4078-b280-35e0329aea9c keywords: deploy, script -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/understanding-migration-xml-files.md b/windows/deploy/understanding-migration-xml-files.md index 528c77f8d3..c03bc14e24 100644 --- a/windows/deploy/understanding-migration-xml-files.md +++ b/windows/deploy/understanding-migration-xml-files.md @@ -2,10 +2,10 @@ title: Understanding Migration XML Files (Windows 10) description: Understanding Migration XML Files ms.assetid: d3d1fe89-085c-4da8-9657-fd54b8bfc4b7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Understanding Migration XML Files diff --git a/windows/deploy/update-product-status-vamt.md b/windows/deploy/update-product-status-vamt.md index deca904c0c..0e7af45fec 100644 --- a/windows/deploy/update-product-status-vamt.md 
+++ b/windows/deploy/update-product-status-vamt.md @@ -2,7 +2,7 @@ title: Update Product Status (Windows 10) description: Update Product Status ms.assetid: 39d4abd4-801a-4e8f-9b8c-425a24a96764 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/update-windows-10-images-with-provisioning-packages.md b/windows/deploy/update-windows-10-images-with-provisioning-packages.md index 4a553d8b90..0fbf772bbb 100644 --- a/windows/deploy/update-windows-10-images-with-provisioning-packages.md +++ b/windows/deploy/update-windows-10-images-with-provisioning-packages.md @@ -2,10 +2,11 @@ title: Update Windows 10 images with provisioning packages (Windows 10) description: Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. ms.assetid: 3CA345D2-B60A-4860-A3BF-174713C3D3A6 -keywords: ["provisioning", "bulk deployment", "image"] -ms.prod: W10 +keywords: provisioning, bulk deployment, image +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: mobile author: jdeckerMS --- diff --git a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md index 030ab711f2..0f66363610 100644 --- a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md +++ b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md 
@@ -2,8 +2,8 @@ title: Upgrade to Windows 10 with System Center Configuration Manager (Windows 10) description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878 -keywords: ["upgrade, update, task sequence, deploy"] -ms.prod: W10 +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 ms.mktglfcycl: deploy author: mtniehaus --- diff --git a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md index 35b90474ab..18dfaf7fdf 100644 --- a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md @@ -3,7 +3,7 @@ title: Upgrade to Windows 10 with the Microsoft Deployment Toolkit (Windows 10) description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460 keywords: upgrade, update, task sequence, deploy -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/upgrade-windows-phone-8-1-to-10.md b/windows/deploy/upgrade-windows-phone-8-1-to-10.md new file mode 100644 index 0000000000..f79c20d4ba --- /dev/null +++ b/windows/deploy/upgrade-windows-phone-8-1-to-10.md 
@@ -0,0 +1,102 @@ +--- +title: Upgrade Windows Phone 8.1 to Windows 10 Mobile in an MDM environment (Windows 10) +description: This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using MDM. +keywords: upgrade, update, windows, phone, windows 10, mdm, mobile +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: mdt +author: Jamiejdt +--- + +# Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management (MDM) + +**Applies to** + +- Windows 10 Mobile + +## Summary +This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using Mobile Device Management (MDM). To determine if the device is eligible for an upgrade, see the [How to determine whether an upgrade is available for a device](#howto-upgrade-available) topic in this article. + +The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. An eligible device must opt-in to be offered the upgrade. For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. For Enterprises, Microsoft is offering a centralized management solution through MDM that can push a management policy to each eligible device to perform the opt-in. + +If you use a list of allowed applications (app whitelisting) with MDM, verify that system applications are whitelisted before you upgrade to Windows 10 Mobile. Also, be aware that there are [known issues](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056.aspx#whitelist) with app whitelisting that could adversely affect the device after you upgrade. + +Some enterprises might want to control the availability of the Windows 10 Mobile upgrade to their users. With the opt-in model, the enterprise can blacklist the Upgrade Advisor app to prevent their users from upgrading prematurely. 
For more information about how to blacklist the Upgrade Advisor app, see the [How to blacklist the Upgrade Advisor app](#howto-blacklist) section in this article. Enterprises that have blacklisted the Upgrade Advisor app can use the solution described in this article to select the upgrade timing on a per-device basis. + +## More information + +To provide enterprises with a solution that's independent of the Upgrade Advisor, a new registry key in the registry configuration service provider (CSP) is available. A special GUID key value is defined. When Microsoft Update (MU) detects the presence of the registry key value on a device, any available upgrade will be made available to the device. + +### Prerequisites + +- Windows Phone 8.1 device with an available upgrade to Windows 10 Mobile. +- Device connected to Wi-Fi or cellular network to perform scan for upgrade. +- Device is already enrolled with an MDM session. +- Device is able to receive the management policy. +- MDM is capable of pushing the management policy to devices. Minimum version numbers for some popular MDM providers that support this solution are: InTune: 5.0.5565, AirWatch: 8.2, Mobile Iron: 9.0. + +### Instructions for the MDM server + +The registry CSP is used to push the GUID value to the following registry key for which the Open Mobile Alliance (OMA) Device Management (DM) client has Read/Write access and for which the Device Update service has Read access. + +``` +[HKLM\Software\Microsoft\Provisioning\OMADM] +"EnterpriseUpgrade"="d369c9b6-2379-466d-9162-afc53361e3c2” +``` + + +The complete SyncML command for the solution is as follows. Note: The SyncML may vary, depending on your MDM solution. 
+ +``` +SyncML xmlns="SYNCML:SYNCML1.1"> + + + 250 + + + ./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/EnterpriseUpgrade + + + chr + + d369c9b6-2379-466d-9162-afc53361e3c2 + + + + + +``` + +The OMA DM server policy description is provided in the following table: + +|Item |Setting | +|------|------------| +| OMA-URI |./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/EnterpriseUpgrade | +| Data Type |String | +| Value |d369c9b6-2379-466d-9162-afc53361e3c2 | + + +After the device consumes the policy, it will be able to receive an available upgrade. + +To disable the policy, delete the **OMADM** registry key or set the **EnterpriseUpgrade** string value to anything other than the GUID. + +### How to determine whether an upgrade is available for a device + +The Windows 10 Mobile Upgrade Advisor app is not designed or intended for Enterprise customers who want to automate the upgrade process. However, the Windows 10 Mobile Upgrade Advisor app is the best mechanism to determine when an upgrade is available. The app dynamically queries whether the upgrade is released for this device model and associated mobile operator (MO). + +We recommend that enterprises use a pilot device with the Windows 10 Mobile Upgrade Advisor app installed. The pilot device provides the device model and MO used by the enterprise. When you run the app on the pilot device, it will tell you that either an upgrade is available, that the device is eligible for upgrade, or that an upgrade is not available for this device. + +Note: The availability of Windows 10 Mobile as an update for existing Windows Phone 8.1 devices varies by device manufacturer, device model, country or region, mobile operator or service provider, hardware limitations, and other factors. To check for compatibility and other important installation information, see the [Windows 10 mobile](https://www.microsoft.com/en/mobile/windows10) page. 
+ +### How to blacklist the Upgrade Advisor app + +Some enterprises may want to block their users from installing the Windows 10 Mobile Upgrade Advisor app. With Windows Phone 8.1, you can allow or deny individual apps by adding specific app publishers or the app globally unique identifier (GUID) from the Window Phone Store to an allow or deny XML list. The GUID for a particular application can be found in the URL for the app in the phone store. For example, the GUID to the Windows 10 Mobile Upgrade Adviser (fbe47e4f-7769-4103-910e-dca8c43e0b07) is displayed in the following URL: + +http://windowsphone.com/s?appid=fbe47e4f-7769-4103-910e-dca8c43e0b07 + +For more information about how to do this, see [Try it out: restrict Windows Phone 8.1 apps](https://technet.microsoft.com/en-us/windows/dn771706.aspx). + +## Related topics + +[Windows 10 Mobile and mobile device management](..\manage\windows-10-mobile-and-mdm.md) diff --git a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md index 229fb16df0..64e70ced04 100644 --- a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md +++ b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md @@ -3,7 +3,7 @@ title: Use Orchestrator runbooks with MDT (Windows 10) description: This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions. ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f keywords: web services, database -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md index 14749270e7..32208d3e25 100644 --- a/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md 
+++ b/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md @@ -4,7 +4,7 @@ description: This topic is designed to teach you how to use the MDT database to ms.assetid: 8956ab54-90ba-45d3-a384-4fdec72c4d46 ms.pagetype: mdt keywords: database, permissions, settings, configure, deploy -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/use-the-volume-activation-management-tool-client.md b/windows/deploy/use-the-volume-activation-management-tool-client.md index 4303bd18a1..1e4f5c32b2 100644 --- a/windows/deploy/use-the-volume-activation-management-tool-client.md +++ b/windows/deploy/use-the-volume-activation-management-tool-client.md @@ -3,7 +3,7 @@ title: Use the Volume Activation Management Tool (Windows 10) description: The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys. ms.assetid: b11f0aee-7b60-44d1-be40-c960fc6c4c47 keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/use-vamt-in-windows-powershell.md b/windows/deploy/use-vamt-in-windows-powershell.md index 1247d95759..01de72d0a6 100644 --- a/windows/deploy/use-vamt-in-windows-powershell.md +++ b/windows/deploy/use-vamt-in-windows-powershell.md @@ -2,7 +2,7 @@ title: Use VAMT in Windows PowerShell (Windows 10) description: Use VAMT in Windows PowerShell ms.assetid: 13e0ceec-d827-4681-a5c3-8704349e3ba9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/use-web-services-in-mdt-2013.md b/windows/deploy/use-web-services-in-mdt-2013.md index 6fbe628335..1d8755df14 100644 --- a/windows/deploy/use-web-services-in-mdt-2013.md +++ b/windows/deploy/use-web-services-in-mdt-2013.md 
@@ -3,7 +3,7 @@ title: Use web services in MDT (Windows 10) description: In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522 keywords: deploy, web apps -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.pagetype: mdt ms.sitesec: library diff --git a/windows/deploy/usmt-best-practices.md b/windows/deploy/usmt-best-practices.md index b8772fe9f4..8da6b08353 100644 --- a/windows/deploy/usmt-best-practices.md +++ b/windows/deploy/usmt-best-practices.md @@ -2,10 +2,10 @@ title: USMT Best Practices (Windows 10) description: USMT Best Practices ms.assetid: e3cb1e78-4230-4eae-b179-e6e9160542d2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # USMT Best Practices diff --git a/windows/deploy/usmt-choose-migration-store-type.md b/windows/deploy/usmt-choose-migration-store-type.md index 3e3f520ceb..5938b48748 100644 --- a/windows/deploy/usmt-choose-migration-store-type.md +++ b/windows/deploy/usmt-choose-migration-store-type.md @@ -2,10 +2,10 @@ title: Choose a Migration Store Type (Windows 10) description: Choose a Migration Store Type ms.assetid: 4e163e90-9c57-490b-b849-2ed52ab6765f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Choose a Migration Store Type diff --git a/windows/deploy/usmt-command-line-syntax.md b/windows/deploy/usmt-command-line-syntax.md index 8e62c88e30..22cf9c33aa 100644 --- a/windows/deploy/usmt-command-line-syntax.md +++ b/windows/deploy/usmt-command-line-syntax.md 
@@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) Command-line Syntax (Windows 10) description: User State Migration Tool (USMT) Command-line Syntax ms.assetid: f9d205c9-e824-46c7-8d8b-d7e4b52fd514 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) Command-line Syntax diff --git a/windows/deploy/usmt-common-issues.md b/windows/deploy/usmt-common-issues.md index d1865b8873..88980d6d7b 100644 --- a/windows/deploy/usmt-common-issues.md +++ b/windows/deploy/usmt-common-issues.md @@ -2,10 +2,10 @@ title: Common Issues (Windows 10) description: Common Issues ms.assetid: 5a37e390-8617-4768-9eee-50397fbbb2e1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Common Issues diff --git a/windows/deploy/usmt-common-migration-scenarios.md b/windows/deploy/usmt-common-migration-scenarios.md index dd61667933..9262ef9b0f 100644 --- a/windows/deploy/usmt-common-migration-scenarios.md +++ b/windows/deploy/usmt-common-migration-scenarios.md @@ -2,10 +2,10 @@ title: Common Migration Scenarios (Windows 10) description: Common Migration Scenarios ms.assetid: 1d8170d5-e775-4963-b7a5-b55e8987c1e4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Common Migration Scenarios diff --git a/windows/deploy/usmt-configxml-file.md b/windows/deploy/usmt-configxml-file.md index dea99cd9e0..4484c03e2d 100644 --- a/windows/deploy/usmt-configxml-file.md +++ b/windows/deploy/usmt-configxml-file.md @@ -2,10 +2,10 @@ title: Config.xml File (Windows 10) description: Config.xml File ms.assetid: 9dc98e76-5155-4641-bcb3-81915db538e8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Config.xml File 
diff --git a/windows/deploy/usmt-conflicts-and-precedence.md b/windows/deploy/usmt-conflicts-and-precedence.md index 9de02f7dca..3b570d51e5 100644 --- a/windows/deploy/usmt-conflicts-and-precedence.md +++ b/windows/deploy/usmt-conflicts-and-precedence.md @@ -2,10 +2,10 @@ title: Conflicts and Precedence (Windows 10) description: Conflicts and Precedence ms.assetid: 0e2691a8-ff1e-4424-879b-4d5a2f8a113a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Conflicts and Precedence diff --git a/windows/deploy/usmt-custom-xml-examples.md b/windows/deploy/usmt-custom-xml-examples.md index c1fa2bd582..4d60c4903c 100644 --- a/windows/deploy/usmt-custom-xml-examples.md +++ b/windows/deploy/usmt-custom-xml-examples.md @@ -2,10 +2,10 @@ title: Custom XML Examples (Windows 10) description: Custom XML Examples ms.assetid: 48f441d9-6c66-43ef-91e9-7c78cde6fcc0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Custom XML Examples diff --git a/windows/deploy/usmt-customize-xml-files.md b/windows/deploy/usmt-customize-xml-files.md index 94619ce485..30930f05ad 100644 --- a/windows/deploy/usmt-customize-xml-files.md +++ b/windows/deploy/usmt-customize-xml-files.md @@ -2,10 +2,10 @@ title: Customize USMT XML Files (Windows 10) description: Customize USMT XML Files ms.assetid: d58363c1-fd13-4f65-8b91-9986659dc93e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Customize USMT XML Files diff --git a/windows/deploy/usmt-determine-what-to-migrate.md b/windows/deploy/usmt-determine-what-to-migrate.md index 24c81b0742..27ad2ea86d 100644 --- a/windows/deploy/usmt-determine-what-to-migrate.md +++ b/windows/deploy/usmt-determine-what-to-migrate.md 
@@ -2,10 +2,10 @@ title: Determine What to Migrate (Windows 10) description: Determine What to Migrate ms.assetid: 01ae1d13-c3eb-4618-b39d-ee5d18d55761 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Determine What to Migrate diff --git a/windows/deploy/usmt-estimate-migration-store-size.md b/windows/deploy/usmt-estimate-migration-store-size.md index 1dbd440416..a331a99c09 100644 --- a/windows/deploy/usmt-estimate-migration-store-size.md +++ b/windows/deploy/usmt-estimate-migration-store-size.md @@ -2,10 +2,10 @@ title: Estimate Migration Store Size (Windows 10) description: Estimate Migration Store Size ms.assetid: cfb9062b-7a2a-467a-a24e-0b31ce830093 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Estimate Migration Store Size diff --git a/windows/deploy/usmt-exclude-files-and-settings.md b/windows/deploy/usmt-exclude-files-and-settings.md index 99918b8c5c..e856679334 100644 --- a/windows/deploy/usmt-exclude-files-and-settings.md +++ b/windows/deploy/usmt-exclude-files-and-settings.md @@ -2,10 +2,10 @@ title: Exclude Files and Settings (Windows 10) description: Exclude Files and Settings ms.assetid: df85baf1-6e29-4995-a4bb-ba3f8f7fed0b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Exclude Files and Settings diff --git a/windows/deploy/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deploy/usmt-extract-files-from-a-compressed-migration-store.md index 8bd8e87680..c679d58b27 100644 --- a/windows/deploy/usmt-extract-files-from-a-compressed-migration-store.md +++ b/windows/deploy/usmt-extract-files-from-a-compressed-migration-store.md 
@@ -2,10 +2,10 @@ title: Extract Files from a Compressed USMT Migration Store (Windows 10) description: Extract Files from a Compressed USMT Migration Store ms.assetid: ad9fbd6e-f89e-4444-8538-9b11566b1f33 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Extract Files from a Compressed USMT Migration Store diff --git a/windows/deploy/usmt-faq.md b/windows/deploy/usmt-faq.md index e69272bc26..715340a82d 100644 --- a/windows/deploy/usmt-faq.md +++ b/windows/deploy/usmt-faq.md @@ -2,10 +2,10 @@ title: Frequently Asked Questions (Windows 10) description: Frequently Asked Questions ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Frequently Asked Questions diff --git a/windows/deploy/usmt-general-conventions.md b/windows/deploy/usmt-general-conventions.md index ab6c9ad6b3..020557c402 100644 --- a/windows/deploy/usmt-general-conventions.md +++ b/windows/deploy/usmt-general-conventions.md @@ -2,10 +2,10 @@ title: General Conventions (Windows 10) description: General Conventions ms.assetid: 5761986e-a847-41bd-bf8e-7c1bd01acbc6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # General Conventions diff --git a/windows/deploy/usmt-hard-link-migration-store.md b/windows/deploy/usmt-hard-link-migration-store.md index afddeaf45d..e65487a0bd 100644 --- a/windows/deploy/usmt-hard-link-migration-store.md +++ b/windows/deploy/usmt-hard-link-migration-store.md @@ -2,10 +2,10 @@ title: Hard-Link Migration Store (Windows 10) description: Hard-Link Migration Store ms.assetid: b0598418-4607-4952-bfa3-b6e4aaa2c574 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Hard-Link Migration Store 
diff --git a/windows/deploy/usmt-how-it-works.md b/windows/deploy/usmt-how-it-works.md index 8e6b12231e..0c274924a6 100644 --- a/windows/deploy/usmt-how-it-works.md +++ b/windows/deploy/usmt-how-it-works.md @@ -2,10 +2,10 @@ title: How USMT Works (Windows 10) description: How USMT Works ms.assetid: 5c8bd669-9e1e-473d-81e6-652f40b24171 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # How USMT Works diff --git a/windows/deploy/usmt-how-to.md b/windows/deploy/usmt-how-to.md index 4baa318509..1a22d71262 100644 --- a/windows/deploy/usmt-how-to.md +++ b/windows/deploy/usmt-how-to.md @@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) How-to topics (Windows 10) description: User State Migration Tool (USMT) How-to topics ms.assetid: 7b9a2f2a-a43a-4984-9746-a767f9f1c7e3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) How-to topics diff --git a/windows/deploy/usmt-identify-application-settings.md b/windows/deploy/usmt-identify-application-settings.md index ca14712f31..5fa216f2b3 100644 --- a/windows/deploy/usmt-identify-application-settings.md +++ b/windows/deploy/usmt-identify-application-settings.md @@ -2,10 +2,10 @@ title: Identify Applications Settings (Windows 10) description: Identify Applications Settings ms.assetid: eda68031-9b02-4a5b-a893-3786a6505381 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Identify Applications Settings diff --git a/windows/deploy/usmt-identify-file-types-files-and-folders.md b/windows/deploy/usmt-identify-file-types-files-and-folders.md index 3ab8ded02b..49766ca745 100644 --- a/windows/deploy/usmt-identify-file-types-files-and-folders.md +++ b/windows/deploy/usmt-identify-file-types-files-and-folders.md 
@@ -2,10 +2,10 @@ title: Identify File Types, Files, and Folders (Windows 10) description: Identify File Types, Files, and Folders ms.assetid: 93bb2a33-c126-4f7a-a961-6c89686d54e0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Identify File Types, Files, and Folders diff --git a/windows/deploy/usmt-identify-operating-system-settings.md b/windows/deploy/usmt-identify-operating-system-settings.md index 232fabdc33..27fd8c0c25 100644 --- a/windows/deploy/usmt-identify-operating-system-settings.md +++ b/windows/deploy/usmt-identify-operating-system-settings.md @@ -2,10 +2,10 @@ title: Identify Operating System Settings (Windows 10) description: Identify Operating System Settings ms.assetid: 1704ab18-1765-41fb-a27c-3aa3128fa242 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Identify Operating System Settings diff --git a/windows/deploy/usmt-identify-users.md b/windows/deploy/usmt-identify-users.md index 1f23cb942d..6d081727c3 100644 --- a/windows/deploy/usmt-identify-users.md +++ b/windows/deploy/usmt-identify-users.md @@ -2,10 +2,10 @@ title: Identify Users (Windows 10) description: Identify Users ms.assetid: 957a4fe9-79fd-44a2-8c26-33e50f71f9de -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Identify Users diff --git a/windows/deploy/usmt-include-files-and-settings.md b/windows/deploy/usmt-include-files-and-settings.md index 6142749d13..411525684e 100644 --- a/windows/deploy/usmt-include-files-and-settings.md +++ b/windows/deploy/usmt-include-files-and-settings.md @@ -2,10 +2,10 @@ title: Include Files and Settings (Windows 10) description: Include Files and Settings ms.assetid: 9009c6a5-0612-4478-8742-abe5eb6cbac8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Include Files and Settings 
diff --git a/windows/deploy/usmt-loadstate-syntax.md b/windows/deploy/usmt-loadstate-syntax.md index a82a0b4357..36c3dfb311 100644 --- a/windows/deploy/usmt-loadstate-syntax.md +++ b/windows/deploy/usmt-loadstate-syntax.md @@ -2,10 +2,10 @@ title: LoadState Syntax (Windows 10) description: LoadState Syntax ms.assetid: 53d2143b-cbe9-4cfc-8506-36e9d429f6d4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # LoadState Syntax diff --git a/windows/deploy/usmt-log-files.md b/windows/deploy/usmt-log-files.md index 89fc388cf9..9796591745 100644 --- a/windows/deploy/usmt-log-files.md +++ b/windows/deploy/usmt-log-files.md @@ -2,10 +2,10 @@ title: Log Files (Windows 10) description: Log Files ms.assetid: 28185ebd-630a-4bbd-94f4-8c48aad05649 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Log Files diff --git a/windows/deploy/usmt-migrate-efs-files-and-certificates.md b/windows/deploy/usmt-migrate-efs-files-and-certificates.md index 43a57ddc5d..d4e2db536f 100644 --- a/windows/deploy/usmt-migrate-efs-files-and-certificates.md +++ b/windows/deploy/usmt-migrate-efs-files-and-certificates.md @@ -2,10 +2,10 @@ title: Migrate EFS Files and Certificates (Windows 10) description: Migrate EFS Files and Certificates ms.assetid: 7f19a753-ec45-4433-b297-cc30f16fdee1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Migrate EFS Files and Certificates diff --git a/windows/deploy/usmt-migrate-user-accounts.md b/windows/deploy/usmt-migrate-user-accounts.md index 25c9490cbc..6c87c9b043 100644 --- a/windows/deploy/usmt-migrate-user-accounts.md +++ b/windows/deploy/usmt-migrate-user-accounts.md 
@@ -2,10 +2,10 @@ title: Migrate User Accounts (Windows 10) description: Migrate User Accounts ms.assetid: a3668361-43c8-4fd2-b26e-9a2deaeaeb09 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Migrate User Accounts diff --git a/windows/deploy/usmt-migration-store-encryption.md b/windows/deploy/usmt-migration-store-encryption.md index bb6343401f..1e8ea1a8e0 100644 --- a/windows/deploy/usmt-migration-store-encryption.md +++ b/windows/deploy/usmt-migration-store-encryption.md @@ -2,10 +2,10 @@ title: Migration Store Encryption (Windows 10) description: Migration Store Encryption ms.assetid: b28c2657-b986-4487-bd38-cb81500b831d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Migration Store Encryption diff --git a/windows/deploy/usmt-overview.md b/windows/deploy/usmt-overview.md index f3d7f0b860..928044a3cf 100644 --- a/windows/deploy/usmt-overview.md +++ b/windows/deploy/usmt-overview.md @@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) Overview (Windows 10) description: User State Migration Tool (USMT) Overview ms.assetid: 3b649431-ad09-4b17-895a-3fec7ac0a81f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) Overview diff --git a/windows/deploy/usmt-plan-your-migration.md b/windows/deploy/usmt-plan-your-migration.md index eaed479359..2b6ce76d7f 100644 --- a/windows/deploy/usmt-plan-your-migration.md +++ b/windows/deploy/usmt-plan-your-migration.md @@ -2,10 +2,10 @@ title: Plan Your Migration (Windows 10) description: Plan Your Migration ms.assetid: c951f7df-850e-47ad-b31b-87f902955e3e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Plan Your Migration 
diff --git a/windows/deploy/usmt-recognized-environment-variables.md b/windows/deploy/usmt-recognized-environment-variables.md index 8246122fd9..edebf602f1 100644 --- a/windows/deploy/usmt-recognized-environment-variables.md +++ b/windows/deploy/usmt-recognized-environment-variables.md @@ -2,10 +2,10 @@ title: Recognized Environment Variables (Windows 10) description: Recognized Environment Variables ms.assetid: 2b0ac412-e131-456e-8f0c-c26249b5f3df -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Recognized Environment Variables diff --git a/windows/deploy/usmt-reference.md b/windows/deploy/usmt-reference.md index ffe3b71ef8..753146d6b9 100644 --- a/windows/deploy/usmt-reference.md +++ b/windows/deploy/usmt-reference.md @@ -2,10 +2,10 @@ title: User State Migration Toolkit (USMT) Reference (Windows 10) description: User State Migration Toolkit (USMT) Reference ms.assetid: 2135dbcf-de49-4cea-b2fb-97dd016e1a1a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Toolkit (USMT) Reference diff --git a/windows/deploy/usmt-requirements.md b/windows/deploy/usmt-requirements.md index ace2abc84a..c8632b0b4a 100644 --- a/windows/deploy/usmt-requirements.md +++ b/windows/deploy/usmt-requirements.md @@ -2,10 +2,10 @@ title: USMT Requirements (Windows 10) description: USMT Requirements ms.assetid: 2b0cf3a3-9032-433f-9622-1f9df59d6806 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # USMT Requirements diff --git a/windows/deploy/usmt-reroute-files-and-settings.md b/windows/deploy/usmt-reroute-files-and-settings.md index a948ee7c8c..99dd2eb09c 100644 --- a/windows/deploy/usmt-reroute-files-and-settings.md +++ b/windows/deploy/usmt-reroute-files-and-settings.md 
@@ -2,10 +2,10 @@ title: Reroute Files and Settings (Windows 10) description: Reroute Files and Settings ms.assetid: 905e6a24-922c-4549-9732-60fa11862a6c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Reroute Files and Settings diff --git a/windows/deploy/usmt-resources.md b/windows/deploy/usmt-resources.md index 0cb115c915..cc268ff816 100644 --- a/windows/deploy/usmt-resources.md +++ b/windows/deploy/usmt-resources.md @@ -2,10 +2,10 @@ title: USMT Resources (Windows 10) description: USMT Resources ms.assetid: a0b266c7-4bcb-49f1-b63c-48c6ace86b43 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # USMT Resources diff --git a/windows/deploy/usmt-return-codes.md b/windows/deploy/usmt-return-codes.md index 4354a11ca8..365b49b5c7 100644 --- a/windows/deploy/usmt-return-codes.md +++ b/windows/deploy/usmt-return-codes.md @@ -2,10 +2,10 @@ title: Return Codes (Windows 10) description: Return Codes ms.assetid: e71bbc6b-d5a6-4e48-ad01-af0012b35f22 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Return Codes diff --git a/windows/deploy/usmt-scanstate-syntax.md b/windows/deploy/usmt-scanstate-syntax.md index ff2636ee8c..5083385534 100644 --- a/windows/deploy/usmt-scanstate-syntax.md +++ b/windows/deploy/usmt-scanstate-syntax.md @@ -2,10 +2,10 @@ title: ScanState Syntax (Windows 10) description: ScanState Syntax ms.assetid: 004c755f-33db-49e4-8a3b-37beec1480ea -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # ScanState Syntax diff --git a/windows/deploy/usmt-technical-reference.md b/windows/deploy/usmt-technical-reference.md index 232f27f2fa..17380ccbb3 100644 --- a/windows/deploy/usmt-technical-reference.md +++ b/windows/deploy/usmt-technical-reference.md 
@@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) Technical Reference (Windows 10) description: The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals. ms.assetid: f90bf58b-5529-4520-a9f8-b6cb4e4d3add -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) Technical Reference @@ -13,6 +13,8 @@ The User State Migration Tool (USMT) 10.0 is included with the Windows Assessme Download the Windows ADK [from this website](http://go.microsoft.com/fwlink/p/?LinkID=526803). +**Note**: USMT version 10.1.10586 supports migration of user settings for installations of Microsoft Office 2003, 2007, 2010, and 2013. + USMT 10.0 includes three command-line tools: - ScanState.exe diff --git a/windows/deploy/usmt-test-your-migration.md b/windows/deploy/usmt-test-your-migration.md index 05e999a34d..e460f17de8 100644 --- a/windows/deploy/usmt-test-your-migration.md +++ b/windows/deploy/usmt-test-your-migration.md @@ -2,10 +2,10 @@ title: Test Your Migration (Windows 10) description: Test Your Migration ms.assetid: 754af276-8386-4eac-8079-3d1e45964a0d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Test Your Migration diff --git a/windows/deploy/usmt-topics.md b/windows/deploy/usmt-topics.md index a58a88b007..4fe5cace86 100644 --- a/windows/deploy/usmt-topics.md +++ b/windows/deploy/usmt-topics.md @@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) Overview Topics (Windows 10) description: User State Migration Tool (USMT) Overview Topics ms.assetid: 23170271-130b-416f-a7a7-c2f6adc32eee -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) Overview Topics 
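Review bot: In the usmt-technical-reference.md hunk, the added `**Note**` names "USMT version 10.1.10586" while the page title, the description and the unchanged context line "USMT 10.0 includes three command-line tools" refer only to "USMT 10.0", so a reader cannot tell whether 10.1.10586 is a newer ADK release, an update to 10.0 or a different tool. State how the two version numbers relate (for example, which Windows ADK build ships 10.1.10586), or use the same version designation as the rest of the page so the Office-migration support statement is not read as applying to a version the page never introduces.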
diff --git a/windows/deploy/usmt-troubleshooting.md b/windows/deploy/usmt-troubleshooting.md index 576f9801c9..33296077f4 100644 --- a/windows/deploy/usmt-troubleshooting.md +++ b/windows/deploy/usmt-troubleshooting.md @@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) Troubleshooting (Windows 10) description: User State Migration Tool (USMT) Troubleshooting ms.assetid: 770f45bb-2284-463f-a29c-69c04f437533 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) Troubleshooting diff --git a/windows/deploy/usmt-utilities.md b/windows/deploy/usmt-utilities.md index eb9081b082..08df5661f2 100644 --- a/windows/deploy/usmt-utilities.md +++ b/windows/deploy/usmt-utilities.md @@ -2,10 +2,10 @@ title: UsmtUtils Syntax (Windows 10) description: UsmtUtils Syntax ms.assetid: cdab7f2d-dd68-4016-b9ed-41ffa743b65c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # UsmtUtils Syntax diff --git a/windows/deploy/usmt-what-does-usmt-migrate.md b/windows/deploy/usmt-what-does-usmt-migrate.md index 83b3851c29..89ba8aa60b 100644 --- a/windows/deploy/usmt-what-does-usmt-migrate.md +++ b/windows/deploy/usmt-what-does-usmt-migrate.md @@ -2,10 +2,10 @@ title: What Does USMT Migrate (Windows 10) description: What Does USMT Migrate ms.assetid: f613987d-0f17-43fe-9717-6465865ceda7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # What Does USMT Migrate? diff --git a/windows/deploy/usmt-xml-elements-library.md b/windows/deploy/usmt-xml-elements-library.md index 87ffc8c9c3..f4f412fc2a 100644 --- a/windows/deploy/usmt-xml-elements-library.md +++ b/windows/deploy/usmt-xml-elements-library.md 
@@ -2,10 +2,10 @@ title: XML Elements Library (Windows 10) description: XML Elements Library ms.assetid: f5af0f6d-c3bf-4a4c-a0ca-9db7985f954f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # XML Elements Library diff --git a/windows/deploy/usmt-xml-reference.md b/windows/deploy/usmt-xml-reference.md index 49d7403f8f..4023b52759 100644 --- a/windows/deploy/usmt-xml-reference.md +++ b/windows/deploy/usmt-xml-reference.md @@ -2,10 +2,10 @@ title: USMT XML Reference (Windows 10) description: USMT XML Reference ms.assetid: fb946975-0fee-4ec0-b3ef-7c34945ee96f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # USMT XML Reference diff --git a/windows/deploy/vamt-known-issues.md b/windows/deploy/vamt-known-issues.md index 1e014a3e46..4aa2185e8f 100644 --- a/windows/deploy/vamt-known-issues.md +++ b/windows/deploy/vamt-known-issues.md @@ -2,7 +2,7 @@ title: VAMT Known Issues (Windows 10) description: VAMT Known Issues ms.assetid: 8992f1f3-830a-4ce7-a248-f3a6377ab77f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/vamt-requirements.md b/windows/deploy/vamt-requirements.md index 9da49547b0..06a8615669 100644 --- a/windows/deploy/vamt-requirements.md +++ b/windows/deploy/vamt-requirements.md @@ -2,7 +2,7 @@ title: VAMT Requirements (Windows 10) description: VAMT Requirements ms.assetid: d14d152b-ab8a-43cb-a8fd-2279364007b9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/vamt-step-by-step.md b/windows/deploy/vamt-step-by-step.md index e886684243..5582bd3417 100644 --- a/windows/deploy/vamt-step-by-step.md +++ b/windows/deploy/vamt-step-by-step.md 
@@ -2,7 +2,7 @@ title: VAMT Step-by-Step Scenarios (Windows 10) description: VAMT Step-by-Step Scenarios ms.assetid: 455c542c-4860-4b57-a1f0-7e2d28e11a10 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/verify-the-condition-of-a-compressed-migration-store.md b/windows/deploy/verify-the-condition-of-a-compressed-migration-store.md index 233beb97f0..ee16be2715 100644 --- a/windows/deploy/verify-the-condition-of-a-compressed-migration-store.md +++ b/windows/deploy/verify-the-condition-of-a-compressed-migration-store.md @@ -2,10 +2,10 @@ title: Verify the Condition of a Compressed Migration Store (Windows 10) description: Verify the Condition of a Compressed Migration Store ms.assetid: 4a3fda96-5f7d-494a-955f-6b865ec9fcae -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Verify the Condition of a Compressed Migration Store diff --git a/windows/deploy/volume-activation-management-tool.md b/windows/deploy/volume-activation-management-tool.md index 04af72f880..887c116352 100644 --- a/windows/deploy/volume-activation-management-tool.md +++ b/windows/deploy/volume-activation-management-tool.md @@ -2,7 +2,7 @@ title: Volume Activation Management Tool (VAMT) Technical Reference (Windows 10) description: The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. ms.assetid: 1df0f795-f41c-473b-850c-e98af1ad2f2a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/volume-activation-windows-10.md b/windows/deploy/volume-activation-windows-10.md index e57043d4ca..eda56e2651 100644 --- a/windows/deploy/volume-activation-windows-10.md +++ b/windows/deploy/volume-activation-windows-10.md 
@@ -3,7 +3,7 @@ title: Volume Activation for Windows 10 (Windows 10) description: This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. ms.assetid: 6e8cffae-7322-4fd3-882a-cde68187aef2 keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/windows-10-deployment-scenarios.md b/windows/deploy/windows-10-deployment-scenarios.md index 54221f9de3..e76d648bb0 100644 --- a/windows/deploy/windows-10-deployment-scenarios.md +++ b/windows/deploy/windows-10-deployment-scenarios.md @@ -2,8 +2,8 @@ title: Windows 10 deployment scenarios (Windows 10) description: To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 -keywords: ["upgrade, in-place, configuration, deploy"] -ms.prod: W10 +keywords: upgrade, in-place, configuration, deploy +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/windows-10-deployment-tools-reference.md b/windows/deploy/windows-10-deployment-tools-reference.md index e71eedae97..597900fb82 100644 --- a/windows/deploy/windows-10-deployment-tools-reference.md +++ b/windows/deploy/windows-10-deployment-tools-reference.md @@ -2,10 +2,10 @@ title: Windows 10 deployment tools reference (Windows 10) description: Learn about the tools available to deploy Windows 10. ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Windows 10 deployment tools reference 
diff --git a/windows/deploy/windows-10-edition-upgrades.md b/windows/deploy/windows-10-edition-upgrades.md index 72baf3a243..8b20a8f77c 100644 --- a/windows/deploy/windows-10-edition-upgrades.md +++ b/windows/deploy/windows-10-edition-upgrades.md @@ -2,10 +2,11 @@ title: Windows 10 edition upgrade (Windows 10) description: With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +ms.pagetype: mobile +author: greg-lindsay --- # Windows 10 edition upgrade diff --git a/windows/deploy/windows-adk-scenarios-for-it-pros.md b/windows/deploy/windows-adk-scenarios-for-it-pros.md index 3fb2944f22..8821ada189 100644 --- a/windows/deploy/windows-adk-scenarios-for-it-pros.md +++ b/windows/deploy/windows-adk-scenarios-for-it-pros.md @@ -2,10 +2,10 @@ title: Windows ADK for Windows 10 scenarios for IT Pros (Windows 10) description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Windows ADK for Windows 10 scenarios for IT Pros diff --git a/windows/deploy/windows-deployment-scenarios-and-tools.md b/windows/deploy/windows-deployment-scenarios-and-tools.md index a66deb1389..ba4f22b7c5 100644 --- a/windows/deploy/windows-deployment-scenarios-and-tools.md +++ b/windows/deploy/windows-deployment-scenarios-and-tools.md 
@@ -2,8 +2,8 @@ title: Windows 10 deployment tools (Windows 10) description: To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. ms.assetid: 0d6cee1f-14c4-4b69-b29a-43b0b327b877 -keywords: ["deploy, volume activation, BitLocker, recovery, install, installation, VAMT, MDT, USMT, WDS"] -ms.prod: W10 +keywords: deploy, volume activation, BitLocker, recovery, install, installation, VAMT, MDT, USMT, WDS +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/windows-upgrade-and-migration-considerations.md b/windows/deploy/windows-upgrade-and-migration-considerations.md index 2b5ee05766..7763b0502d 100644 --- a/windows/deploy/windows-upgrade-and-migration-considerations.md +++ b/windows/deploy/windows-upgrade-and-migration-considerations.md @@ -2,10 +2,10 @@ title: Windows Upgrade and Migration Considerations (Windows 10) description: Windows Upgrade and Migration Considerations ms.assetid: 7f85095c-5922-45e9-b28e-91b1263c7281 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Windows Upgrade and Migration Considerations diff --git a/windows/deploy/xml-file-requirements.md b/windows/deploy/xml-file-requirements.md index 50c5e1b161..100306e84d 100644 --- a/windows/deploy/xml-file-requirements.md +++ b/windows/deploy/xml-file-requirements.md @@ -2,10 +2,10 @@ title: XML File Requirements (Windows 10) description: XML File Requirements ms.assetid: 4b567b50-c50a-4a4f-8684-151fe3f8275f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # XML File Requirements diff --git a/windows/index.md b/windows/index.md index 08ec4adaa7..ec5ecb7a39 100644 --- a/windows/index.md +++ b/windows/index.md 
@@ -2,7 +2,7 @@ title: Windows 10 and Windows 10 Mobile (Windows 10) description: This library provides the core content that IT pros need to evaluate, plan, deploy, and manage devices running Windows 10 or Windows 10 Mobile. ms.assetid: 345A4B4E-BC1B-4F5C-9E90-58E647D11C60 -ms.prod: W10 +ms.prod: w10 author: brianlic-msft --- diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 56f8c27db1..58cc934bd4 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
@@ -162,63 +162,326 @@ ###### [Monitor claim types](monitor-claim-types.md) ##### [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) ###### [Audit Credential Validation](audit-credential-validation.md) -###### [Audit Kerberos Authentication Service ](audit-kerberos-authentication-service.md) +####### [Event 4774 S: An account was mapped for logon.](event-4774.md) +####### [Event 4775 F: An account could not be mapped for logon.](event-4775.md) +####### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](event-4776.md) +####### [Event 4777 F: The domain controller failed to validate the credentials for an account.](event-4777.md) +###### [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) +####### [Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested.](event-4768.md) +####### [Event 4771 F: Kerberos pre-authentication failed.](event-4771.md) +####### [Event 4772 F: A Kerberos authentication ticket request failed.](event-4772.md) ###### [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md) -###### [Audit Other Account Logon Events ](audit-other-account-logon-events.md) +####### [Event 4769 S, F: A Kerberos service ticket was requested.](event-4769.md) +####### [Event 4770 S: A Kerberos service ticket was renewed.](event-4770.md) +####### [Event 4773 F: A Kerberos service ticket request failed.](event-4773.md) +###### [Audit Other Account Logon Events](audit-other-account-logon-events.md) ###### [Audit Application Group Management](audit-application-group-management.md) ###### [Audit Computer Account Management](audit-computer-account-management.md) +####### [Event 4741 S: A computer account was created.](event-4741.md) +####### [Event 4742 S: A computer account was changed.](event-4742.md) +####### [Event 4743 S: A computer account was deleted.](event-4743.md) ###### [Audit Distribution Group 
Management](audit-distribution-group-management.md) +####### [Event 4749 S: A security-disabled global group was created.](event-4749.md) +####### [Event 4750 S: A security-disabled global group was changed.](event-4750.md) +####### [Event 4751 S: A member was added to a security-disabled global group.](event-4751.md) +####### [Event 4752 S: A member was removed from a security-disabled global group.](event-4752.md) +####### [Event 4753 S: A security-disabled global group was deleted.](event-4753.md) ###### [Audit Other Account Management Events](audit-other-account-management-events.md) +####### [Event 4782 S: The password hash an account was accessed.](event-4782.md) +####### [Event 4793 S: The Password Policy Checking API was called.](event-4793.md) ###### [Audit Security Group Management](audit-security-group-management.md) +####### [Event 4731 S: A security-enabled local group was created.](event-4731.md) +####### [Event 4732 S: A member was added to a security-enabled local group.](event-4732.md) +####### [Event 4733 S: A member was removed from a security-enabled local group.](event-4733.md) +####### [Event 4734 S: A security-enabled local group was deleted.](event-4734.md) +####### [Event 4735 S: A security-enabled local group was changed.](event-4735.md) +####### [Event 4764 S: A group’s type was changed.](event-4764.md) +####### [Event 4799 S: A security-enabled local group membership was enumerated.](event-4799.md) ###### [Audit User Account Management](audit-user-account-management.md) +####### [Event 4720 S: A user account was created.](event-4720.md) +####### [Event 4722 S: A user account was enabled.](event-4722.md) +####### [Event 4723 S, F: An attempt was made to change an account's password.](event-4723.md) +####### [Event 4724 S, F: An attempt was made to reset an account's password.](event-4724.md) +####### [Event 4725 S: A user account was disabled.](event-4725.md) +####### [Event 4726 S: A user account was deleted.](event-4726.md) +####### 
[Event 4738 S: A user account was changed.](event-4738.md) +####### [Event 4740 S: A user account was locked out.](event-4740.md) +####### [Event 4765 S: SID History was added to an account.](event-4765.md) +####### [Event 4766 F: An attempt to add SID History to an account failed.](event-4766.md) +####### [Event 4767 S: A user account was unlocked.](event-4767.md) +####### [Event 4780 S: The ACL was set on accounts which are members of administrators groups.](event-4780.md) +####### [Event 4781 S: The name of an account was changed.](event-4781.md) +####### [Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.](event-4794.md) +####### [Event 4798 S: A user's local group membership was enumerated.](event-4798.md) +####### [Event 5376 S: Credential Manager credentials were backed up.](event-5376.md) +####### [Event 5377 S: Credential Manager credentials were restored from a backup.](event-5377.md) ###### [Audit DPAPI Activity](audit-dpapi-activity.md) +####### [Event 4692 S, F: Backup of data protection master key was attempted.](event-4692.md) +####### [Event 4693 S, F: Recovery of data protection master key was attempted.](event-4693.md) +####### [Event 4694 S, F: Protection of auditable protected data was attempted.](event-4694.md) +####### [Event 4695 S, F: Unprotection of auditable protected data was attempted.](event-4695.md) ###### [Audit PNP Activity](audit-pnp-activity.md) +####### [Event 6416 S: A new external device was recognized by the System.](event-6416.md) +####### [Event 6419 S: A request was made to disable a device.](event-6419.md) +####### [Event 6420 S: A device was disabled.](event-6420.md) +####### [Event 6421 S: A request was made to enable a device.](event-6421.md) +####### [Event 6422 S: A device was enabled.](event-6422.md) +####### [Event 6423 S: The installation of this device is forbidden by system policy.](event-6423.md) +####### [Event 6424 S: The installation of this device was 
allowed, after having previously been forbidden by policy.](event-6424.md) ###### [Audit Process Creation](audit-process-creation.md) -###### [Audit Process Termination ](audit-process-termination.md) +####### [Event 4688 S: A new process has been created.](event-4688.md) +####### [Event 4696 S: A primary token was assigned to process.](event-4696.md) +###### [Audit Process Termination](audit-process-termination.md) +####### [Event 4689 S: A process has exited.](event-4689.md) ###### [Audit RPC Events](audit-rpc-events.md) +####### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](event-5712.md) ###### [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md) +####### [Event 4928 S, F: An Active Directory replica source naming context was established.](event-4928.md) +####### [Event 4929 S, F: An Active Directory replica source naming context was removed.](event-4929.md) +####### [Event 4930 S, F: An Active Directory replica source naming context was modified.](event-4930.md) +####### [Event 4931 S, F: An Active Directory replica destination naming context was modified.](event-4931.md) +####### [Event 4934 S: Attributes of an Active Directory object were replicated.](event-4934.md) +####### [Event 4935 F: Replication failure begins.](event-4935.md) +####### [Event 4936 S: Replication failure ends.](event-4936.md) +####### [Event 4937 S: A lingering object was removed from a replica.](event-4937.md) ###### [Audit Directory Service Access](audit-directory-service-access.md) +####### [Event 4662 S, F: An operation was performed on an object.](event-4662.md) +####### [Event 4661 S, F: A handle to an object was requested.](event-4661.md) ###### [Audit Directory Service Changes](audit-directory-service-changes.md) +####### [Event 5136 S: A directory service object was modified.](event-5136.md) +####### [Event 5137 S: A directory service object was created.](event-5137.md) +####### [Event 5138 S: A directory service object 
was undeleted.](event-5138.md) +####### [Event 5139 S: A directory service object was moved.](event-5139.md) +####### [Event 5141 S: A directory service object was deleted.](event-5141.md) ###### [Audit Directory Service Replication](audit-directory-service-replication.md) -###### [Audit Account Lockout ](audit-account-lockout.md) +####### [Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun.](event-4932.md) +####### [Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.](event-4933.md) +###### [Audit Account Lockout](audit-account-lockout.md) +####### [Event 4625 F: An account failed to log on.](event-4625.md) ###### [Audit User/Device Claims](audit-user-device-claims.md) +####### [Event 4626 S: User/Device claims information.](event-4626.md) ###### [Audit Group Membership](audit-group-membership.md) +####### [Event 4627 S: Group membership information.](event-4627.md) ###### [Audit IPsec Extended Mode](audit-ipsec-extended-mode.md) ###### [Audit IPsec Main Mode](audit-ipsec-main-mode.md) ###### [Audit IPsec Quick Mode](audit-ipsec-quick-mode.md) ###### [Audit Logoff](audit-logoff.md) +####### [Event 4634 S: An account was logged off.](event-4634.md) +####### [Event 4647 S: User initiated logoff.](event-4647.md) ###### [Audit Logon](audit-logon.md) +####### [Event 4624 S: An account was successfully logged on.](event-4624.md) +####### [Event 4625 F: An account failed to log on.](event-4625.md) +####### [Event 4648 S: A logon was attempted using explicit credentials.](event-4648.md) +####### [Event 4675 S: SIDs were filtered.](event-4675.md) ###### [Audit Network Policy Server](audit-network-policy-server.md) ###### [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md) +####### [Event 4649 S: A replay attack was detected.](event-4649.md) +####### [Event 4778 S: A session was reconnected to a Window Station.](event-4778.md) +####### [Event 4779 S: A session was 
disconnected from a Window Station.](event-4779.md) +####### [Event 4800 S: The workstation was locked.](event-4800.md) +####### [Event 4801 S: The workstation was unlocked.](event-4801.md) +####### [Event 4802 S: The screen saver was invoked.](event-4802.md) +####### [Event 4803 S: The screen saver was dismissed.](event-4803.md) +####### [Event 5378 F: The requested credentials delegation was disallowed by policy.](event-5378.md) +####### [Event 5632 S, F: A request was made to authenticate to a wireless network.](event-5632.md) +####### [Event 5633 S, F: A request was made to authenticate to a wired network.](event-5633.md) ###### [Audit Special Logon](audit-special-logon.md) +####### [Event 4964 S: Special groups have been assigned to a new logon.](event-4964.md) +####### [Event 4672 S: Special privileges assigned to new logon.](event-4672.md) ###### [Audit Application Generated](audit-application-generated.md) ###### [Audit Certification Services](audit-certification-services.md) -###### [Audit Detailed File Share ](audit-detailed-file-share.md) +###### [Audit Detailed File Share](audit-detailed-file-share.md) +####### [Event 5145 S, F: A network share object was checked to see whether client can be granted desired access.](event-5145.md) ###### [Audit File Share](audit-file-share.md) +####### [Event 5140 S, F: A network share object was accessed.](event-5140.md) +####### [Event 5142 S: A network share object was added.](event-5142.md) +####### [Event 5143 S: A network share object was modified.](event-5143.md) +####### [Event 5144 S: A network share object was deleted.](event-5144.md) +####### [Event 5168 F: SPN check for SMB/SMB2 failed.](event-5168.md) ###### [Audit File System](audit-file-system.md) +####### [Event 4656 S, F: A handle to an object was requested.](event-4656.md) +####### [Event 4658 S: The handle to an object was closed.](event-4658.md) +####### [Event 4660 S: An object was deleted.](event-4660.md) +####### [Event 4663 S: An attempt was made 
to access an object.](event-4663.md) +####### [Event 4664 S: An attempt was made to create a hard link.](event-4664.md) +####### [Event 4985 S: The state of a transaction has changed.](event-4985.md) +####### [Event 5051: A file was virtualized.](event-5051.md) +####### [Event 4670 S: Permissions on an object were changed.](event-4670.md) ###### [Audit Filtering Platform Connection](audit-filtering-platform-connection.md) -###### [Audit Filtering Platform Packet Drop ](audit-filtering-platform-packet-drop.md) +####### [Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network.](event-5031.md) +####### [Event 5150: The Windows Filtering Platform blocked a packet.](event-5150.md) +####### [Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.](event-5151.md) +####### [Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.](event-5154.md) +####### [Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.](event-5155.md) +####### [Event 5156 S: The Windows Filtering Platform has permitted a connection.](event-5156.md) +####### [Event 5157 F: The Windows Filtering Platform has blocked a connection.](event-5157.md) +####### [Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port.](event-5158.md) +####### [Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.](event-5159.md) +###### [Audit Filtering Platform Packet Drop](audit-filtering-platform-packet-drop.md) +####### [Event 5152 F: The Windows Filtering Platform blocked a packet.](event-5152.md) +####### [Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.](event-5153.md) ###### [Audit Handle Manipulation](audit-handle-manipulation.md) -###### [Audit Kernel Object ](audit-kernel-object.md) 
+####### [Event 4690 S: An attempt was made to duplicate a handle to an object.](event-4690.md) +###### [Audit Kernel Object](audit-kernel-object.md) +####### [Event 4656 S, F: A handle to an object was requested.](event-4656.md) +####### [Event 4658 S: The handle to an object was closed.](event-4658.md) +####### [Event 4660 S: An object was deleted.](event-4660.md) +####### [Event 4663 S: An attempt was made to access an object.](event-4663.md) ###### [Audit Other Object Access Events](audit-other-object-access-events.md) +####### [Event 4671: An application attempted to access a blocked ordinal through the TBS.](event-4671.md) +####### [Event 4691 S: Indirect access to an object was requested.](event-4691.md) +####### [Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.](event-5148.md) +####### [Event 5149 F: The DoS attack has subsided and normal processing is being resumed.](event-5149.md) +####### [Event 4698 S: A scheduled task was created.](event-4698.md) +####### [Event 4699 S: A scheduled task was deleted.](event-4699.md) +####### [Event 4700 S: A scheduled task was enabled.](event-4700.md) +####### [Event 4701 S: A scheduled task was disabled.](event-4701.md) +####### [Event 4702 S: A scheduled task was updated.](event-4702.md) +####### [Event 5888 S: An object in the COM+ Catalog was modified.](event-5888.md) +####### [Event 5889 S: An object was deleted from the COM+ Catalog.](event-5889.md) +####### [Event 5890 S: An object was added to the COM+ Catalog.](event-5890.md) ###### [Audit Registry](audit-registry.md) +####### [Event 4663 S: An attempt was made to access an object.](event-4663.md) +####### [Event 4656 S, F: A handle to an object was requested.](event-4656.md) +####### [Event 4658 S: The handle to an object was closed.](event-4658.md) +####### [Event 4660 S: An object was deleted.](event-4660.md) +####### [Event 4657 S: A registry value was 
modified.](event-4657.md) +####### [Event 5039: A registry key was virtualized.](event-5039.md) +####### [Event 4670 S: Permissions on an object were changed.](event-4670.md) ###### [Audit Removable Storage](audit-removable-storage.md) -###### [Audit SAM ](audit-sam.md) +###### [Audit SAM](audit-sam.md) +####### [Event 4661 S, F: A handle to an object was requested.](event-4661.md) ###### [Audit Central Access Policy Staging](audit-central-access-policy-staging.md) +####### [Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.](event-4818.md) ###### [Audit Audit Policy Change](audit-audit-policy-change.md) +####### [Event 4670 S: Permissions on an object were changed.](event-4670.md) +####### [Event 4715 S: The audit policy, SACL, on an object was changed.](event-4715.md) +####### [Event 4719 S: System audit policy was changed.](event-4719.md) +####### [Event 4817 S: Auditing settings on object were changed.](event-4817.md) +####### [Event 4902 S: The Per-user audit policy table was created.](event-4902.md) +####### [Event 4906 S: The CrashOnAuditFail value has changed.](event-4906.md) +####### [Event 4907 S: Auditing settings on object were changed.](event-4907.md) +####### [Event 4908 S: Special Groups Logon table modified.](event-4908.md) +####### [Event 4912 S: Per User Audit Policy was changed.](event-4912.md) +####### [Event 4904 S: An attempt was made to register a security event source.](event-4904.md) +####### [Event 4905 S: An attempt was made to unregister a security event source.](event-4905.md) ###### [Audit Authentication Policy Change](audit-authentication-policy-change.md) +####### [Event 4706 S: A new trust was created to a domain.](event-4706.md) +####### [Event 4707 S: A trust to a domain was removed.](event-4707.md) +####### [Event 4716 S: Trusted domain information was modified.](event-4716.md) +####### [Event 4713 S: Kerberos policy was changed.](event-4713.md) +####### 
[Event 4717 S: System security access was granted to an account.](event-4717.md) +####### [Event 4718 S: System security access was removed from an account.](event-4718.md) +####### [Event 4739 S: Domain Policy was changed.](event-4739.md) +####### [Event 4864 S: A namespace collision was detected.](event-4864.md) +####### [Event 4865 S: A trusted forest information entry was added.](event-4865.md) +####### [Event 4866 S: A trusted forest information entry was removed.](event-4866.md) +####### [Event 4867 S: A trusted forest information entry was modified.](event-4867.md) ###### [Audit Authorization Policy Change](audit-authorization-policy-change.md) +####### [Event 4703 S: A user right was adjusted.](event-4703.md) +####### [Event 4704 S: A user right was assigned.](event-4704.md) +####### [Event 4705 S: A user right was removed.](event-4705.md) +####### [Event 4670 S: Permissions on an object were changed.](event-4670.md) +####### [Event 4911 S: Resource attributes of the object were changed.](event-4911.md) +####### [Event 4913 S: Central Access Policy on the object was changed.](event-4913.md) ###### [Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md) ###### [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md) +####### [Event 4944 S: The following policy was active when the Windows Firewall started.](event-4944.md) +####### [Event 4945 S: A rule was listed when the Windows Firewall started.](event-4945.md) +####### [Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added.](event-4946.md) +####### [Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified.](event-4947.md) +####### [Event 4948 S: A change has been made to Windows Firewall exception list. 
A rule was deleted.](event-4948.md) +####### [Event 4949 S: Windows Firewall settings were restored to the default values.](event-4949.md) +####### [Event 4950 S: A Windows Firewall setting has changed.](event-4950.md) +####### [Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall.](event-4951.md) +####### [Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.](event-4952.md) +####### [Event 4953 F: Windows Firewall ignored a rule because it could not be parsed.](event-4953.md) +####### [Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied.](event-4954.md) +####### [Event 4956 S: Windows Firewall has changed the active profile.](event-4956.md) +####### [Event 4957 F: Windows Firewall did not apply the following rule.](event-4957.md) +####### [Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.](event-4958.md) ###### [Audit Other Policy Change Events](audit-other-policy-change-events.md) -###### [Audit Sensitive Privilege Use ](audit-sensitive-privilege-use.md) -###### [Audit Non-Sensitive Privilege Use ](audit-non-sensitive-privilege-use.md) -###### [Audit Other Privilege Use Events ](audit-other-privilege-use-events.md) +####### [Event 4714 S: Encrypted data recovery policy was changed.](event-4714.md) +####### [Event 4819 S: Central Access Policies on the machine have been changed.](event-4819.md) +####### [Event 4826 S: Boot Configuration Data loaded.](event-4826.md) +####### [Event 4909: The local policy settings for the TBS were changed.](event-4909.md) +####### [Event 4910: The group policy settings for the TBS were changed.](event-4910.md) +####### [Event 5063 S, F: A cryptographic provider operation was attempted.](event-5063.md) +####### [Event 5064 S, F: A 
cryptographic context operation was attempted.](event-5064.md) +####### [Event 5065 S, F: A cryptographic context modification was attempted.](event-5065.md) +####### [Event 5066 S, F: A cryptographic function operation was attempted.](event-5066.md) +####### [Event 5067 S, F: A cryptographic function modification was attempted.](event-5067.md) +####### [Event 5068 S, F: A cryptographic function provider operation was attempted.](event-5068.md) +####### [Event 5069 S, F: A cryptographic function property operation was attempted.](event-5069.md) +####### [Event 5070 S, F: A cryptographic function property modification was attempted.](event-5070.md) +####### [Event 5447 S: A Windows Filtering Platform filter has been changed.](event-5447.md) +####### [Event 6144 S: Security policy in the group policy objects has been applied successfully.](event-6144.md) +####### [Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.](event-6145.md) +###### [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) +####### [Event 4673 S, F: A privileged service was called.](event-4673.md) +####### [Event 4674 S, F: An operation was attempted on a privileged object.](event-4674.md) +####### [Event 4985 S: The state of a transaction has changed.](event-4985.md) +###### [Audit Non Sensitive Privilege Use](audit-non-sensitive-privilege-use.md) +####### [Event 4673 S, F: A privileged service was called.](event-4673.md) +####### [Event 4674 S, F: An operation was attempted on a privileged object.](event-4674.md) +####### [Event 4985 S: The state of a transaction has changed.](event-4985.md) +###### [Audit Other Privilege Use Events](audit-other-privilege-use-events.md) +####### [Event 4985 S: The state of a transaction has changed.](event-4985.md) ###### [Audit IPsec Driver](audit-ipsec-driver.md) ###### [Audit Other System Events](audit-other-system-events.md) +####### [Event 5024 S: The Windows Firewall Service has started 
successfully.](event-5024.md) +####### [Event 5025 S: The Windows Firewall Service has been stopped.](event-5025.md) +####### [Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.](event-5027.md) +####### [Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.](event-5028.md) +####### [Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.](event-5029.md) +####### [Event 5030 F: The Windows Firewall Service failed to start.](event-5030.md) +####### [Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.](event-5032.md) +####### [Event 5033 S: The Windows Firewall Driver has started successfully.](event-5033.md) +####### [Event 5034 S: The Windows Firewall Driver was stopped.](event-5034.md) +####### [Event 5035 F: The Windows Firewall Driver failed to start.](event-5035.md) +####### [Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating.](event-5037.md) +####### [Event 5058 S, F: Key file operation.](event-5058.md) +####### [Event 5059 S, F: Key migration operation.](event-5059.md) +####### [Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.](event-6400.md) +####### [Event 6401: BranchCache: Received invalid data from a peer. 
Data discarded.](event-6401.md) +####### [Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.](event-6402.md) +####### [Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.](event-6403.md) +####### [Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.](event-6404.md) +####### [Event 6405: BranchCache: %2 instances of event id %1 occurred.](event-6405.md) +####### [Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2.](event-6406.md) +####### [Event 6407: 1%.](event-6407.md) +####### [Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.](event-6408.md) +####### [Event 6409: BranchCache: A service connection point object could not be parsed.](event-6409.md) ###### [Audit Security State Change](audit-security-state-change.md) +####### [Event 4608 S: Windows is starting up.](event-4608.md) +####### [Event 4616 S: The system time was changed.](event-4616.md) +####### [Event 4621 S: Administrator recovered system from CrashOnAuditFail.](event-4621.md) ###### [Audit Security System Extension](audit-security-system-extension.md) +####### [Event 4610 S: An authentication package has been loaded by the Local Security Authority.](event-4610.md) +####### [Event 4611 S: A trusted logon process has been registered with the Local Security Authority.](event-4611.md) +####### [Event 4614 S: A notification package has been loaded by the Security Account Manager.](event-4614.md) +####### [Event 4622 S: A security package has been loaded by the Local Security Authority.](event-4622.md) +####### [Event 4697 S: A service was installed in the system.](event-4697.md) ###### [Audit System Integrity](audit-system-integrity.md) +####### [Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some 
audits.](event-4612.md) +####### [Event 4615 S: Invalid use of LPC port.](event-4615.md) +####### [Event 4618 S: A monitored security event pattern has occurred.](event-4618.md) +####### [Event 4816 S: RPC detected an integrity violation while decrypting an incoming message.](event-4816.md) +####### [Event 5038 F: Code integrity determined that the image hash of a file is not valid.](event-5038.md) +####### [Event 5056 S: A cryptographic self-test was performed.](event-5056.md) +####### [Event 5062 S: A kernel-mode cryptographic self-test was performed.](event-5062.md) +####### [Event 5057 F: A cryptographic primitive operation failed.](event-5057.md) +####### [Event 5060 F: Verification operation failed.](event-5060.md) +####### [Event 5061 S, F: Cryptographic operation.](event-5061.md) +####### [Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid.](event-6281.md) +####### [Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.](event-6410.md) +###### [Other Events](other-events.md) +####### [Event 1100 S: The event logging service has shut down.](event-1100.md) +####### [Event 1102 S: The audit log was cleared.](event-1102.md) +####### [Event 1104 S: The security log is now full.](event-1104.md) +####### [Event 1105 S: Event log automatic backup.](event-1105.md) +####### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](event-1108.md) +###### [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md) ###### [Registry (Global Object Access Auditing) ](registry-global-object-access-auditing.md) ###### [File System (Global Object Access Auditing) ](file-system-global-object-access-auditing.md) ### [Security policy settings](security-policy-settings.md) 
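Review bot: the entry `+####### [Event 6407: 1%.](event-6407.md)` under Audit Other System Events looks like a mangled placeholder; the neighbouring 6405, 6406 and 6408 titles use the `%1`/`%2` form, so this should read `Event 6407: %1.` (or carry the event's actual title) before it ships. Two smaller points in the same hunk: the Privilege Use rename drops the hyphen (`-###### [Audit Non-Sensitive Privilege Use ]` becomes `+###### [Audit Non Sensitive Privilege Use]`) while the target file is still `audit-non-sensitive-privilege-use.md`, so keep the hyphen for consistency with the other titles; and the event IDs under several categories are not in numeric order (4662 before 4661 under Audit Directory Service Access, 4964 before 4672 under Audit Special Logon, 4663 before 4656 under Audit Registry, 4904/4905 after 4912 under Audit Audit Policy Change), which makes the lists harder to scan. Also worth confirming: that the build accepts the seven-`#` nesting introduced here, that the repeated entries linking the same page from several categories are intended (event-4625.md under both Audit Account Lockout and Audit Logon; event-4656/4658/4660/4663 under Audit File System, Audit Kernel Object and Audit Registry), and whether `Event 4782 S: The password hash an account was accessed.` is missing "of" or deliberately mirrors the event's own message text.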
@@ -429,6 +692,115 @@ #### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) #### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) #### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) +### [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) +#### [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md) +#### [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2.md) +#### [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) +#### [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) +##### [Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) +##### [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) +###### [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) +###### [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md) +###### [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md) +###### [Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-devices.md) +##### [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) +###### [Basic Firewall Policy Design](basic-firewall-policy-design.md) +###### [Domain Isolation Policy 
Design](domain-isolation-policy-design.md) +###### [Server Isolation Policy Design](server-isolation-policy-design.md) +###### [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md) +##### [Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) +###### [Firewall Policy Design Example](firewall-policy-design-example.md) +###### [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) +###### [Server Isolation Policy Design Example](server-isolation-policy-design-example.md) +###### [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md) +##### [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) +###### [Gathering the Information You Need](gathering-the-information-you-need.md) +####### [Gathering Information about Your Current Network Infrastructure](gathering-information-about-your-current-network-infrastructure.md) +####### [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md) +####### [Gathering Information about Your Computers](gathering-information-about-your-devices.md) +####### [Gathering Other Relevant Information](gathering-other-relevant-information.md) +###### [Determining the Trusted State of Your Computers](determining-the-trusted-state-of-your-devices.md) +##### [Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) +###### [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) +###### [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) +####### [Exemption List](exemption-list.md) +####### [Isolated Domain](isolated-domain.md) +####### [Boundary Zone](boundary-zone.md) +####### 
[Encryption Zone](encryption-zone.md) +###### [Planning Server Isolation Zones](planning-server-isolation-zones.md) +###### [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) +###### [Documenting the Zones](documenting-the-zones.md) +###### [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) +####### [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md) +####### [Planning Network Access Groups](planning-network-access-groups.md) +####### [Planning the GPOs](planning-the-gpos.md) +######## [Firewall GPOs](firewall-gpos.md) +######### [GPO_DOMISO_Firewall](gpo-domiso-firewall.md) +######## [Isolated Domain GPOs](isolated-domain-gpos.md) +######### [GPO_DOMISO_IsolatedDomain_Clients](gpo-domiso-isolateddomain-clients.md) +######### [GPO_DOMISO_IsolatedDomain_Servers](gpo-domiso-isolateddomain-servers.md) +######## [Boundary Zone GPOs](boundary-zone-gpos.md) +######### [GPO_DOMISO_Boundary](gpo-domiso-boundary.md) +######## [Encryption Zone GPOs](encryption-zone-gpos.md) +######### [GPO_DOMISO_Encryption](gpo-domiso-encryption.md) +######## [Server Isolation GPOs](server-isolation-gpos.md) +####### [Planning GPO Deployment](planning-gpo-deployment.md) +##### [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) +#### [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) +##### [Planning to Deploy Windows Firewall with Advanced Security](planning-to-deploy-windows-firewall-with-advanced-security.md) +##### [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) +##### [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md) +##### [Checklist: Implementing a 
Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md) +###### [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md) +###### [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md) +###### [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md) +##### [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md) +###### [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md) +###### [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md) +###### [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md) +###### [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md) +##### [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md) +###### [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md) +###### [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md) +##### [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md) +##### [Procedures Used in This Guide](procedures-used-in-this-guide.md) +###### [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md) +###### [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) +###### [Assign Security Group Filters to the 
GPO](assign-security-group-filters-to-the-gpo.md) +###### [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md) +###### [Configure Authentication Methods](configure-authentication-methods.md) +###### [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md) +###### [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md) +###### [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md) +###### [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md) +###### [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md) +###### [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md) +###### [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) +###### [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md) +###### [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) +###### [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) +###### [Create a Group Policy Object](create-a-group-policy-object.md) +###### [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md) +###### [Create an Authentication Request Rule](create-an-authentication-request-rule.md) +###### [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md) +###### [Create an Inbound Port Rule](create-an-inbound-port-rule.md) +###### [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) +###### [Create an Outbound Port Rule](create-an-outbound-port-rule.md) +###### [Create an Outbound Program or Service 
Rule](create-an-outbound-program-or-service-rule.md) +###### [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md) +###### [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) +###### [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md) +###### [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md) +###### [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md) +###### [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) +###### [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) +###### [Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md) +###### [Open the Group Policy Management Console to Windows Firewall](open-the-group-policy-management-console-to-windows-firewall.md) +###### [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) +###### [Open Windows Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md) +###### [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md) +###### [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md) +###### [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md) ## [Enterprise security guides](windows-10-enterprise-security-guides.md) ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) ### [Device Guard deployment guide](device-guard-deployment-guide.md) 
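Review bot: the TOC entries in this hunk disagree with their own file names on terminology: `[Gathering Information about Your Computers](gathering-information-about-your-devices.md)` and `[Determining the Trusted State of Your Computers](determining-the-trusted-state-of-your-devices.md)` pair a "Computers" title with a "-devices" file, while the procedure entries further down ("Add Production Devices to the Membership Group for a Zone", "Add Test Devices to the Membership Group for a Zone") already say "Devices". Pick one term for the titles (the file names suggest "Devices") so the TOC text matches the H1 of each topic and readers do not see two names for the same concept in one guide.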
diff --git a/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md b/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md index f6f7140989..ff24a84d8c 100644 --- a/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md +++ b/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md @@ -2,7 +2,7 @@ title: Access Credential Manager as a trusted caller (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Access Credential Manager as a trusted caller security policy setting. ms.assetid: a51820d2-ca5b-47dd-8e9b-d7008603db88 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/access-this-computer-from-the-network.md b/windows/keep-secure/access-this-computer-from-the-network.md index 00a88b6ba8..1cb598fcfd 100644 --- a/windows/keep-secure/access-this-computer-from-the-network.md +++ b/windows/keep-secure/access-this-computer-from-the-network.md @@ -2,7 +2,7 @@ title: Access this computer from the network (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Access this computer from the network security policy setting. ms.assetid: f6767bc2-83d1-45f1-847c-54f5362db022 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/account-lockout-duration.md b/windows/keep-secure/account-lockout-duration.md index 9b8fd5a9f4..1d438057a4 100644 --- a/windows/keep-secure/account-lockout-duration.md +++ b/windows/keep-secure/account-lockout-duration.md 
@@ -2,7 +2,7 @@ title: Account lockout duration (Windows 10) description: Describes the best practices, location, values, and security considerations for the Account lockout duration security policy setting. ms.assetid: a4167bf4-27c3-4a9b-8ef0-04e3c6ec3aa4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/account-lockout-policy.md b/windows/keep-secure/account-lockout-policy.md index edf3c1a723..6a13c989d3 100644 --- a/windows/keep-secure/account-lockout-policy.md +++ b/windows/keep-secure/account-lockout-policy.md @@ -2,7 +2,7 @@ title: Account Lockout Policy (Windows 10) description: Describes the Account Lockout Policy settings and links to information about each policy setting. ms.assetid: eb968c28-17c5-405f-b413-50728cb7b724 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/account-lockout-threshold.md b/windows/keep-secure/account-lockout-threshold.md index 56fedf53b7..828a524fe0 100644 --- a/windows/keep-secure/account-lockout-threshold.md +++ b/windows/keep-secure/account-lockout-threshold.md @@ -2,7 +2,7 @@ title: Account lockout threshold (Windows 10) description: Describes the best practices, location, values, and security considerations for the Account lockout threshold security policy setting. ms.assetid: 4904bb40-a2bd-4fef-a102-260ba8d74e30 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/account-policies.md b/windows/keep-secure/account-policies.md index 487d575c7f..ca8fb5a3b4 100644 --- a/windows/keep-secure/account-policies.md +++ b/windows/keep-secure/account-policies.md 
@@ -2,7 +2,7 @@ title: Account Policies (Windows 10) description: An overview of account policies in Windows and provides links to policy descriptions. ms.assetid: 711b3797-b87a-4cd9-a2e3-1f8ef18688fb -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/accounts-administrator-account-status.md b/windows/keep-secure/accounts-administrator-account-status.md index 6c992c3bcb..5a3cde966e 100644 --- a/windows/keep-secure/accounts-administrator-account-status.md +++ b/windows/keep-secure/accounts-administrator-account-status.md @@ -2,7 +2,7 @@ title: Accounts Administrator account status (Windows 10) description: Describes the best practices, location, values, and security considerations for the Accounts Administrator account status security policy setting. ms.assetid: 71a3bd48-1014-49e0-a936-bfe9433af23e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/accounts-block-microsoft-accounts.md b/windows/keep-secure/accounts-block-microsoft-accounts.md index a482a7a88c..cc479c5bc2 100644 --- a/windows/keep-secure/accounts-block-microsoft-accounts.md +++ b/windows/keep-secure/accounts-block-microsoft-accounts.md @@ -2,7 +2,7 @@ title: Accounts Block Microsoft accounts (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Accounts Block Microsoft accounts security policy setting. ms.assetid: 94c76f45-057c-4d80-8d01-033cf28ef2f7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/accounts-guest-account-status.md b/windows/keep-secure/accounts-guest-account-status.md index 2e66ee3ae1..f9054008ac 100644 --- a/windows/keep-secure/accounts-guest-account-status.md +++ b/windows/keep-secure/accounts-guest-account-status.md 
@@ -2,7 +2,7 @@ title: Accounts Guest account status (Windows 10) description: Describes the best practices, location, values, and security considerations for the Accounts Guest account status security policy setting. ms.assetid: 07e53fc5-b495-4d02-ab42-5b245d10d0ce -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/keep-secure/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md index 9d8ddd27c9..eb700fe6ec 100644 --- a/windows/keep-secure/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md +++ b/windows/keep-secure/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md @@ -2,7 +2,7 @@ title: Accounts Limit local account use of blank passwords to console logon only (Windows 10) description: Describes the best practices, location, values, and security considerations for the Accounts Limit local account use of blank passwords to console logon only security policy setting. ms.assetid: a1bfb58b-1ae8-4de9-832b-aa889a6e64bd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/accounts-rename-administrator-account.md b/windows/keep-secure/accounts-rename-administrator-account.md index 8873990424..5c79c1d38b 100644 --- a/windows/keep-secure/accounts-rename-administrator-account.md +++ b/windows/keep-secure/accounts-rename-administrator-account.md @@ -2,7 +2,7 @@ title: Accounts Rename administrator account (Windows 10) description: This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting. ms.assetid: d21308eb-7c60-4e48-8747-62b8109844f9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/accounts-rename-guest-account.md b/windows/keep-secure/accounts-rename-guest-account.md index f82b907968..aa06c480c3 100644 --- a/windows/keep-secure/accounts-rename-guest-account.md +++ b/windows/keep-secure/accounts-rename-guest-account.md @@ -2,7 +2,7 @@ title: Accounts Rename guest account (Windows 10) description: Describes the best practices, location, values, and security considerations for the Accounts Rename guest account security policy setting. ms.assetid: 9b8052b4-bbb9-4cc1-bfee-ce25390db707 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/act-as-part-of-the-operating-system.md b/windows/keep-secure/act-as-part-of-the-operating-system.md index 5d4a39d466..a35393e223 100644 --- a/windows/keep-secure/act-as-part-of-the-operating-system.md +++ b/windows/keep-secure/act-as-part-of-the-operating-system.md @@ -2,7 +2,7 @@ title: Act as part of the operating system (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Act as part of the operating system security policy setting. ms.assetid: c1b7e084-a9f7-4377-b678-07cc913c8b0c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md b/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md index 214bc1763d..8e62ff36b5 100644 --- a/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md +++ b/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md 
@@ -2,7 +2,7 @@ title: AD DS schema extensions to support TPM backup (Windows 10) description: This topic provides more details about this change and provides template schema extensions that you can incorporate into your organization. ms.assetid: beb7097c-e674-4eab-b8e2-6f67c85d1f3f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md index 3f9700cfb4..eb028e5f03 100644 --- a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md +++ b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md @@ -2,9 +2,10 @@ title: Add multiple apps to your enterprise data protection (EDP) Protected Apps list (Windows 10) description: Add multiple apps to your enterprise data protection (EDP) Protected Apps list at the same time, by using the Microsoft Intune Custom URI functionality and the AppLocker. ms.assetid: b50db35d-a2a9-4b78-a95d-a1b066e66880 -keywords: ["EDP", "Enterprise Data Protection", "protected apps", "protected app list"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection, protected apps, protected app list +ms.prod: w10 ms.mktglfcycl: explore +ms.pagetype: security ms.sitesec: library author: eross-msft --- diff --git a/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md new file mode 100644 index 0000000000..fc07133c99 --- /dev/null +++ b/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md 
@@ -0,0 +1,83 @@ +--- +title: Add Production Devices to the Membership Group for a Zone (Windows 10) +description: Add Production Devices to the Membership Group for a Zone +ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Add Production Devices to the Membership Group for a Zone + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + + +After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices. + +**Caution**   +For GPOs that contain connection security rules that prevent unauthenticated connections, be sure to set the rules to request, not require, authentication during testing. After you deploy the GPO and confirm that all of your devices are successfully communicating by using authenticated IPsec, then you can modify the GPO to require authentication. Do not change the boundary zone GPO to require mode. + +  + +The method discussed in this guide uses the **Domain Computers** built-in group. The advantage of this method is that all new devices that are joined to the domain automatically receive the isolated domain GPO. To do this successfully, you must make sure that the WMI filters and security group filters exclude devices that must not receive the GPOs. Use device groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the CG\_DOMISO\_NOIPSEC example design. Devices that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md). + +Without such a group (or groups), you must either add devices individually or use the groups containing device accounts that are available to you. 
+ +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO. + +In this topic: + +- [Add the group Domain Devices to the GPO membership group](#to-add-domain-devices-to-the-gpo-membership-group) + +- [Refresh Group Policy on the devices in the membership group](#to-refresh-group-policy-on-a-device) + +- [Check which GPOs apply to a device](#to-see-what-gpos-are-applied-to-a-device) + +## To add domain devices to the GPO membership group + +1. Open Active Directory Users and Computers. + +2. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then the container in which you created the membership group. + +3. In the details pane, double-click the GPO membership group to which you want to add computers. + +4. Select the **Members** tab, and then click **Add**. + +5. Type **Domain Computers** in the text box, and then click **OK**. + +6. Click **OK** to close the group properties dialog box. + +After a computer is a member of the group, you can force a Group Policy refresh on the computer. + +## To refresh Group Policy on a device + +From an elevated command prompt, type the following: + +``` syntax +gpupdate /target:computer /force +``` + +After Group Policy is refreshed, you can see which GPOs are currently applied to the computer. + +## To see which GPOs are applied to a device + +From an elevated command prompt, type the following: + +``` syntax +gpresult /r /scope:computer +``` + +  + +  + + + + + diff --git a/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md index c05eb4ebd2..d99dda899b 100644 --- a/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md 
+++ b/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md @@ -2,7 +2,7 @@ title: Add rules for packaged apps to existing AppLocker rule-set (Windows 10) description: This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT). ms.assetid: 758c2a9f-c2a3-418c-83bc-fd335a94097f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md new file mode 100644 index 0000000000..f5f2edf9d6 --- /dev/null +++ b/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md 
@@ -0,0 +1,77 @@ +--- +title: Add Test Devices to the Membership Group for a Zone (Windows 10) +description: Add Test Devices to the Membership Group for a Zone +ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Add Test Devices to the Membership Group for a Zone + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a small number of devices only to be sure that the correct GPOs are being processed by each device. + +Add at least one device of each supported operating system type to each membership group. Make sure every GPO for a specific version of Windows and membership group has a device among the test group. After Group Policy has been refreshed on each test device, check the output of the **gpresult** command to confirm that each device is receiving only the GPOs it is supposed to receive. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO. + +In this topic: + +- [Add the test devices to the GPO membership groups](#to-add-domain-devices-to-the-gpo-membership-group) + +- [Refresh Group Policy on the devices in each membership group](#to-refresh-group-policy-on-a-device) + +- [Check which GPOs apply to a device](#to-see-what-gpos-are-applied-to-a-device) + +## To add test devices to the GPO membership groups + +1. 
Open Active Directory Users and Computers. + +2. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then expand the container that holds your membership group account. + +3. In the details pane, double-click the GPO membership group to which you want to add devices. + +4. Select the **Members** tab, and then click **Add**. + +5. Type the name of the device in the text box, and then click **OK**. + +6. Repeat steps 5 and 6 for each additional device account or group that you want to add. + +7. Click **OK** to close the group properties dialog box. + +After a device is a member of the group, you can force a Group Policy refresh on the device. + +## To refresh Group Policy on a device + +From a elevated command prompt, run the following: + +``` syntax +gpupdate /target:device /force +``` + +After Group Policy is refreshed, you can see which GPOs are currently applied to the device. + +## To see which GPOs are applied to a device + +From an elevated command prompt, run the following: + +``` syntax +gpresult /r /scope:computer +``` + +  + +  + + + + + diff --git a/windows/keep-secure/add-workstations-to-domain.md b/windows/keep-secure/add-workstations-to-domain.md index 7cdeb90a8b..fac531b419 100644 --- a/windows/keep-secure/add-workstations-to-domain.md +++ b/windows/keep-secure/add-workstations-to-domain.md @@ -2,7 +2,7 @@ title: Add workstations to domain (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Add workstations to domain security policy setting. ms.assetid: b0c21af4-c928-4344-b1f1-58ef162ad0b3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md b/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md index 604d4ba268..93d466aa32 100644 
--- a/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md @@ -3,8 +3,9 @@ title: Additional Windows Defender ATP configuration settings description: Use the Group Policy Console to configure settings that enable sample sharing from your endpoints. These settings are used in the deep analysis feature. keywords: configuration settings, Windows Defender ATP configuration settings, Windows Defender Advanced Threat Protection configuration settings, group policy Management Editor, computer configuration, policies, administrative templates, search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: security ms.sitesec: library author: mjcaparas --- diff --git a/windows/keep-secure/adjust-memory-quotas-for-a-process.md b/windows/keep-secure/adjust-memory-quotas-for-a-process.md index 4568ef9fe0..44fe866134 100644 --- a/windows/keep-secure/adjust-memory-quotas-for-a-process.md +++ b/windows/keep-secure/adjust-memory-quotas-for-a-process.md @@ -2,7 +2,7 @@ title: Adjust memory quotas for a process (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Adjust memory quotas for a process security policy setting. ms.assetid: 6754a2c8-6d07-4567-9af3-335fd8dd7626 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/administer-applocker.md b/windows/keep-secure/administer-applocker.md index 232b69b1ef..0940acac92 100644 --- a/windows/keep-secure/administer-applocker.md +++ b/windows/keep-secure/administer-applocker.md 
@@ -2,7 +2,7 @@ title: Administer AppLocker (Windows 10) description: This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. ms.assetid: 511a3b6a-175f-4d6d-a6e0-c1780c02e818 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/administer-security-policy-settings.md b/windows/keep-secure/administer-security-policy-settings.md index 59bc1ce37f..de0baa4b22 100644 --- a/windows/keep-secure/administer-security-policy-settings.md +++ b/windows/keep-secure/administer-security-policy-settings.md @@ -2,7 +2,7 @@ title: Administer security policy settings (Windows 10) description: This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization. ms.assetid: 7617d885-9d28-437a-9371-171197407599 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/advanced-security-audit-policy-settings.md b/windows/keep-secure/advanced-security-audit-policy-settings.md index 5b5faf0b14..14ecaca52f 100644 --- a/windows/keep-secure/advanced-security-audit-policy-settings.md +++ b/windows/keep-secure/advanced-security-audit-policy-settings.md @@ -2,7 +2,7 @@ title: Advanced security audit policy settings (Windows 10) description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/advanced-security-auditing-faq.md b/windows/keep-secure/advanced-security-auditing-faq.md index eef52f8d63..3bfa640035 100644 --- a/windows/keep-secure/advanced-security-auditing-faq.md +++ b/windows/keep-secure/advanced-security-auditing-faq.md 
@@ -2,7 +2,7 @@ title: Advanced security auditing FAQ (Windows 10) description: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. ms.assetid: 80f8f187-0916-43c2-a7e8-ea712b115a06 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/advanced-security-auditing.md b/windows/keep-secure/advanced-security-auditing.md index 5ed85a625d..bdec74db1c 100644 --- a/windows/keep-secure/advanced-security-auditing.md +++ b/windows/keep-secure/advanced-security-auditing.md @@ -2,7 +2,7 @@ title: Advanced security audit policies (Windows 10) description: Advanced security audit policy settings are found in Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies and appear to overlap with basic security audit policies, but they are recorded and applied differently. ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md index ee4ce0a4a9..46dddb36a1 100644 --- a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: View and organize the Windows Defender ATP Alerts queue description: Learn about how the Windows Defender ATP alerts queue work, and how to sort and filter lists of alerts. keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- 
diff --git a/windows/keep-secure/allow-log-on-locally.md b/windows/keep-secure/allow-log-on-locally.md index fdfa7ab402..3cbeacb088 100644 --- a/windows/keep-secure/allow-log-on-locally.md +++ b/windows/keep-secure/allow-log-on-locally.md @@ -2,7 +2,7 @@ title: Allow log on locally (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on locally security policy setting. ms.assetid: d9e5e1f3-3bff-4da7-a9a2-4bb3e0c79055 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/allow-log-on-through-remote-desktop-services.md b/windows/keep-secure/allow-log-on-through-remote-desktop-services.md index cc51c9cbea..d409837c30 100644 --- a/windows/keep-secure/allow-log-on-through-remote-desktop-services.md +++ b/windows/keep-secure/allow-log-on-through-remote-desktop-services.md @@ -2,7 +2,7 @@ title: Allow log on through Remote Desktop Services (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on through Remote Desktop Services security policy setting. ms.assetid: 6267c376-8199-4f2b-ae56-9c5424e76798 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md new file mode 100644 index 0000000000..f72093bb1e --- /dev/null +++ b/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md 
@@ -0,0 +1,93 @@ +--- +title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows 10) +description: Appendix A Sample GPO Template Files for Settings Used in this Guide +ms.assetid: 75930afd-ab1b-4e53-915b-a28787814b38 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Appendix A: Sample GPO Template Files for Settings Used in this Guide + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). + +To manually create the file, build the settings under **Computer Configuration**, **Preferences**, **Windows Settings**, **Registry**. After you have created the settings, drag the container to the desktop. An .xml file is created there. + +To import an .xml file to GPMC, drag it and drop it on the **Registry** node under **Computer Configuration**, **Preferences**, **Windows Settings**. If you copy the following sample XML code to a file, and then drag and drop it on the **Registry** node, it creates a **Server and Domain Isolation** collection with the six registry keys discussed in this guide. + +The following sample file uses item-level targeting to ensure that the registry keys are applied only on the versions of Windows to which they apply. + +>**Note:**  The file shown here is for sample use only. It should be customized to meet the requirements of your organization’s deployment. To customize this file, import it into a test GPO, modify the settings, and then drag the Server and Domain Isolation Settings node to your desktop. The new file will contain all of your customization. + +``` syntax + + + + + + + + + + + + + + + + + +``` 
diff --git a/windows/keep-secure/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/keep-secure/appendix-a-security-monitoring-recommendations-for-many-audit-events.md new file mode 100644 index 0000000000..736833b790 --- /dev/null +++ b/windows/keep-secure/appendix-a-security-monitoring-recommendations-for-many-audit-events.md @@ -0,0 +1,29 @@ +--- +title: Appendix A, Security monitoring recommendations for many audit events (Windows 10) +description: Appendix A, Security monitoring recommendations for many audit events +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# Appendix A: Security monitoring recommendations for many audit events + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This document, the [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) reference, provides information about individual audit events, and lists them within audit categories and subcategories. However, there are many events for which the following overall recommendations apply. There are links throughout this document from the “Recommendations” sections of the relevant events to this appendix. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor relevant events for the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor relevant events for the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | Monitor the relevant events for **“Subject\\Security ID”** accounts that are outside the whitelist of accounts. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | Identify events that correspond to the actions you want to monitor, and for those events, review the **“Subject\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. 
| +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | diff --git a/windows/keep-secure/applocker-architecture-and-components.md b/windows/keep-secure/applocker-architecture-and-components.md index 39e8bbf34c..98760516ec 100644 --- a/windows/keep-secure/applocker-architecture-and-components.md +++ b/windows/keep-secure/applocker-architecture-and-components.md @@ -2,7 +2,7 @@ title: AppLocker architecture and components (Windows 10) description: This topic for IT professional describes AppLocker’s basic architecture and its major components. ms.assetid: efdd8494-553c-443f-bd5f-c8976535135a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-functions.md b/windows/keep-secure/applocker-functions.md index d3ab5362dd..eaad056c7a 100644 --- a/windows/keep-secure/applocker-functions.md +++ b/windows/keep-secure/applocker-functions.md @@ -2,7 +2,7 @@ title: AppLocker functions (Windows 10) description: This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. ms.assetid: bf704198-9e74-4731-8c5a-ee0512df34d2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-overview.md b/windows/keep-secure/applocker-overview.md index 6918af6f1e..954c093d80 100644 --- a/windows/keep-secure/applocker-overview.md +++ b/windows/keep-secure/applocker-overview.md 
@@ -2,7 +2,7 @@ title: AppLocker (Windows 10) description: This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. ms.assetid: 94b57864-2112-43b6-96fb-2863c985dc9a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-policies-deployment-guide.md b/windows/keep-secure/applocker-policies-deployment-guide.md index f0bce74c2a..2adc3ff79b 100644 --- a/windows/keep-secure/applocker-policies-deployment-guide.md +++ b/windows/keep-secure/applocker-policies-deployment-guide.md @@ -2,7 +2,7 @@ title: AppLocker deployment guide (Windows 10) description: This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. ms.assetid: 38632795-be13-46b0-a7af-487a4340bea1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-policies-design-guide.md b/windows/keep-secure/applocker-policies-design-guide.md index 7954db3edb..2e331c4fb8 100644 --- a/windows/keep-secure/applocker-policies-design-guide.md +++ b/windows/keep-secure/applocker-policies-design-guide.md @@ -2,7 +2,7 @@ title: AppLocker design guide (Windows 10) description: This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. ms.assetid: 1c8e4a7b-3164-4eb4-9277-11b1d5a09c7b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-policy-use-scenarios.md b/windows/keep-secure/applocker-policy-use-scenarios.md index ce30809f52..64a8fd4db0 100644 --- a/windows/keep-secure/applocker-policy-use-scenarios.md +++ b/windows/keep-secure/applocker-policy-use-scenarios.md 
@@ -2,7 +2,7 @@ title: AppLocker policy use scenarios (Windows 10) description: This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. ms.assetid: 33f71578-89f0-4063-ac04-cf4f4ca5c31f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-processes-and-interactions.md b/windows/keep-secure/applocker-processes-and-interactions.md index 0243055da8..5f07c7d07f 100644 --- a/windows/keep-secure/applocker-processes-and-interactions.md +++ b/windows/keep-secure/applocker-processes-and-interactions.md @@ -2,7 +2,7 @@ title: AppLocker processes and interactions (Windows 10) description: This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. ms.assetid: 0beec616-6040-4be7-8703-b6c919755d8e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-settings.md b/windows/keep-secure/applocker-settings.md index 77509f8e43..7af2350b9d 100644 --- a/windows/keep-secure/applocker-settings.md +++ b/windows/keep-secure/applocker-settings.md @@ -2,7 +2,7 @@ title: AppLocker settings (Windows 10) description: This topic for the IT professional lists the settings used by AppLocker. ms.assetid: 9cb4aa19-77c0-4415-9968-bd07dab86839 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-technical-reference.md b/windows/keep-secure/applocker-technical-reference.md index 164a159782..1c797a1679 100644 --- a/windows/keep-secure/applocker-technical-reference.md +++ b/windows/keep-secure/applocker-technical-reference.md 
@@ -2,7 +2,7 @@ title: AppLocker technical reference (Windows 10) description: This overview topic for IT professionals provides links to the topics in the technical reference. ms.assetid: 2b2678f8-c46b-4e1d-b8c5-037c0be255ab -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md index 5828778660..fd5dcf7155 100644 --- a/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -2,7 +2,7 @@ title: Apply a basic audit policy on a file or folder (Windows 10) description: You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log. ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/assign-security-group-filters-to-the-gpo.md b/windows/keep-secure/assign-security-group-filters-to-the-gpo.md new file mode 100644 index 0000000000..f6dcdfddf4 --- /dev/null +++ b/windows/keep-secure/assign-security-group-filters-to-the-gpo.md 
@@ -0,0 +1,70 @@ +--- +title: Assign Security Group Filters to the GPO (Windows 10) +description: Assign Security Group Filters to the GPO +ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Assign Security Group Filters to the GPO + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO. + +>**Important:**  This deployment guide uses the method of adding the Domain Computers group to the membership group for the main isolated domain after testing is complete and you are ready to go live in production. To make this method work, you must prevent any computer that is a member of either the boundary or encryption zone from applying the GPO for the main isolated domain. For example, on the GPOs for the main isolated domain, deny Read and Apply Group Policy permissions to the membership groups for the boundary and encryption zones. + +  + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the relevant GPOs. + +In this topic: + +- [Allow members of a group to apply a GPO](#to-allow-members-of-a-group-to-apply-a-gpo) + +- [Prevent members of a group from applying a GPO](#to-prevent-members-of-a-group-from-applying-a-gpo) + +## To allow members of a group to apply a GPO + +Use the following procedure to add a group to the security filter on the GPO that allows group members to apply the GPO. + +1. Open the Group Policy Management console. + +2. In the navigation pane, find and then click the GPO that you want to modify. + +3. In the details pane, under **Security Filtering**, click **Authenticated Users**, and then click **Remove**. 
+ + >**Note:**  You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify. + +4. Click **Add**. + +5. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to apply the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain. + +## To prevent members of a group from applying a GPO + +Use the following procedure to add a group to the security filter on the GPO that prevents group members from applying the GPO. This is typically used to prevent members of the boundary and encryption zones from applying the GPOs for the isolated domain. + +1. Open the Group Policy Management console. + +2. In the navigation pane, find and then click the GPO that you want to modify. + +3. In the details pane, click the **Delegation** tab. + +4. Click **Advanced**. + +5. Under the **Group or user names** list, click **Add**. + +6. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to be prevented from applying the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain. + +7. Select the group in the **Group or user names** list, and then select the box in the **Deny** column for both **Read** and **Apply group policy**. + +8. Click **OK**, and then in the **Windows Security** dialog box, click **Yes**. + +9. The group appears in the list with **Custom** permissions. diff --git a/windows/keep-secure/audit-account-lockout.md b/windows/keep-secure/audit-account-lockout.md index 6c7ebbb0e2..5aa153c7ac 100644 --- a/windows/keep-secure/audit-account-lockout.md +++ b/windows/keep-secure/audit-account-lockout.md 
@@ -2,35 +2,37 @@ title: Audit Account Lockout (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Account Lockout, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out. ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Account Lockout **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit Account Lockout**, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out. + +Audit Account Lockout enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out. If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and failure audits record unsuccessful attempts. Account lockout events are essential for understanding user activity and detecting potential attacks. -Event volume: Low +**Event volume**: Low. -Default setting: Success +This subcategory failure logon attempts, when account was already locked out. -| Event ID | Event message | -| - | - | -| 4625 | An account failed to log on. 
| -  -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).
This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. | +| Member Server | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).
This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. | +| Workstation | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).
This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. | + +**Events List:** + +- [4625](event-4625.md)(F): An account failed to log on. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-application-generated.md b/windows/keep-secure/audit-application-generated.md index f7c31ca13a..fa461c2535 100644 --- a/windows/keep-secure/audit-application-generated.md +++ b/windows/keep-secure/audit-application-generated.md 
@@ -2,39 +2,37 @@ title: Audit Application Generated (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Application Generated, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs). ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Application Generated **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Application Generated**, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs). -The following events can generate audit activity: +Audit Application Generated generates events for actions related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx). -- Creation, deletion, or initialization of an application client context -- Application operations +Audit Application Generated subcategory is out of scope of this document, because [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) is very rarely in use and it is deprecated starting from Windows Server 2012. -Applications that are designed to use the Windows Auditing APIs can use this subcategory to log auditing events that are related to those APIs. The level, volume, relevance, and importance of these audit events depend on the application that generates them. The operating system logs the events as they are generated by the application. 
+| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | IF | IF | IF | IF – if you use [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx), enable this subcategory. | +| Member Server | IF | IF | IF | IF | IF – if you use [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx), enable this subcategory. | +| Workstation | IF | IF | IF | IF | IF – if you use [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx), enable this subcategory. | -Event volume: Depends on the installed app's use of the Windows Auditing APIs +**Events List:** -Default: Not configured +## 4665: An attempt was made to create an application client context. -| Event ID | Event message | -| - | - | -| 4665 | An attempt was made to create an application client context. | -| 4666 | An application attempted an operation: | -| 4667 | An application client context was deleted. | -  -## Related topics +## 4666: An application attempted an operation. + +## 4667: An application client context was deleted. 
+ +## 4668: An application was initialized. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-application-group-management.md b/windows/keep-secure/audit-application-group-management.md index 3055b72f6d..7991c5a92d 100644 --- a/windows/keep-secure/audit-application-group-management.md +++ b/windows/keep-secure/audit-application-group-management.md 
@@ -2,42 +2,49 @@ title: Audit Application Group Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Application Group Management, which determines whether the operating system generates audit events when application group management tasks are performed. ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Application Group Management **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit Application Group Management**, which determines whether the operating system generates audit events when application group management tasks are performed. -Application group management tasks include: +Audit Application Group Management generates events for actions related to [application groups](https://technet.microsoft.com/en-us/library/cc771579.aspx), such as group creation, modification, addition or removal of group member and some other actions. -- An application group is created, changed, or deleted. -- A member is added to or removed from an application group. +[Application groups](https://technet.microsoft.com/en-us/library/cc771579.aspx) are used by [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx). -Event volume: Low +Audit Application Group Management subcategory is out of scope of this document, because [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) is very rarely in use and it is deprecated starting from Windows Server 2012. 
-Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------| +| Domain Controller | - | - | - | - | This subcategory is outside the scope of this document. | +| Member Server | - | - | - | - | This subcategory is outside the scope of this document. | +| Workstation | - | - | - | - | This subcategory is outside the scope of this document. | -| Event ID | Event message | -| - | - | -| 4783 | A basic application group was created. | -| 4784 | A basic application group was changed. | -| 4785 | A member was added to a basic application group. | -| 4786 | A member was removed from a basic application group. | -| 4787 | A non-member was added to a basic application group. | -| 4788 | A non-member was removed from a basic application group. | -| 4789 | A basic application group was deleted. | -| 4790 | An LDAP query group was created. | -  -## Related topics +## 4783(S): A basic application group was created. + +## 4784(S): A basic application group was changed. + +## 4785(S): A member was added to a basic application group. + +## 4786(S): A member was removed from a basic application group. + +## 4787(S): A non-member was added to a basic application group. + +## 4788(S): A non-member was removed from a basic application group. + +## 4789(S): A basic application group was deleted. + +## 4790(S): An LDAP query group was created. + +## 4791(S): An LDAP query group was changed. + +## 4792(S): An LDAP query group was deleted. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-audit-policy-change.md b/windows/keep-secure/audit-audit-policy-change.md index 65b7d6261e..3baaef2ff0 100644 --- a/windows/keep-secure/audit-audit-policy-change.md 
+++ b/windows/keep-secure/audit-audit-policy-change.md @@ -2,54 +2,79 @@ title: Audit Audit Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Audit Policy Change, which determines whether the operating system generates audit events when changes are made to audit policy. ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Audit Policy Change **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Audit Policy Change**, which determines whether the operating system generates audit events when changes are made to audit policy. + +Audit Audit Policy Change determines whether the operating system generates audit events when changes are made to audit policy. + +**Event volume**: Low. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | Almost all events in this subcategory have security relevance and should be monitored.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | Yes | No | Yes | No | Almost all events in this subcategory have security relevance and should be monitored.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | Yes | No | Yes | No | Almost all events in this subcategory have security relevance and should be monitored.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | Changes to audit policy that are audited include: -- Changing permissions and audit settings on the audit policy object (by using **auditpol /set /sd**). -- Changing the system audit policy. -- Registering and unregistering security event sources. -- Changing per-user audit settings. -- Changing the value of **CrashOnAuditFail**. -- Changing audit settings on an object (for example, modifying the system access control list (SACL) for a file or registry key). +- Changing permissions and audit settings on the audit policy object (by using “auditpol /set /sd” command). + +- Changing the system audit policy. + +- Registering and unregistering security event sources. + +- Changing per-user audit settings. + +- Changing the value of CrashOnAuditFail. + +- Changing audit settings on an object (for example, modifying the system access control list ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)) for a file or registry key). + +> **Note**  [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change. - > **Note:** SACL change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change. -   - Changing anything in the Special Groups list. -> **Important:**  Changes to the audit policy are critical security events. 
-  -Event volume: Low +The following events will be enabled with Success auditing in this subcategory: -Default: Success +- 4902(S): The Per-user audit policy table was created. -| Event ID | Event message | -| - | - | -| 4715 | The audit policy (SACL) on an object was changed. | -| 4719 | System audit policy was changed. | -| 4817 | Auditing settings on an object were changed.
**Note: ** This event is logged only on computers running the supported versions of the Windows operating system. | -| 4902 | The Per-user audit policy table was created. | -| 4904 | An attempt was made to register a security event source. | -| 4905 | An attempt was made to unregister a security event source. | -| 4906 | The CrashOnAuditFail value has changed. | -| 4907 | Auditing settings on object were changed. | -| 4908 | Special Groups Logon table modified. | -| 4912 | Per User Audit Policy was changed. | -  -## Related topics +- 4907(S): Auditing settings on object were changed. + +- 4904(S): An attempt was made to register a security event source. + +- 4905(S): An attempt was made to unregister a security event source. + +All other events in this subcategory will be logged regardless of the "Audit Policy Change" setting. + +**Events List:** + +- [4715](event-4715.md)(S): The audit policy (SACL) on an object was changed. + +- [4719](event-4719.md)(S): System audit policy was changed. + +- [4817](event-4817.md)(S): Auditing settings on object were changed. + +- [4902](event-4902.md)(S): The Per-user audit policy table was created. + +- [4906](event-4906.md)(S): The CrashOnAuditFail value has changed. + +- [4907](event-4907.md)(S): Auditing settings on object were changed. + +- [4908](event-4908.md)(S): Special Groups Logon table modified. + +- [4912](event-4912.md)(S): Per User Audit Policy was changed. + +- [4904](event-4904.md)(S): An attempt was made to register a security event source. + +- [4905](event-4905.md)(S): An attempt was made to unregister a security event source. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md b/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md index 767ec7c30a..9fcecc87b1 100644 --- a/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md 
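Review bot: the rewritten list of audited changes in the audit-audit-policy-change.md hunk drops the bullet removed at `-   - Changing anything in the Special Groups list.` while event 4908 "Special Groups Logon table modified" stays in the Events List, so the narrative no longer explains what triggers that event; restore the bullet. The deleted `> **Important:**  Changes to the audit policy are critical security events.` admonition is not carried over either, and it is the one sentence a reader skimming this page most needs; keep it. Two smaller points: 4817 and 4907 now carry the identical text "Auditing settings on object were changed" (the original distinguished 4817 with "an object" and the note that it is logged only on supported versions), and the Events List is out of ID order (4904/4905 after 4912). Finally, this hunk and every other file in the patch delete the `## Related topics` link to advanced-security-audit-policy-settings.md without a replacement cross-link, which leaves the per-subcategory pages with no route back to the overview.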
+++ b/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md @@ -2,7 +2,7 @@ title: Audit Audit the access of global system objects (Windows 10) description: Describes the best practices, location, values, and security considerations for the Audit Audit the access of global system objects security policy setting. ms.assetid: 20d40a79-ce89-45e6-9bb4-148f83958460 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md index 49b518da5a..3bd9ddd1b8 100644 --- a/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md +++ b/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md @@ -2,7 +2,7 @@ title: Audit Audit the use of Backup and Restore privilege (Windows 10) description: Describes the best practices, location, values, and security considerations for the Audit Audit the use of Backup and Restore privilege security policy setting. ms.assetid: f656a2bb-e8d6-447b-8902-53df3a7756c5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-authentication-policy-change.md b/windows/keep-secure/audit-authentication-policy-change.md index e26a96a284..3096a5187c 100644 --- a/windows/keep-secure/audit-authentication-policy-change.md +++ b/windows/keep-secure/audit-authentication-policy-change.md 
@@ -2,55 +2,75 @@ title: Audit Authentication Policy Change (Windows 10) description: This topic for the IT professional describes this Advanced Security Audit policy setting, Audit Authentication Policy Change, which determines whether the operating system generates audit events when changes are made to authentication policy. ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Authentication Policy Change **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes this Advanced Security Audit policy setting, **Audit Authentication Policy Change**, which determines whether the operating system generates audit events when changes are made to authentication policy. + +Audit Authentication Policy Change determines whether the operating system generates audit events when changes are made to authentication policy. Changes made to authentication policy include: - Creation, modification, and removal of forest and domain trusts. -- Changes to Kerberos policy under **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy**. - > **Note:**  The audit event is logged when the policy is applied, not when settings are modified by the administrator. -   -- When any of the following user rights is granted to a user or group: - - **Access this computer from the network** - - **Allow logon locally** - - **Allow logon through Remote Desktop** - - **Logon as a batch job** - - **Logon as a service** +- Changes to Kerberos policy under Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy. 
+ +- When any of the following user logon rights is granted to a user or group: + + - Access this computer from the network + + - Allow logon locally + + - Allow logon through Remote Desktop + + - Logon as a batch job + + - Logon as a service + - Namespace collision, such as when an added trust collides with an existing namespace name. This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted to user accounts or groups. -Event volume: Low +**Event volume**: Low. -Default: Success +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | On domain controllers, it is important to enable Success audit for this subcategory to be able to get information related to operations with domain and forest trusts, changes in Kerberos policy and some other events included in this subcategory.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | Yes | No | Yes | No | On member servers it is important to enable Success audit for this subcategory to be able to get information related to changes in user logon rights policies and password policy changes.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | Yes | No | Yes | No | On workstations it is important to enable Success audit for this subcategory to be able to get information related to changes in user logon rights policies and password policy changes.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | + +**Events List:** + +- [4670](event-4670.md)(S): Permissions on an object were changed + +- [4706](event-4706.md)(S): A new trust was created to a domain. + +- [4707](event-4707.md)(S): A trust to a domain was removed. + +- [4716](event-4716.md)(S): Trusted domain information was modified. + +- [4713](event-4713.md)(S): Kerberos policy was changed. + +- [4717](event-4717.md)(S): System security access was granted to an account. + +- [4718](event-4718.md)(S): System security access was removed from an account. + +- [4739](event-4739.md)(S): Domain Policy was changed. + +- [4864](event-4864.md)(S): A namespace collision was detected. + +- [4865](event-4865.md)(S): A trusted forest information entry was added. + +- [4866](event-4866.md)(S): A trusted forest information entry was removed. + +- [4867](event-4867.md)(S): A trusted forest information entry was modified. -| Event ID | Event message | -| - | - | -| 4713 | Kerberos policy was changed. | -| 4716 | Trusted domain information was modified. | -| 4717 | System security access was granted to an account. | -| 4718 | System security access was removed from an account. | -| 4739 | Domain Policy was changed. | -| 4864 | A namespace collision was detected. | -| 4865 | A trusted forest information entry was added. | -| 4866 | A trusted forest information entry was removed. | -| 4867 | A trusted forest information entry was modified. | -  -## Related topics - - - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-authorization-policy-change.md b/windows/keep-secure/audit-authorization-policy-change.md index 3bff0a5dd9..bb16d06124 100644 --- a/windows/keep-secure/audit-authorization-policy-change.md +++ b/windows/keep-secure/audit-authorization-policy-change.md 
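Review bot: the Kerberos-policy caveat is lost in the audit-authentication-policy-change.md hunk: `> **Note:**  The audit event is logged when the policy is applied, not when settings are modified by the administrator.` is deleted and nothing in the new text replaces it, so a reader who edits Kerberos policy in the GPO editor will expect 4713 immediately and not see it until the policy is applied; restore the note under the Kerberos policy bullet. Also, 4670 "Permissions on an object were changed" is added to this subcategory's Events List and, in the next file of this patch, to Audit Authorization Policy Change as well; if it genuinely fires under both subcategories, add a sentence saying so, otherwise keep it in one place. The Member Server and Workstation comments promise "information related to changes in user logon rights policies and password policy changes", but the intro list of audited changes never mentions password policy; either add it to the list (4739 "Domain Policy was changed" is the closest event in the Events List) or drop it from the comments.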
@@ -2,39 +2,41 @@ title: Audit Authorization Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Authorization Policy Change, which determines whether the operating system generates audit events when specific changes are made to the authorization policy. ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Authorization Policy Change **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Authorization Policy Change**, which determines whether the operating system generates audit events when specific changes are made to the authorization policy. -Authorization policy changes that can be audited include: +Audit Authorization Policy Change allows you to audit assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects. -- Assigning or removing user rights (privileges) such as **SeCreateTokenPrivilege**, except for the system access rights that are audited by using the [Audit Authentication Policy Change](audit-authentication-policy-change.md) subcategory. -- Changing the Encrypting File System (EFS) policy. 
+| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | It is important to enable Success audit for this subcategory to be able to get information related to changes in user rights policies.
Enable Success audit for this subcategory also if you need to monitor changes of resource attributes or Central Access Policy applied to file system objects.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | Yes | No | Yes | No | It is important to enable Success audit for this subcategory to be able to get information related to changes in user rights policies.
Enable Success audit for this subcategory also if you need to monitor changes of resource attributes or Central Access Policy applied to file system objects.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | Yes | No | Yes | No | It is important to enable Success audit for this subcategory to be able to get information related to changes in user rights policies.
Enable Success audit for this subcategory also if you need to monitor changes of resource attributes or Central Access Policy applied to file system objects.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -Event volume: Very high +**Events List:** -Default: Not configured +- [4703](event-4703.md)(S): A user right was adjusted. -| Event ID | Event message | -| - | - | -| 4704 | A user right was assigned. | -| 4705 | A user right was removed. | -| 4706 | A new trust was created to a domain. | -| 4707 | A trust to a domain was removed. | -| 4714 | Encrypted data recovery policy was changed. | -  -## Related topics +- [4704](event-4704.md)(S): A user right was assigned. + +- [4705](event-4705.md)(S): A user right was removed. + +- [4670](event-4670.md)(S): Permissions on an object were changed. + +- [4911](event-4911.md)(S): Resource attributes of the object were changed. + +- [4913](event-4913.md)(S): Central Access Policy on the object was changed. + +**Event volume**: Medium. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-central-access-policy-staging.md b/windows/keep-secure/audit-central-access-policy-staging.md index e53abd2a09..d2c7077220 100644 --- a/windows/keep-secure/audit-central-access-policy-staging.md +++ b/windows/keep-secure/audit-central-access-policy-staging.md 
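Review bot: event 4714 "Encrypted data recovery policy was changed" and the bullet "Changing the Encrypting File System (EFS) policy" are deleted from the audit-authorization-policy-change.md hunk with no replacement anywhere in the patch, while 4706/4707 are at least moved to Audit Authentication Policy Change; if 4714 belongs to another subcategory, say which, otherwise it has silently disappeared from the documentation. The `**Event volume**: Medium.` line is placed after the Events List, unlike every other file in this patch where it sits before the recommendation table, and it downgrades the old `Event volume: Very high` at the same time as a new event 4703 "A user right was adjusted" is added; move it up for consistency and either justify the lower rating or keep the original. The new intro sentence needs grammar work: "changes in security token object permission, resource attributes changes and Central Access Policy changes" should read "changes to security token object permissions, resource attribute changes, and Central Access Policy changes".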
@@ -2,30 +2,39 @@ title: Audit Central Access Policy Staging (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Central Access Policy Staging, which determines permissions on a Central Access Policy. ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Central Access Policy Staging **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Central Access Policy Staging**, which determines permissions on a Central Access Policy. -Event volume: Medium +Audit Central Access Policy Staging allows you to audit access requests where a permission granted or denied by a proposed policy differs from the current central access policy on an object. -Default: Not configured +If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event is generated as follows: -| Event ID | Event message | -| - | - | -| 4818 | Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy | -  -## Related topics +- Success audits, when configured, record access attempts when the current central access policy grants access, but the proposed policy denies access. + +- Failure audits, when configured, record access attempts when: + + - The current central access policy does not grant access, but the proposed policy grants access. 
+ + - A principal requests the maximum access rights they are allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](https://technet.microsoft.com/en-us/library/hh831425.aspx).
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](https://technet.microsoft.com/en-us/library/hh831425.aspx).
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](https://technet.microsoft.com/en-us/library/hh831425.aspx).
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | + +**Events List:** + +- [4818](event-4818.md)(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-certification-services.md b/windows/keep-secure/audit-certification-services.md index f23bdde027..c41330e98c 100644 --- a/windows/keep-secure/audit-certification-services.md +++ b/windows/keep-secure/audit-certification-services.md 
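Review bot: the new body text and the recommendation table in the audit-central-access-policy-staging.md hunk contradict each other: the text says "Failure audits, when configured, record access attempts when: The current central access policy does not grant access, but the proposed policy grants access ..." while all three table rows say "This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing". One of them is wrong; if 4818 can be logged as a Failure audit, the General Failure and Stronger Failure columns should be IF rather than No, with the same condition as the Success columns. The `-Event volume: Medium` line is deleted and not replaced, whereas every other subcategory page in this patch keeps an Event volume line; add it back. Minor: the three IF comments are verbatim copies, so the technet.microsoft.com link needs to appear only once.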
@@ -1,77 +1,118 @@ --- title: Audit Certification Services (Windows 10) -description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Certification Services, which determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed. +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Certification Services, which determines whether the operating system generates events when Active Directory Certificate Services (ADÂ CS) operations are performed. ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Certification Services **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Certification Services**, which determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed. -Examples of AD CS operations include: +Audit Certification Services determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed. + +Examples of AD CS operations include: + +- AD CS starts, shuts down, is backed up, or is restored. -- AD CS starts, shuts down, is backed up, or is restored. - Certificate revocation list (CRL)-related tasks are performed. + - Certificates are requested, issued, or revoked. -- Certificate manager settings for AD CS are changed. + +- Certificate manager settings for AD CS are changed. + - The configuration and properties of the certification authority (CA) are changed. -- AD CS templates are modified. + +- AD CS templates are modified. + - Certificates are imported. 
+ - A CA certificate is published to Active Directory Domain Services. + - Security permissions for AD CS role services are modified. + - Keys are archived, imported, or retrieved. + - The OCSP Responder Service is started or stopped. Monitoring these operational events is important to ensure that AD CS role services are functioning properly. -Event volume: Low to medium on servers that host AD CS role services +**Event volume: Low to medium on servers that provide AD CS role services.** -Default: Not configured +Role-specific subcategories are outside the scope of this document. -| Event ID | Event message | -| - | - | -| 4868 | The certificate manager denied a pending certificate request. | -| 4869 | Certificate Services received a resubmitted certificate request. | -| 4870 | Certificate Services revoked a certificate. | -| 4871 | Certificate Services received a request to publish the certificate revocation list (CRL). | -| 4872 | Certificate Services published the certificate revocation list (CRL). | -| 4873 | A certificate request extension changed. | -| 4874 | One or more certificate request attributes changed. | -| 4875 | Certificate Services received a request to shut down. | -| 4876 | Certificate Services backup started. | -| 4877 | Certificate Services backup completed. | -| 4878 | Certificate Services restore started. | -| 4879 | Certificate Services restore completed. | -| 4880 | Certificate Services started. | -| 4881 | Certificate Services stopped. | -| 4882 | The security permissions for Certificate Services changed. | -| 4883 | Certificate Services retrieved an archived key. | -| 4884 | Certificate Services imported a certificate into its database. | -| 4885 | The audit filter for Certificate Services changed. | -| 4886 | Certificate Services received a certificate request. | -| 4887 | Certificate Services approved a certificate request and issued a certificate. | -| 4888 | Certificate Services denied a certificate request. 
| -| 4889 | Certificate Services set the status of a certificate request to pending. | -| 4890 | The certificate manager settings for Certificate Services changed. | -| 4891 | A configuration entry changed in Certificate Services. | -| 4892 | A property of Certificate Services changed. | -| 4893 | Certificate Services archived a key. | -| 4894 | Certificate Services imported and archived a key. | -| 4895 | Certificate Services published the CA certificate to Active Directory Domain Services. | -| 4896 | One or more rows have been deleted from the certificate database. | -| 4897 | Role separation enabled: | -| 4898 | Certificate Services loaded a template. | -  -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | IF | IF | IF | IF – if a server has the [Active Directory Certificate Services](https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. | +| Member Server | IF | IF | IF | IF | IF – if a server has the [Active Directory Certificate Services](https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. | +| Workstation | No | No | No | No | [Active Directory Certificate Services](https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx) (AD CS) role cannot be installed on client OS. | + +## 4868: The certificate manager denied a pending certificate request. + +## 4869: Certificate Services received a resubmitted certificate request. 
+ +## 4870: Certificate Services revoked a certificate. + +## 4871: Certificate Services received a request to publish the certificate revocation list (CRL). + +## 4872: Certificate Services published the certificate revocation list (CRL). + +## 4873: A certificate request extension changed. + +## 4874: One or more certificate request attributes changed. + +## 4875: Certificate Services received a request to shut down. + +## 4876: Certificate Services backup started. + +## 4877: Certificate Services backup completed. + +## 4878: Certificate Services restore started. + +## 4879: Certificate Services restore completed. + +## 4880: Certificate Services started. + +## 4881: Certificate Services stopped. + +## 4882: The security permissions for Certificate Services changed. + +## 4883: Certificate Services retrieved an archived key. + +## 4884: Certificate Services imported a certificate into its database. + +## 4885: The audit filter for Certificate Services changed. + +## 4886: Certificate Services received a certificate request. + +## 4887: Certificate Services approved a certificate request and issued a certificate. + +## 4888: Certificate Services denied a certificate request. + +## 4889: Certificate Services set the status of a certificate request to pending. + +## 4890: The certificate manager settings for Certificate Services changed. + +## 4891: A configuration entry changed in Certificate Services. + +## 4892: A property of Certificate Services changed. + +## 4893: Certificate Services archived a key. + +## 4894: Certificate Services imported and archived a key. + +## 4895: Certificate Services published the CA certificate to Active Directory Domain Services. + +## 4896: One or more rows have been deleted from the certificate database. + +## 4897: Role separation enabled. + +## 4898: Certificate Services loaded a template. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  
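Review bot: the new description line in the audit-certification-services.md hunk contains mojibake, `Active Directory Certificate Services (ADÂ CS)`, a UTF-8 non-breaking space read as Latin-1; it should be `(AD CS)` with a plain space, and as written it goes straight into page metadata. The event list is emitted as 31 `## 4868: ...` H2 headings instead of the `**Events List:**` bullets with event-NNNN.md links used by every other file in this patch; that puts one TOC entry per event ID on the page and loses the per-event links, so convert it to the shared bullet style (or, if per-event pages do not exist for AD CS events, say so in the text). "Role-specific subcategories are outside the scope of this document." sits directly above a full listing of this role-specific subcategory's events; either drop the sentence or state what it excludes. Minor: the whole `**Event volume: Low to medium on servers that provide AD CS role services.**` line is bolded here, while only the label is bolded elsewhere.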
diff --git a/windows/keep-secure/audit-computer-account-management.md b/windows/keep-secure/audit-computer-account-management.md index 5211936625..c127ebd500 100644 --- a/windows/keep-secure/audit-computer-account-management.md +++ b/windows/keep-secure/audit-computer-account-management.md 
@@ -2,34 +2,39 @@ title: Audit Computer Account Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Computer Account Management, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted. ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Computer Account Management **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit Computer Account Management**, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted. + +Audit Computer Account Management determines whether the operating system generates audit events when a computer account is created, changed, or deleted. This policy setting is useful for tracking account-related changes to computers that are members of a domain. -Event volume: Low +**Event volume**: Low on domain controllers. -Default: Not configured +This subcategory allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. -| Event ID | Event message | -| - | - | -| 4741 | A computer account was created. | -| 4742 | A computer account was changed. | -| 4743 | A computer account was deleted. 
| -  -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | We recommend monitoring changes to critical computer objects in Active Directory, such as domain controllers, administrative workstations, and critical servers. It's especially important to be informed if any critical computer account objects are deleted.
Additionally, events in this subcategory will give you information about who deleted, created, or modified a computer object, and when the action was taken.
Typically volume of these events is low on domain controllers.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | No | No | No | No | This subcategory generates events only on domain controllers. | +| Workstation | No | No | No | No | This subcategory generates events only on domain controllers. | + +**Events List:** + +- [4741](event-4741.md)(S): A computer account was created. + +- [4742](event-4742.md)(S): A computer account was changed. + +- [4743](event-4743.md)(S): A computer account was deleted. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-credential-validation.md b/windows/keep-secure/audit-credential-validation.md index 7f4232806f..5e54e23875 100644 --- a/windows/keep-secure/audit-credential-validation.md +++ b/windows/keep-secure/audit-credential-validation.md 
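Review bot: the intro of the audit-computer-account-management.md hunk now says the same thing twice: "Audit Computer Account Management determines whether the operating system generates audit events when a computer account is created, changed, or deleted." and, three lines later, "This subcategory allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted."; drop the second sentence. Inside the Domain Controller comment, "Typically volume of these events is low on domain controllers." repeats the `**Event volume**: Low on domain controllers.` line above the table and reads better as "The volume of these events is typically low"; remove or reword it.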
@@ -2,42 +2,51 @@ title: Audit Credential Validation (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Credential Validation, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request. ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Credential Validation **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit Credential Validation**, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request. + +Audit Credential Validation determines whether the operating system generates audit events on credentials that are submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials as follows: - For domain accounts, the domain controller is authoritative. + - For local accounts, the local computer is authoritative. -Event volume: High on domain controllers +**Event volume**: -Because domain accounts are used much more frequently than local accounts in enterprise environments, most of the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the domain accounts. However, these events can occur on any computer, and they -may occur in conjunction with or on separate computers from Logon and Logoff events. +- High on domain controllers. -Default: Not configured +- Low on member servers and workstations. -| Event ID | Event message | -| - | - | -| 4774 | An account was mapped for logon. | -| 4775 | An account could not be mapped for logon. 
| -| 4776 | The domain controller attempted to validate the credentials for an account. | -| 4777 | The domain controller failed to validate the credentials for an account. | -  -## Related topics +Because domain accounts are used much more frequently than local accounts in enterprise environments, most of the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the domain accounts. However, these events can occur on any computer, and they may occur in conjunction with or on separate computers from Logon and Logoff events. + +The main reason to enable this auditing subcategory is to handle local accounts authentication attempts and, for domain accounts, NTLM authentication in the domain. It is especially useful for monitoring unsuccessful attempts, to find brute-force attacks, account enumeration, and potential account compromise events on domain controllers. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | Yes | Yes | 
Yes | Expected volume of events is high for domain controllers, because this subcategory will generate events when an authentication attempt is made using any domain account and NTLM authentication.
IF – We recommend Success auditing to keep track of domain-account authentication events using the NTLM protocol. Expect a high volume of events. For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Just collecting Success auditing events in this subcategory for future use in case of a security incident is not very useful, because events in this subcategory are not always informative.
We recommend Failure auditing, to collect information about failed authentication attempts using domain accounts and the NTLM authentication protocol. | +| Member Server | Yes | Yes | Yes | Yes | Expected volume of events is low for member servers, because this subcategory will generate events when an authentication attempt is made using a local account, which should not happen too often.
We recommend Success auditing, to keep track of authentication events by local accounts.
We recommend Failure auditing, to collect information about failed authentication attempts by local accounts. | +| Workstation | Yes | Yes | Yes | Yes | Expected volume of events is low for workstations, because this subcategory will generate events when an authentication attempt is made using a local account, which should not happen too often.
We recommend Success auditing, to keep track of authentication events by local accounts.
We recommend Failure auditing, to collect information about failed authentication attempts by local accounts. | + +**Events List:** + +- [4774](event-4774.md)(S): An account was mapped for logon. + +- [4775](event-4775.md)(F): An account could not be mapped for logon. + +- [4776](event-4776.md)(S, F): The computer attempted to validate the credentials for an account. + +- [4777](event-4777.md)(F): The domain controller failed to validate the credentials for an account. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-detailed-directory-service-replication.md b/windows/keep-secure/audit-detailed-directory-service-replication.md index ae2e46a570..19aef271fa 100644 --- a/windows/keep-secure/audit-detailed-directory-service-replication.md +++ b/windows/keep-secure/audit-detailed-directory-service-replication.md 
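Review bot: The Domain Controller comment sends readers to "the ***Security Monitoring Recommendations*** sections" without saying where those sections live or linking them, and this topic has no such section; either link the per-event topics (event-4776.md, event-4777.md) that carry those recommendations or name the page that does. Related: the new sentence about monitoring unsuccessful attempts "to find brute-force attacks, account enumeration, and potential account compromise events" is the security rationale for Failure auditing in this subcategory, so it would help a reader wiring up collection to say in the same paragraph which events carry those failures (4776 is marked (S, F) and 4777 (F) in the list below), rather than leaving them to infer it from the suffixes.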
@@ -3,38 +3,46 @@ title: Audit Detailed Directory Service Replication (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Detailed Directory Service Replication, which determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers. ms.assetid: 1b89c8f5-bce7-4b20-8701-42585c7ab993 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: brianlic-msft +author: Mir0sh --- # Audit Detailed Directory Service Replication **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit Detailed Directory Service Replication**, which determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers. + +Audit Detailed Directory Service Replication determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers. This audit subcategory can be useful to diagnose replication issues. -Event volume: These events can create a very high volume of event data. +**Event volume**: These events can create a very high volume of event data on domain controllers. 
-Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | No | IF | IF | IF - Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for Active Directory replication troubleshooting. | +| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. | +| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. | -| Event ID | Event message | -| - | - | -| 4928 | An Active Directory replica source naming context was established. | -| 4929 | An Active Directory replica source naming context was removed. | -| 4930 | An Active Directory replica source naming context was modified. | -| 4931 | An Active Directory replica destination naming context was modified. | -| 4934 | Attributes of an Active Directory object were replicated. | -| 4935 | Replication failure begins. | -| 4936 | Replication failure ends. | -| 4937 | A lingering object was removed from a replica. | -  -## Related topics +**Events List:** + +- [4928](event-4928.md)(S, F): An Active Directory replica source naming context was established. + +- [4929](event-4929.md)(S, F): An Active Directory replica source naming context was removed. + +- [4930](event-4930.md)(S, F): An Active Directory replica source naming context was modified. + +- [4931](event-4931.md)(S, F): An Active Directory replica destination naming context was modified. + +- [4934](event-4934.md)(S): Attributes of an Active Directory object were replicated. 
+ +- [4935](event-4935.md)(F): Replication failure begins. + +- [4936](event-4936.md)(S): Replication failure ends. + +- [4937](event-4937.md)(S): A lingering object was removed from a replica. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-detailed-file-share.md b/windows/keep-secure/audit-detailed-file-share.md index f60e4dd5f2..436399addb 100644 --- a/windows/keep-secure/audit-detailed-file-share.md +++ b/windows/keep-secure/audit-detailed-file-share.md 
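Review bot: The Domain Controller row sets Stronger Success and Stronger Failure to IF, but the comment only says the events are informational and mainly used for replication troubleshooting; it should state the condition explicitly, for example that the subcategory is enabled temporarily while troubleshooting replication and then turned off again, given the "very high volume" the Event volume line warns about. The same IF comment is reused verbatim in the Audit Directory Service Replication hunk later in this patch, so apply the same wording fix there.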
@@ -2,33 +2,41 @@ title: Audit Detailed File Share (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Detailed File Share, which allows you to audit attempts to access files and folders on a shared folder. ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Detailed File Share **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Detailed File Share**, which allows you to audit attempts to access files and folders on a shared folder. -The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client computer and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. -> **Note:**  There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited. -  -Event volume: High on a file server or domain controller because of SYSVOL network access required by Group Policy +Audit Detailed File Share allows you to audit attempts to access files and folders on a shared folder. -Default: Not configured +The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. 
-| Event ID | Event message | -| - | - | -| 5145 | A network share object was checked to see whether the client can be granted desired access. | -  -## Related topics +There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited. + +**Event volume**: + +- High on file servers. + +- High on domain controllers because of SYSVOL network access required by Group Policy. + +- Low on member servers and workstations. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | Yes | No | Yes | Audit Success for this subcategory on domain controllers typically will lead to very high volume of events, especially for SYSVOL share.
We recommend monitoring Failure access attempts: the volume should not be very high. You will be able to see who was not able to get access to a file or folder on a network share on a computer. | +| Member Server | IF | Yes | IF | Yes | IF – If a server has shared network folders which typically get many access requests (File Server, for example), the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the [Audit File System](audit-file-system.md) subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
The volume of Failure events for member servers should not be very high (if they are not File Servers). With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer. | +| Workstation | IF | Yes | IF | Yes | IF – If a workstation has shared network folders which typically get many access requests, the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
The volume of Failure events for workstations should not be very high. With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer. | + +**Events List:** + +- [5145](event-5145.md)(S, F): A network share object was checked to see whether client can be granted desired access. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-directory-service-access.md b/windows/keep-secure/audit-directory-service-access.md index 230dce9a69..039b10f684 100644 --- a/windows/keep-secure/audit-directory-service-access.md +++ b/windows/keep-secure/audit-directory-service-access.md 
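Review bot: The Workstation row refers to "Audit File System subcategory" as plain text while the Member Server row links it as [Audit File System](audit-file-system.md); link both and add the article ("the Audit File System subcategory"). Event 5145's message also lost a word: "whether client can be granted desired access" should read "whether the client can be granted desired access", as in the removed table row. Lastly, the former `> **Note:**` that shared folders have no SACLs, so enabling this setting audits every share on the system, is now an unmarked paragraph; since that fact is exactly why Success auditing is costly on file servers, keeping it as a callout preserves the emphasis the original had.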
@@ -1,34 +1,36 @@ --- title: Audit Directory Service Access (Windows 10) -description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Access, which determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed. +description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Access, which determines whether the operating system generates audit events when an Active Directory Domain Services (ADÂ DS) object is accessed. ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Directory Service Access **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Access**, which determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed. -These events are similar to the Directory Service Access events in previous versions of the Windows Server operating systems. -> **Important:**  Audit events are generated only on objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches the SACL settings. -  -Event volume: High on servers running AD DS role services; none on client computers +Audit Directory Service Access determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed. -Default: Not configured +**Event volume**: High on servers running AD DS role services. -| Event ID | Event message | -| - | - | -| 4662 | An operation was performed on an object. 
| -  -## Related topics +This subcategory allows you to audit when an Active Directory Domain Services (AD DS) object is accessed. It also generates Failure events if access was not granted. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | Yes | No | Yes | It is better to track changes to Active Directory objects through the [Audit Directory Service Changes](audit-directory-service-changes.md) subcategory. However, [Audit Directory Service Changes](audit-directory-service-changes.md) doesn’t give you information about failed access attempts, so we recommend Failure auditing in this subcategory to track failed access attempts to Active Directory objects.
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects. | +| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. | +| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. | + +**Events List:** + +- [4662](event-4662.md)(S, F): An operation was performed on an object. + +- [4661](event-4661.md)(S, F): A handle to an object was requested. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-directory-service-changes.md b/windows/keep-secure/audit-directory-service-changes.md index 361827a614..67d519f452 100644 --- a/windows/keep-secure/audit-directory-service-changes.md +++ b/windows/keep-secure/audit-directory-service-changes.md 
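Review bot: The new description line introduces an encoding artifact: "Active Directory Domain Services (ADÂ DS)" should be "(AD DS)"; a non-breaking space was mis-decoded during the edit. The removed "Important" note that events are generated only for objects with a matching SACL is not carried forward into the new body (the SACL link now appears only inside the table comment), yet it is the precondition for seeing any 4662/4661 events at all; restore it as a sentence after the "This subcategory allows you to audit..." paragraph. Also list 4661 before 4662 so the Events List stays in numeric order like the other topics in this patch.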
@@ -1,49 +1,48 @@ --- title: Audit Directory Service Changes (Windows 10) -description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Changes, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). +description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Changes, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (ADÂ DS). ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Directory Service Changes **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Changes**, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). -The types of changes that are reported are: +Audit Directory Service Changes determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). -- Create -- Delete -- Modify -- Move -- Undelete +Auditing of directory service objects can provide information about the old and new properties of the objects that were changed. -Directory Service Changes auditing, where appropriate, indicates the old and new values of the changed properties of the objects that were changed. 
+Audit events are generated only for objects with configured system access control lists ([SACLs](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)), and only when they are accessed in a manner that matches their [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. -> **Important:**  Audit events are generated only for objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches their SACL settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. -  -This subcategory only logs events on domain controllers. Changes to Active Directory objects are important events to track in order to understand the state of the network policy. +This subcategory only logs events on domain controllers. -Event volume: High on domain controllers; none on client computers +**Event volume**: High on domain controllers. -Default: Not configured +This subcategory triggers events when an Active Directory object was modified, created, undeleted, moved, or deleted. -| Event ID | Event message | -| - | - | -| 5136 | A directory service object was modified. | -| 5137 | A directory service object was created. | -| 5138 | A directory service object was undeleted. | -| 5139 | A directory service object was moved. | -| 5141 | A directory service object was deleted. 
| -  -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | It is important to track actions related to high value or critical Active Directory objects, for example, changes to [AdminSDHolder](https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx) container or Domain Admins group objects.
This subcategory shows you what actions were performed. If you want to track failed access attempts for Active Directory objects you need to take a look at [Audit Directory Service Access](audit-directory-service-access.md) subcategory.
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. | +| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. | + +**Events List:** + +- [5136](event-5136.md)(S): A directory service object was modified. + +- [5137](event-5137.md)(S): A directory service object was created. + +- [5138](event-5138.md)(S): A directory service object was undeleted. + +- [5139](event-5139.md)(S): A directory service object was moved. + +- [5141](event-5141.md)(S): A directory service object was deleted. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-directory-service-replication.md b/windows/keep-secure/audit-directory-service-replication.md index 9f09abada9..de877d1d2d 100644 --- a/windows/keep-secure/audit-directory-service-replication.md +++ b/windows/keep-secure/audit-directory-service-replication.md 
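Review bot: The same encoding artifact appears in this file's description front matter, "(ADÂ DS)"; change it to "(AD DS)". In the Domain Controller comment, the sentence "so you can audit only the access attempts that are made to specific important objects" is copied from the Audit Directory Service Access topic; this subcategory records changes, not access attempts, so it should read "so you can audit only the changes that are made to specific important objects". The rewrite otherwise reads well, and keeping the SACL note in the body (unlike the Directory Service Access hunk) is the right call.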
@@ -2,31 +2,33 @@ title: Audit Directory Service Replication (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Replication, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends. ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Directory Service Replication **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Replication**, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends. -Event volume: Medium on domain controllers; none on client computers +Audit Directory Service Replication determines whether the operating system generates audit events when replication between two domain controllers begins and ends. -Default: Not configured +**Event volume**: Medium on domain controllers. -| Event ID | Event Message | -| - | - | -| 4932 | Synchronization of a replica of an Active Directory naming context has begun. | -| 4933 | Synchronization of a replica of an Active Directory naming context has ended. 
| -  -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | No | IF | IF | IF - Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for Active Directory replication troubleshooting. | +| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. | +| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. | + +**Events List:** + +- [4932](event-4932.md)(S): Synchronization of a replica of an Active Directory naming context has begun. + +- [4933](event-4933.md)(S, F): Synchronization of a replica of an Active Directory naming context has ended. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-distribution-group-management.md b/windows/keep-secure/audit-distribution-group-management.md index 1e259424ed..b140fd81cc 100644 --- a/windows/keep-secure/audit-distribution-group-management.md +++ b/windows/keep-secure/audit-distribution-group-management.md 
@@ -2,51 +2,69 @@ title: Audit Distribution Group Management (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Distribution Group Management, which determines whether the operating system generates audit events for specific distribution-group management tasks. ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Distribution Group Management **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Distribution Group Management**, which determines whether the operating system generates audit events for specific distribution-group management tasks. -Tasks for distribution-group management that can be audited include: +Audit Distribution Group Management determines whether the operating system generates audit events for specific distribution-group management tasks. -- A distribution group is created, changed, or deleted. -- A member is added to or removed from a distribution group. +This subcategory generates events only on domain controllers. -This subcategory to which this policy belongs is logged only on domain controllers. -> **Note:**  Distribution groups cannot be used to manage access control permissions. -  -Event volume: Low +**Event volume**: Low on domain controllers. -Default: Not configured +This subcategory allows you to audit events generated by changes to distribution groups such as the following: -| Event ID | Event message | -| - | - | -| 4744 | A security-disabled local group was created. | -| 4745 | A security-disabled local group was changed. | -| 4746 | A member was added to a security-disabled local group. | -| 4747 | A member was removed from a security-disabled local group. 
| -| 4748 | A security-disabled local group was deleted. | -| 4749 | A security-disabled global group was created. | -| 4750 | A security-disabled global group was changed. | -| 4751 | A member was added to a security-disabled global group. | -| 4752 | A member was removed from a security-disabled global group. | -| 4753 | A security-disabled global group was deleted. | -| 4759 | A security-disabled universal group was created. | -| 4760 | A security-disabled universal group was changed. | -| 4761 | A member was added to a security-disabled universal group. | -| 4762 | A member was removed from a security-disabled universal group. | +- Distribution group is created, changed, or deleted. - ## Related topics +- Member is added or removed from a distribution group. + +If you need to monitor for group type changes, you need to monitor for “[4764](event-4764.md): A group’s type was changed.” “Audit Security Group Management” subcategory success auditing must be enabled. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | No | IF | No | IF - Typically actions related to distribution groups have low security relevance, much more important to monitor Security Group changes. 
But if you want to monitor for critical distribution groups changes, such as member was added to internal critical distribution group (executives, administrative group, for example), you need to enable this subcategory for Success auditing.
Typically volume of these events is low on domain controllers.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | No | No | No | No | This subcategory generates events only on domain controllers. | +| Workstation | No | No | No | No | This subcategory generates events only on domain controllers. | + +**Events List:** + +- [4749](event-4749.md)(S): A security-disabled global group was created. + +- [4750](event-4750.md)(S): A security-disabled global group was changed. + +- [4751](event-4751.md)(S): A member was added to a security-disabled global group. + +- [4752](event-4752.md)(S): A member was removed from a security-disabled global group. + +- [4753](event-4753.md)(S): A security-disabled global group was deleted. + +**4759(S): A security-disabled universal group was created.** See event “[4749](event-4749.md): A security-disabled global group was created.” Event 4759 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**4760(S): A security-disabled universal group was changed.** See event “[4750](event-4750.md): A security-disabled global group was changed.” Event 4760 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**4761(S): A member was added to a security-disabled universal group.** See event “[4751](event-4751.md): A member was added to a security-disabled global group.” Event 4761 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. 
+ +**4762(S): A member was removed from a security-disabled universal group.** See event “[4752](event-4752.md): A member was removed from a security-disabled global group.” Event 4762 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**4763(S): A security-disabled universal group was deleted.** See event “[4753](event-4753.md): A security-disabled global group was deleted.” Event 4763 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**4744(S): A security-disabled local group was created.** See event “[4749](event-4749.md): A security-disabled global group was created.” Event 4744 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**4745(S): A security-disabled local group was changed.** See event “[4750](event-4750.md): A security-disabled global group was changed.” Event 4745 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**4746(S): A member was added to a security-disabled local group.** See event “[4751](event-4751.md): A member was added to a security-disabled global group.” Event 4746 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. 
+ +**4747(S): A member was removed from a security-disabled local group.** See event “[4752](event-4752.md): A member was removed from a security-disabled global group.” Event 4747 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**4748(S): A security-disabled local group was deleted.** See event “[4753](event-4753.md): A security-disabled global group was deleted.” Event 4748 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-dpapi-activity.md b/windows/keep-secure/audit-dpapi-activity.md index 1e7c77ac71..a17a929770 100644 --- a/windows/keep-secure/audit-dpapi-activity.md +++ b/windows/keep-secure/audit-dpapi-activity.md 
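Review bot: The deleted note “Distribution groups cannot be used to manage access control permissions” is the reason the new Domain Controller comment can call these events low security relevance; carry it into the new intro (for example right after “This subcategory generates events only on domain controllers.”) instead of dropping it. The Events List also changes format halfway through: 4749 to 4753 are bullets, while 4759 to 4763 and 4744 to 4748 are bold paragraphs, so the universal and local group events do not render as part of the list; make them bullets with the “See event …” text under each, or put the cross-reference paragraphs under their own heading. Minor: “Member is added or removed from a distribution group” should read “added to or removed from”, as the deleted bullet did.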
@@ -2,37 +2,37 @@ title: Audit DPAPI Activity (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit DPAPI Activity, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI). ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit DPAPI Activity **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit DPAPI Activity**, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI). -DPAPI is used to protect secret information such as stored passwords and key information. For more information about DPAPI, see [Windows Data Protection](http://go.microsoft.com/fwlink/p/?linkid=121720) (http://go.microsoft.com/fwlink/p/?linkid=121720). -Event volume: Low +Audit [DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx) Activity determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface ([DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx)). -Default: Not configured +**Event volume**: Low. -If this policy setting is configured, the following events appear on computers running the supported versions of the Windows operating system as designated in the **Applies To** list at the beginning of this topic, in addition to Windows Server 2008 and Windows Vista. 
+| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | IF | IF | IF | IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting. | +| Member Server | IF | IF | IF | IF | IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting. | +| Workstation | IF | IF | IF | IF | IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting. | -| Event ID | Event message | -| - | - | -| 4692 | Backup of data protection master key was attempted. | -| 4693 | Recovery of data protection master key was attempted. | -| 4694 | Protection of auditable protected data was attempted. | -| 4695 | Unprotection of auditable protected data was attempted. | -  -## Related resource +**Events List:** + +- [4692](event-4692.md)(S, F): Backup of data protection master key was attempted. + +- [4693](event-4693.md)(S, F): Recovery of data protection master key was attempted. + +- [4694](event-4694.md)(S, F): Protection of auditable protected data was attempted. + +- [4695](event-4695.md)(S, F): Unprotection of auditable protected data was attempted. -- [Advanced Security Audit Policy Settings](advanced-security-audit-policy-settings.md) -  -  
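Review bot: The new opening sentence links DPAPI twice, once inside the setting name “Audit [DPAPI](…) Activity” and again in the parenthetical; linking the expansion “data protection application interface ([DPAPI](…))” only keeps the setting name plain. The deleted sentence “DPAPI is used to protect secret information such as stored passwords and key information” is the only statement of what this subcategory covers and should be carried over, since the table comments call the events informational without saying what data the master key backup, recovery, protection and unprotection events (4692 to 4695) concern. Also confirm that removing “Windows 10 Mobile” from the Applies to list is intentional; the same removal is made in audit-file-system.md.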
diff --git a/windows/keep-secure/audit-file-share.md b/windows/keep-secure/audit-file-share.md index 8040bc118a..05c490cf67 100644 --- a/windows/keep-secure/audit-file-share.md +++ b/windows/keep-secure/audit-file-share.md 
@@ -2,39 +2,49 @@ title: Audit File Share (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File Share, which determines whether the operating system generates audit events when a file share is accessed. ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit File Share **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit File Share**, which determines whether the operating system generates audit events when a file share is accessed. -Audit events are not generated when shares are created, deleted, or when share permissions change. -> **Note:**  There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all shares on the system will be audited. -  +Audit File Share allows you to audit events related to file shares: creation, deletion, modification, and access attempts. Also, it shows failed SMB SPN checks. + +There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all shares on the system will be audited. + Combined with File System auditing, File Share auditing enables you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access. -Event volume: High on a file server or domain controller (due to SYSVOL access by client computers for policy processing) +**Event volume**: -Default: Not configured +- High on file servers. -| Event ID | Event message | -| - |- | -| 5140 | A network share object was accessed.
**Note:** This event is logged on computers running Windows 10, Windows Server 2016 Technical Preview, Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista. | -| 5142 | A network share object was added. | -| 5143 | A network share object was modified. | -| 5144 | A network share object was deleted. | -| 5168 | SPN check for SMB/SMB2 failed. | -  -## Related topics +- High on domain controllers because of SYSVOL network access required by Group Policy. + +- Low on member servers and workstations. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing for domain controllers, because it’s important to track deletion, creation, and modification events for network shares.
We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares. | +| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing to track deletion, creation, modification, and access attempts to network share objects.
We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares. | +| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing to track deletion, creation, modification and access attempts to network share objects.
We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares. | + +**Events List:** + +- [5140](event-5140.md)(S, F): A network share object was accessed. + +- [5142](event-5142.md)(S): A network share object was added. + +- [5143](event-5143.md)(S): A network share object was modified. + +- [5144](event-5144.md)(S): A network share object was deleted. + +- [5168](event-5168.md)(F): SPN check for SMB/SMB2 failed. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-file-system.md b/windows/keep-secure/audit-file-system.md index 53faccfac6..ea941fc892 100644 --- a/windows/keep-secure/audit-file-system.md +++ b/windows/keep-secure/audit-file-system.md 
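Review bot: The Domain Controller comment justifies Success auditing by “deletion, creation, and modification events for network shares,” but Success auditing is enabled per subcategory, so it also emits 5140 (S, F) for every share access, which the new Event volume bullet says is high on domain controllers because of SYSVOL access by Group Policy; the comment should acknowledge that volume (as the deleted Event volume line did) or say that 5142 to 5144 cannot be audited separately from 5140. The new intro (“creation, deletion, modification, and access attempts”) reverses the deleted “Audit events are not generated when shares are created, deleted, or when share permissions change”; the new wording matches the 5142/5143/5144 entries, so the old sentence was wrong, but the deleted 5140 note on which Windows versions log the event disappears without replacement and should be confirmed as intentional. Minor: the Workstation row lacks the serial comma used in the Member Server row.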
@@ -2,39 +2,57 @@ title: Audit File System (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File System, which determines whether the operating system generates audit events when users attempt to access file system objects. ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f -ms.prod: W10 -ms.mktglfcycl: deploy ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy ms.sitesec: library -author: brianlic-msft +author: Mir0sh --- # Audit File System **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 + + +Audit File System determines whether the operating system generates audit events when users attempt to access file system objects. + +Audit events are generated only for objects that have configured system access control lists ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx). -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit File System**, which determines whether the operating system generates audit events when users attempt to access file system objects. -Audit events are generated only for objects that have configured system access control lists (SACLs), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL. If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL. 
These events are essential for tracking activity for file objects that are sensitive or valuable and require extra monitoring. -Event volume: Varies, depending on how file system SACLs are configured +**Event volume**: Varies, depending on how file system [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s are configured. -No audit events are generated for the default file system SACLs. +No audit events are generated for the default file system [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s. -Default: Not configured +This subcategory allows you to audit user attempts to access file system objects, file system object deletion and permissions change operations and hard link creation actions. -| Event ID | Event message | -| - | - | -| 4664 | An attempt was made to create a hard link. | -| 4985 | The state of a transaction has changed. | -| 5051 | A file was virtualized. | -  -## Related topics +Only one event, “[4658](event-4658.md): The handle to an object was closed,” depends on the [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory (Success auditing must be enabled). All other events generate without any additional configuration. 
+ +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a File System Security Monitoring policy and define appropriate [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s for file system objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s. Otherwise the auditing log will be overloaded with useless information.
Failure events can show you unsuccessful attempts to access specific file system objects.
Consider enabling this subcategory for critical computers first, after you develop a File System Security Monitoring policy for them. | +| Member Server | IF | IF | IF | IF | | +| Workstation | IF | IF | IF | IF | | + +**Events List:** + +- [4656](event-4656.md)(S, F): A handle to an object was requested. + +- [4658](event-4658.md)(S): The handle to an object was closed. + +- [4660](event-4660.md)(S): An object was deleted. + +- [4663](event-4663.md)(S): An attempt was made to access an object. + +- [4664](event-4664.md)(S): An attempt was made to create a hard link. + +- [4985](event-4985.md)(S): The state of a transaction has changed. + +- [5051](event-5051.md)(-): A file was virtualized. + +- [4670](event-4670.md)(S): Permissions on an object were changed. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-filtering-platform-connection.md b/windows/keep-secure/audit-filtering-platform-connection.md index a23961c6d9..96d8bbd8c3 100644 --- a/windows/keep-secure/audit-filtering-platform-connection.md +++ b/windows/keep-secure/audit-filtering-platform-connection.md 
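Review bot: “All other events generate without any additional configuration” contradicts the paragraph above it, which says events are generated only for objects with a matching SACL; suggest “All other events are generated without enabling any additional subcategory, but still only for objects with a matching SACL.” The Member Server and Workstation rows have empty Comments while the Domain Controller comment (plan a File System Security Monitoring policy, remove non-effective SACLs, start with critical computers) applies to all three roles; copy it or point those rows to it. Also [SACL](…) is hyperlinked on every occurrence; link the first only. Minor: 4670 is listed after 5051, breaking the otherwise ascending order of the Events List, and 5051 is tagged “(-)” with no legend for the dash (the same tag is used for 5150 and 5151 in audit-filtering-platform-connection.md).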
@@ -2,48 +2,51 @@ title: Audit Filtering Platform Connection (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Connection, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform. ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Filtering Platform Connection **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Connection**, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform. + +Audit Filtering Platform Connection determines whether the operating system generates audit events when connections are allowed or blocked by the [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx). Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). -This security policy enables you to audit the following types of actions: +This subcategory contains Windows Filtering Platform events about blocked and allowed connections, blocked and allowed port bindings, blocked and allowed port listening actions, and blocked to accept incoming connections applications. -- The Windows Firewall service blocks an application from accepting incoming connections on the network. -- The Windows Filtering Platform allows or blocks a connection. 
-- The Windows Filtering Platform permits or blocks a bind to a local port. -- The Windows Filtering Platform permits or blocks an application or service from listening for incoming connections on a port. +**Event volume**: High. -Event volume: High +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | Yes | IF | Yes | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. | +| Member Server | No | Yes | IF | Yes | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. | +| Workstation | No | Yes | IF | Yes | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. | -Default: Not configured +**Events List:** -| Event ID | Event message | -| - | - | -| 5031 | The Windows Firewall Service blocked an application from accepting incoming connections on the network. | -| 5140 | A network share object was accessed. | -| 5150 | The Windows Filtering Platform blocked a packet. | -| 5151 | A more restrictive Windows Filtering Platform filter has blocked a packet. | -| 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. | -| 5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. | -| 5156 | The Windows Filtering Platform has allowed a connection. | -| 5157 | The Windows Filtering Platform has blocked a connection. | -| 5158 | The Windows Filtering Platform has permitted a bind to a local port. | -| 5159 | The Windows Filtering Platform has blocked a bind to a local port. | -  -## Related topics +- [5031](event-5031.md)(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network. + +- [5150](event-5150.md)(-): The Windows Filtering Platform blocked a packet. + +- [5151](event-5151.md)(-): A more restrictive Windows Filtering Platform filter has blocked a packet. + +- [5154](event-5154.md)(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. + +- [5155](event-5155.md)(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. + +- [5156](event-5156.md)(S): The Windows Filtering Platform has permitted a connection. + +- [5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection. 
+ +- [5158](event-5158.md)(S): The Windows Filtering Platform has permitted a bind to a local port. + +- [5159](event-5159.md)(F): The Windows Filtering Platform has blocked a bind to a local port. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-filtering-platform-packet-drop.md b/windows/keep-secure/audit-filtering-platform-packet-drop.md index fda5bc89e7..093fd674de 100644 --- a/windows/keep-secure/audit-filtering-platform-packet-drop.md +++ b/windows/keep-secure/audit-filtering-platform-packet-drop.md 
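Review bot: “and blocked to accept incoming connections applications” in the new summary sentence is ungrammatical; suggest “blocked and allowed port listening actions, and applications blocked from accepting incoming connections (5031).” All three Comments cells refer to “the ***Security Monitoring Recommendations*** sections” without saying where those are, and this file has no such section after the change, so either link the target or drop the reference; the triple-asterisk emphasis should be plain bold or italic. Also 5156’s message changes from “has allowed a connection” to “has permitted a connection” while every other message string is kept; if this corrects the real event text, say so in the commit message. Dropping 5140 (a File Share event) from this subcategory’s list is correct.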
@@ -2,35 +2,37 @@ title: Audit Filtering Platform Packet Drop (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Packet Drop, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform. ms.assetid: 95457601-68d1-4385-af20-87916ddab906 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Filtering Platform Packet Drop **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Packet Drop**, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform. + +Audit Filtering Platform Packet Drop determines whether the operating system generates audit events when packets are dropped by the [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx). Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). -A high rate of dropped packets may indicate that there have been attempts to gain unauthorized access to computers on your network. +A high rate of dropped packets *may* indicate that there have been attempts to gain unauthorized access to computers on your network. -Event volume: High +**Event volume**: High. 
-Default setting: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | No | No | No | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.
There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. | +| Member Server | No | No | No | No | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.
There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. | +| Workstation | No | No | No | No | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.
There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. | -| Event ID | Event message | -| - | - | -| 5152 | The Windows Filtering Platform blocked a packet. | -| 5153 | A more restrictive Windows Filtering Platform filter has blocked a packet. | -  -## Related topics +**Events List:** + +- [5152](event-5152.md)(F): The Windows Filtering Platform blocked a packet. + +- [5153](event-5153.md)(S): A more restrictive Windows Filtering Platform filter has blocked a packet. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-filtering-platform-policy-change.md b/windows/keep-secure/audit-filtering-platform-policy-change.md index 97f04007ea..ec8d3374dd 100644 --- a/windows/keep-secure/audit-filtering-platform-policy-change.md +++ b/windows/keep-secure/audit-filtering-platform-policy-change.md 
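Review bot: The comment recommends 5157 as the per-connection alternative but does not say it belongs to the Audit Filtering Platform Connection subcategory, so a reader of this page alone will not know that subcategory’s Failure auditing must be enabled for 5157 to appear; add “from the Audit Filtering Platform Connection subcategory” after the event reference. “Failure events volume typically is very high for this subcategory and typically used for troubleshooting” repeats “typically” and loses the subject of the second clause; suggest “Failure event volume is typically very high for this subcategory, and these events are mostly used for troubleshooting.” The identical Comments text is repeated verbatim in all three rows; since the recommendation is the same everywhere, the Member Server and Workstation rows could simply refer to the Domain Controller row.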
@@ -2,224 +2,117 @@ title: Audit Filtering Platform Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Policy Change, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions. ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Filtering Platform Policy Change **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Policy Change**, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions. + +Audit Filtering Platform Policy Change allows you to audit events generated by changes to the [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) (WFP), such as the following: + +- IPsec services status. + +- Changes to IPsec policy settings. + +- Changes to Windows Filtering Platform Base Filtering Engine policy settings. + +- Changes to WFP providers and engine. Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). -This security policy setting determines whether the operating system generates audit events for: +This subcategory is outside the scope of this document. -- IPsec services status. -- Changes to IPsec settings. -- Status and changes to the Windows Filtering Platform engine and providers. -- IPsec Policy Agent service activities. 
+| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------| +| Domain Controller | - | - | - | - | This subcategory is outside the scope of this document. | +| Member Server | - | - | - | - | This subcategory is outside the scope of this document. | +| Workstation | - | - | - | - | This subcategory is outside the scope of this document. | -Event volume: Low +## 4709(S): IPsec Services was started. -Default: Not configured +## 4710(S): IPsec Services was disabled. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4709

IPsec Services was started.

4710

IPsec Services was disabled.

4711

May contain any one of the following:

-
    -
  • PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.

  • -
  • PAStore Engine applied Active Directory storage IPsec policy on the computer.

  • -
  • PAStore Engine applied local registry storage IPsec policy on the computer.

  • -
  • PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.

  • -
  • PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.

  • -
  • PAStore Engine failed to apply local registry storage IPsec policy on the computer.

  • -
  • PAStore Engine failed to apply some rules of the active IPsec policy on the computer.

  • -
  • PAStore Engine failed to load directory storage IPsec policy on the computer.

  • -
  • PAStore Engine loaded directory storage IPsec policy on the computer.

  • -
  • PAStore Engine failed to load local storage IPsec policy on the computer.

  • -
  • PAStore Engine loaded local storage IPsec policy on the computer.

  • -
  • PAStore Engine polled for changes to the active IPsec policy and detected no changes.

  • -

4712

IPsec Services encountered a potentially serious failure.

5040

A change has been made to IPsec settings. An Authentication Set was added.

5041

A change has been made to IPsec settings. An Authentication Set was modified.

5042

A change has been made to IPsec settings. An Authentication Set was deleted.

5043

A change has been made to IPsec settings. A Connection Security Rule was added.

5044

A change has been made to IPsec settings. A Connection Security Rule was modified.

5045

A change has been made to IPsec settings. A Connection Security Rule was deleted.

5046

A change has been made to IPsec settings. A Crypto Set was added.

5047

A change has been made to IPsec settings. A Crypto Set was modified.

5048

A change has been made to IPsec settings. A Crypto Set was deleted.

5440

The following callout was present when the Windows Filtering Platform Base Filtering Engine started.

5441

The following filter was present when the Windows Filtering Platform Base Filtering Engine started.

5442

The following provider was present when the Windows Filtering Platform Base Filtering Engine started.

5443

The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.

5444

The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.

5446

A Windows Filtering Platform callout has been changed.

5448

A Windows Filtering Platform provider has been changed.

5449

A Windows Filtering Platform provider context has been changed.

5450

A Windows Filtering Platform sub-layer has been changed.

5456

PAStore Engine applied Active Directory storage IPsec policy on the computer.

5457

PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.

5458

PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.

5459

PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.

5460

PAStore Engine applied local registry storage IPsec policy on the computer.

5461

PAStore Engine failed to apply local registry storage IPsec policy on the computer.

5462

PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.

5463

PAStore Engine polled for changes to the active IPsec policy and detected no changes.

5464

PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.

5465

PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.

5466

PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.

5467

PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.

5468

PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.

5471

PAStore Engine loaded local storage IPsec policy on the computer.

5472

PAStore Engine failed to load local storage IPsec policy on the computer.

5473

PAStore Engine loaded directory storage IPsec policy on the computer.

5474

PAStore Engine failed to load directory storage IPsec policy on the computer.

5477

PAStore Engine failed to add quick mode filter.

-  -## Related topics +## 4711(S): May contain any one of the following: + +## 4712(F): IPsec Services encountered a potentially serious failure. + +## 5040(S): A change has been made to IPsec settings. An Authentication Set was added. + +## 5041(S): A change has been made to IPsec settings. An Authentication Set was modified. + +## 5042(S): A change has been made to IPsec settings. An Authentication Set was deleted. + +## 5043(S): A change has been made to IPsec settings. A Connection Security Rule was added. + +## 5044(S): A change has been made to IPsec settings. A Connection Security Rule was modified. + +## 5045(S): A change has been made to IPsec settings. A Connection Security Rule was deleted. + +## 5046(S): A change has been made to IPsec settings. A Crypto Set was added. + +## 5047(S): A change has been made to IPsec settings. A Crypto Set was modified. + +## 5048(S): A change has been made to IPsec settings. A Crypto Set was deleted. + +## 5440(S): The following callout was present when the Windows Filtering Platform Base Filtering Engine started. + +## 5441(S): The following filter was present when the Windows Filtering Platform Base Filtering Engine started. + +## 5442(S): The following provider was present when the Windows Filtering Platform Base Filtering Engine started. + +## 5443(S): The following provider context was present when the Windows Filtering Platform Base Filtering Engine started. + +## 5444(S): The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started. + +## 5446(S): A Windows Filtering Platform callout has been changed. + +## 5448(S): A Windows Filtering Platform provider has been changed. + +## 5449(S): A Windows Filtering Platform provider context has been changed. + +## 5450(S): A Windows Filtering Platform sub-layer has been changed. + +## 5456(S): PAStore Engine applied Active Directory storage IPsec policy on the computer. 
+ +## 5457(F): PAStore Engine failed to apply Active Directory storage IPsec policy on the computer. + +## 5458(S): PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer. + +## 5459(F): PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer. + +## 5460(S): PAStore Engine applied local registry storage IPsec policy on the computer. + +## 5461(F): PAStore Engine failed to apply local registry storage IPsec policy on the computer. + +## 5462(F): PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem. + +## 5463(S): PAStore Engine polled for changes to the active IPsec policy and detected no changes. + +## 5464(S): PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services. + +## 5465(S): PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully. + +## 5466(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied. + +## 5467(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used. + +## 5468(S): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used. + +## 5471(S): PAStore Engine loaded local storage IPsec policy on the computer. 
+ +## 5472(F): PAStore Engine failed to load local storage IPsec policy on the computer. + +## 5473(S): PAStore Engine loaded directory storage IPsec policy on the computer. + +## 5474(F): PAStore Engine failed to load directory storage IPsec policy on the computer. + +## 5477(F): PAStore Engine failed to add quick mode filter. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md index 2ceff2fa34..50880766f6 100644 --- a/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md +++ b/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md @@ -2,7 +2,7 @@ title: Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings (Windows 10) description: Describes the best practices, location, values, and security considerations for the Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings security policy setting. ms.assetid: 8ddc06bc-b6d6-4bac-9051-e0d77035bd4e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-group-membership.md b/windows/keep-secure/audit-group-membership.md index bfbd5e7887..f3424483bb 100644 --- a/windows/keep-secure/audit-group-membership.md +++ b/windows/keep-secure/audit-group-membership.md 
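Review bot: `+## 4711(S): May contain any one of the following:` is followed by nothing, so the heading promises a list that never appears; the table this hunk removes carried the twelve PAStore Engine messages that 4711 can contain (applied or failed to apply Active Directory, locally cached, and local registry storage IPsec policy, loaded or failed to load directory/local storage policy, polled and detected no changes), and those should be restored as a bulleted list under the heading or the heading reworded. More generally, every `+## NNNN(S):` / `+## NNNN(F):` line in this file is an empty section, while the sibling topics in the same patch (audit-group-membership.md, audit-handle-manipulation.md) use a single `**Events List:**` bulleted list; pick one format for the out-of-scope topics. Also check the tag on `+## 5467(F): PAStore Engine polled ... determined that Active Directory can be reached, and found no changes to the policy.`: the message describes a successful poll that stops using the cached copy, so `(F)` looks wrong next to `5466(F)` (AD unreachable) and `5468(S)` (changes applied).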
@@ -2,37 +2,43 @@ title: Audit Group Membership (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Group Membership, which enables you to audit group memberships when they are enumerated on the client PC. ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Group Membership **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit Group Membership**, which enables you to audit group memberships when they are enumerated on the client PC. + +Audit Group Membership enables you to audit group memberships when they are enumerated on the client computer. This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. -> **Note:**  You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. -  + +You must also enable the [Audit Logon](audit-logon.md) subcategory. + Multiple events are generated if the group membership information cannot fit in a single security audit event -Event volume: High +**Event volume**: -Default: Not configured +- Low on a client computer. -| Event ID | Event message | -| - | - | -| 4627 | Group membership information. | -  -## Related topics +- Medium on a domain controller or network servers. 
+ +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | + +**Events List:** + +- [4627](event-4627.md)(S): Group membership information. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-handle-manipulation.md b/windows/keep-secure/audit-handle-manipulation.md index da8a48ee26..c1a20800e5 100644 --- a/windows/keep-secure/audit-handle-manipulation.md +++ b/windows/keep-secure/audit-handle-manipulation.md 
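Review bot: the comments column in all three table rows says `see the ***Security Monitoring Recommendations*** sections`, but this topic has no such section; that section lives on the per-event page, so link it as `[4627](event-4627.md)` or say "see the Security Monitoring Recommendations section of event 4627". While editing the same rows, `logged in user` should be `logged-on user` to match the "logged on" wording used in the intro paragraph, and the retained context line `Multiple events are generated if the group membership information cannot fit in a single security audit event` is missing its terminating period (pre-existing, but this hunk touches the lines on either side of it).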
@@ -2,37 +2,37 @@ title: Audit Handle Manipulation (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Handle Manipulation, which determines whether the operating system generates audit events when a handle to an object is opened or closed. ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Handle Manipulation **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Handle Manipulation**, which determines whether the operating system generates audit events when a handle to an object is opened or closed. -Only objects with configured system access control lists (SACLs) generate these events, and only if the attempted handle operation matches the SACL. +Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) and [Audit SAM](audit-sam.md) subcategories, and shows object’s handle duplication and close actions. -> **Important:**  Handle Manipulation events are generated only for object types where the corresponding File System or Registry Object Access subcategory is enabled. For more information, see [Audit File System](audit-file-system.md) or [Audit Registry](audit-registry.md). -  +**Event volume**: High. 
-Event volume: High, depending on how SACLs are configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.
There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level. | +| Member Server | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.
There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level. | +| Workstation | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.
There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level. | -Default: Not configured +**Events List:** -| Event ID | Event message | -| - | - | -| 4656 | A handle to an object was requested. | -| 4658 | The handle to an object was closed. | -| 4690 | An attempt was made to duplicate a handle to an object. | -  -## Related topics +- [4658](event-4658.md)(S): The handle to an object was closed. + +- [4690](event-4690.md)(S): An attempt was made to duplicate a handle to an object. + +## 4658(S): The handle to an object was closed. + +This event doesn’t generate in this subcategory, but you can use this subcategory to enable it. For a description of the event, see “[4658](event-4658.md)(S): The handle to an object was closed” in the Audit File System subcategory. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-ipsec-driver.md b/windows/keep-secure/audit-ipsec-driver.md index 7394906faa..628d86b063 100644 --- a/windows/keep-secure/audit-ipsec-driver.md +++ b/windows/keep-secure/audit-ipsec-driver.md 
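Review bot: `+**Event volume**: High.` drops the qualifier from the removed line `-Event volume: High, depending on how SACLs are configured`, and the hunk also deletes `-Only objects with configured system access control lists (SACLs) generate these events, and only if the attempted handle operation matches the SACL.`; that is the one fact a reader needs to predict what enabling this subcategory will cost, so keep it (the new intro sentence explains which subcategories 4658 belongs to, not what triggers it). Separately, the `**Events List:**` names both 4658 and 4690, but only 4658 gets a `## 4658(S)` section explaining that it is not generated here; add the matching one-line `## 4690(S)` section or drop the 4658 section so the file is consistent with the others in this patch.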
@@ -2,53 +2,65 @@ title: Audit IPsec Driver (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit IPsec Driver, which determines whether the operating system generates audit events for the activities of the IPsec driver. ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit IPsec Driver **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit IPsec Driver**, which determines whether the operating system generates audit events for the activities of the IPsec driver. -The IPsec driver, using the IP Filter List from the active IPsec policy, watches for outbound IP packets that must be secured and inbound IP packets that must be verified and decrypted. This security policy setting reports on the following activities of the IPsec driver: +Audit IPsec Driver allows you to audit events generated by IPSec driver such as the following: -- Startup and shutdown of IPsec services. -- Packets dropped due to integrity-check failure. -- Packets dropped due to replay-check failure. -- Packets dropped due to being in plaintext. -- Packets received with an incorrect Security Parameter Index (SPI). (This can indicate malfunctioning hardware or interoperability problems.) -- Failure to process IPsec filters. +- Startup and shutdown of the IPsec services. + +- Network packets dropped due to integrity check failure. + +- Network packets dropped due to replay check failure. + +- Network packets dropped due to being in plaintext. + +- Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated. + +- Inability to process IPsec filters. 
A high rate of packet drops by the IPsec filter driver may indicate attempts to gain access to the network by unauthorized systems. Failure to process IPsec filters poses a potential security risk because some network interfaces may not get the protection that is provided by the IPsec filter. -Event volume: Medium +This subcategory is outside the scope of this document. -Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. | +| Member Server | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. | +| Workstation | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. | -| Event ID | Event message | -| - | - | -| 4960 | IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. | -| 4961 | IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. | -| 4962 | IPsec dropped an inbound packet that failed a replay check. 
The inbound packet had too low a sequence number to ensure it was not a replay. | -| 4963 | IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. | -| 4965 | IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. | -| 5478 | IPsec Services has started successfully. | -| 5479 | IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. | -| 5480 | IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. | -| 5483 | IPsec Services failed to initialize RPC server. IPsec Services could not be started. | -| 5484 | IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. | -| 5485 | IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. 
| -  -## Related topics +## 4960(S): IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. + +## 4961(S): IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. + +## 4962(S): IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. + +## 4963(S): IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. + +## 4965(S): IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. + +## 5478(S): IPsec Services has started successfully. + +## 5479(): IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. + +## 5480(F): IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. 
Use the IP Security Monitor snap-in to diagnose the problem. + +## 5483(F): IPsec Services failed to initialize RPC server. IPsec Services could not be started. + +## 5484(F): IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. + +## 5485(F): IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-ipsec-extended-mode.md b/windows/keep-secure/audit-ipsec-extended-mode.md index 89f0857940..83cc51ddc1 100644 --- a/windows/keep-secure/audit-ipsec-extended-mode.md +++ b/windows/keep-secure/audit-ipsec-extended-mode.md 
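Review bot: `+## 5479(): IPsec Services has been shut down successfully.` has an empty tag between the parentheses; every other heading in this file and in the rest of the patch carries `(S)` or `(F)`, and the message describes a successful shutdown, so this should be `5479(S)`. Two smaller points in the same hunk: `+Audit IPsec Driver allows you to audit events generated by IPSec driver such as the following:` spells it `IPSec` while the rest of the topic (and the title) uses `IPsec`, and `+This subcategory is outside the scope of this document.` sits directly above a table whose comments say there is no recommendation "unless you know exactly what you need to monitor at IPsec Driver level"; the two statements should be aligned so the reader does not get both "out of scope" and a conditional recommendation.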
@@ -2,41 +2,41 @@ title: Audit IPsec Extended Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Extended Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit IPsec Extended Mode **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Extended Mode**, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. -IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers. +Audit IPsec Extended Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. -AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports main-mode and quick-mode negotiation. -AuthIP also supports Extended Mode, a part of IPsec peer negotiation during which a second round of authentication can be performed. 
Extended Mode, which is optional, can be used for multiple authentications. For example, with extended mode you can perform separate computer-based and user-based authentications. +Audit IPsec Extended Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Extended Mode troubleshooting. -Event volume: High +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. | +| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. | +| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. | -Default: Not configured +## 4978: During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. -| Event ID | Event message | -| - | - | -| 4978 | During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. | -| 4979 | IPsec Main Mode and Extended Mode security associations were established.
**Note:** This event provides event data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint, Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, and Extended Mode Information. | -| 4980 | IPsec Main Mode and Extended Mode security associations were established.
**Note:** This event provides event audit data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint. Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information: | -| 4981 | IPsec Main Mode and Extended Mode security associations were established.
**Note:** This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, and Extended Mode Information. | -| 4982 | IPsec Main Mode and Extended Mode security associations were established.
**Note:** This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information. | -| 4983 | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
**Note:** This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, and Failure Information. | -| 4984 | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
**Note:** This event provides event audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information. | -  -## Related topics +## 4979: IPsec Main Mode and Extended Mode security associations were established. + +## 4980: IPsec Main Mode and Extended Mode security associations were established. + +## 4981: IPsec Main Mode and Extended Mode security associations were established. + +## 4982: IPsec Main Mode and Extended Mode security associations were established. + +## 4983: An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. + +## 4984: An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-ipsec-main-mode.md b/windows/keep-secure/audit-ipsec-main-mode.md index 203307a841..d06d0749d0 100644 --- a/windows/keep-secure/audit-ipsec-main-mode.md +++ b/windows/keep-secure/audit-ipsec-main-mode.md 
@@ -2,42 +2,45 @@ title: Audit IPsec Main Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Main Mode, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit IPsec Main Mode **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Main Mode**, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. -IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers. -AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports Main Mode and Quick Mode negotiation. -Main Mode Internet Key Exchange (IKE) negotiation establishes a secure channel, known as the Internet Security Association and Key Management Protocol (ISAKMP) security association (SA), between two computers. 
To establish the secure channel, Main Mode negotiation determines a set of cryptographic protection suites, exchanges keying material to establish the shared secret key, and authenticates computer identities. +Audit IPsec Main Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. -Event volume: High +Audit IPsec Main Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Main Mode troubleshooting. -Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. | +| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. | +| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. | -| Event ID | Event message | -| - | - | -| 4646 | Security ID: %1 | -| 4650 | An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used. | -| 4651 | An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication. | -| 4652 | An IPsec Main Mode negotiation failed.
**Note:** This audit event returns detailed audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Additional Information, and Failure Information. | -| 4653 | An IPsec Main Mode negotiation failed.
**Note:** This audit event returns detailed audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information. | -| 4655 | An IPsec Main Mode security association ended. | -| 4976 | During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. | -| 5049 | An IPsec Security Association was deleted. | -| 5453 | An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. | -  -## Related topics +## 4646: Security ID: %1 + +## 4650: An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used. + +## 4651: An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication. + +## 4652: An IPsec Main Mode negotiation failed. + +## 4653: An IPsec Main Mode negotiation failed. + +## 4655: An IPsec Main Mode security association ended. + +## 4976: During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. + +## 5049: An IPsec Security Association was deleted. + +## 5453: An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-ipsec-quick-mode.md b/windows/keep-secure/audit-ipsec-quick-mode.md index 79de06ad17..6259aa5962 100644 --- a/windows/keep-secure/audit-ipsec-quick-mode.md +++ b/windows/keep-secure/audit-ipsec-quick-mode.md 
@@ -2,36 +2,33 @@ title: Audit IPsec Quick Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Quick Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit IPsec Quick Mode **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Quick Mode**, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. -IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers. -AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports Main Mode and Quick Mode negotiation. -Quick Mode (also known as Phase 2) IKE negotiation establishes a secure channel between two computers to protect data. Because this phase involves the establishment of security associations (SAs) that are negotiated on behalf of the IPsec service, the SAs that are created during Quick Mode are called the IPsec SAs. 
During Quick Mode, keying material is refreshed or, if necessary, new keys are generated. A protection suite that protects specified IP traffic is also selected. A protection suite is a defined set of data integrity or data encryption settings. Quick Mode is not considered a complete exchange because it is dependent on a Main Mode exchange. +Audit IPsec Quick Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. -Event volume: High +Audit IPsec Quick Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Quick Mode troubleshooting. -Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. | +| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. | +| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. | -| Event ID | Event message | -|- |- | -| 4977 | During Quick Mode negotiation, IPsec received an invalid negotiation packet. 
If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.| -| 5451 | An IPsec Quick Mode security association was established.| -| 5452 | An IPsec Quick Mode security association ended.| -  -## Related topics +## 4977: During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. + +## 5451: An IPsec Quick Mode security association was established. + +## 5452: An IPsec Quick Mode security association ended. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-kerberos-authentication-service.md b/windows/keep-secure/audit-kerberos-authentication-service.md index 85498b7404..0565b58eef 100644 --- a/windows/keep-secure/audit-kerberos-authentication-service.md +++ b/windows/keep-secure/audit-kerberos-authentication-service.md 
@@ -2,35 +2,39 @@ title: Audit Kerberos Authentication Service (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Authentication Service, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests. ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Kerberos Authentication Service **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kerberos Authentication Service**, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests. + +Audit Kerberos Authentication Service determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful attempts and Failure audits record unsuccessful attempts. -Event volume: High on Kerberos Key Distribution Center servers +**Event volume**: High on Kerberos Key Distribution Center servers. -Default: Not configured +This subcategory contains events about issued TGTs and failed TGT requests. It also contains events about failed Pre-Authentications, due to wrong user password or when the user’s password has expired. -| Event ID | Event message | -| - | - | -| 4768 | A Kerberos authentication ticket (TGT) was requested. | -| 4771 | Kerberos preauthentication failed. | -| 4772 | A Kerberos authentication ticket request failed. 
| -  -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing, because you will see all Kerberos Authentication requests (TGT requests), which are a part of domain account logons. Also, you can see the IP address from which this account requested a TGT, when TGT was requested, which encryption type was used and so on.
We recommend Failure auditing, because you will see all failed requests with wrong password, username, revoked certificate, and so on. You will also be able to detect Kerberos issues or possible attack attempts.
Expected volume is high on domain controllers. | +| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. | +| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. | + +**Events List:** + +- [4768](event-4768.md)(S, F): A Kerberos authentication ticket (TGT) was requested. + +- [4771](event-4771.md)(F): Kerberos pre-authentication failed. + +- [4772](event-4772.md)(F): A Kerberos authentication ticket request failed. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-kerberos-service-ticket-operations.md b/windows/keep-secure/audit-kerberos-service-ticket-operations.md index 5f00cf260a..5b9d7f1874 100644 --- a/windows/keep-secure/audit-kerberos-service-ticket-operations.md +++ b/windows/keep-secure/audit-kerberos-service-ticket-operations.md 
@@ -2,37 +2,39 @@ title: Audit Kerberos Service Ticket Operations (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Service Ticket Operations, which determines whether the operating system generates security audit events for Kerberos service ticket requests. ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Kerberos Service Ticket Operations **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kerberos Service Ticket Operations**, which determines whether the operating system generates security audit events for Kerberos service ticket requests. + +Audit Kerberos Service Ticket Operations determines whether the operating system generates security audit events for Kerberos service ticket requests. Events are generated every time Kerberos is used to authenticate a user who wants to access a protected network resource. Kerberos service ticket operation audit events can be used to track user activity. -Event volume: +**Event volume**: Very High on Kerberos Key Distribution Center servers. -- High on a domain controller that is in a Key Distribution Center (KDC) -- Low on domain members +This subcategory contains events about issued TGSs and failed TGS requests. 
-Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | Yes | Yes | Yes | Expected volume is very high on domain controllers.

IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. | +| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. | +| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. | -| Event ID | Event message | -| - | - | -| 4769 | A Kerberos service ticket was requested. | -| 4770 | A Kerberos service ticket was renewed. | -  -## Related topics +**Events List:** + +- [4769](event-4769.md)(S, F): A Kerberos service ticket was requested. + +- [4770](event-4770.md)(S): A Kerberos service ticket was renewed. + +- [4773](event-4773.md)(F): A Kerberos service ticket request failed. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-kernel-object.md b/windows/keep-secure/audit-kernel-object.md index 783f4c3e18..9815bc9a13 100644 --- a/windows/keep-secure/audit-kernel-object.md +++ b/windows/keep-secure/audit-kernel-object.md 
@@ -2,40 +2,45 @@ title: Audit Kernel Object (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kernel Object, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores. ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Kernel Object **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kernel Object**, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores. -Only kernel objects with a matching system access control list (SACL) generate security audit events. The audits generated are usually useful only to developers. +Audit Kernel Object determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores. -Typically, kernel objects are given SACLs only if the **AuditBaseObjects** or **AuditBaseDirectories** auditing options are enabled. +Only kernel objects with a matching system access control list ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)) generate security audit events. The audits generated are usually useful only to developers. -> **Note:**  The **Audit: Audit the access of global system objects** policy setting controls the default SACL of kernel objects. -  -Event volume: High if you have enabled one of the Global Object Access Auditing settings +Typically, kernel objects are given SACLs only if the AuditBaseObjects or AuditBaseDirectories auditing options are enabled. 
+ +The “[Audit: Audit the access of global system objects](https://technet.microsoft.com/en-us/library/jj852233.aspx)” policy setting controls the default SACL of kernel objects. + +**Event volume**: High. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | No | No | No | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high.
There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. | +| Member Server | No | No | No | No | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high.
There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. | +| Workstation | No | No | No | No | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high.
There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. | + +**Events List:** + +- [4656](event-4656.md)(S, F): A handle to an object was requested. + +- [4658](event-4658.md)(S): The handle to an object was closed. + +- [4660](event-4660.md)(S): An object was deleted. + +- [4663](event-4663.md)(S): An attempt was made to access an object. -Default setting: Not configured -| Event ID | Event message | -| - | - | -| 4659 | A handle to an object was requested with intent to delete. | -| 4660 | An object was deleted. | -| 4661 | A handle to an object was requested. | -| 4663 | An attempt was made to access an object. | -  -## Related topics -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-logoff.md b/windows/keep-secure/audit-logoff.md index 05aee8928a..152a1a0770 100644 --- a/windows/keep-secure/audit-logoff.md +++ b/windows/keep-secure/audit-logoff.md 
@@ -2,38 +2,41 @@ title: Audit Logoff (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logoff, which determines whether the operating system generates audit events when logon sessions are terminated. ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Logoff **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Logoff**, which determines whether the operating system generates audit events when logon sessions are terminated. + +Audit Logoff determines whether the operating system generates audit events when logon sessions are terminated. These events occur on the computer that was accessed. In the case of an interactive logon, these events are generated on the computer that was logged on to. -> **Note: **  There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record. -  +There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record. + Logon events are essential to understanding user activity and detecting potential attacks. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown; in this case, a logoff event is not generated. -Event volume: Low +**Event volume**: Low. -Default: Success +This subcategory allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. 
-| Event ID | Event message | -| - | - | -| 4634 | An account was logged off. | -| 4647 | User initiated logoff. | -  -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | + +**Events List:** + +- [4634](event-4634.md)(S): An account was logged off. + +- [4647](event-4647.md)(S): User initiated logoff. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-logon.md b/windows/keep-secure/audit-logon.md index fb98f6691c..99a4cb6528 100644 --- a/windows/keep-secure/audit-logon.md +++ b/windows/keep-secure/audit-logon.md 
@@ -2,44 +2,53 @@ title: Audit Logon (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logon, which determines whether the operating system generates audit events when a user attempts to log on to a computer. ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Logon **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Logon**, which determines whether the operating system generates audit events when a user attempts to log on to a computer. + +Audit Logon determines whether the operating system generates audit events when a user attempts to log on to a computer. These events are related to the creation of logon sessions and occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For a network logon, such as accessing a share, events are generated on the computer that hosts the resource that was accessed. The following events are recorded: - Logon success and failure. -- Logon attempts by using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch configurations such as scheduled tasks, or when using the Runas command. + +- Logon attempts by using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch configurations such as scheduled tasks, or when using the **RunAs** command. + - Security identifiers (SIDs) are filtered. 
Logon events are essential to tracking user activity and detecting potential attacks. -Event volume: Low on a client computer; medium on a domain controller or network server +**Event volume**: -Default: Success for client computers; success and failure for servers +- Low on a client computer. -| Event ID | Event message | -| - | - | -| 4624 | An account was successfully logged on. | -| 4625 | An account failed to log on. | -| 4648 | A logon was attempted using explicit credentials. | -| 4675 | SIDs were filtered. | -  -## Related topics +- Medium on a domain controllers or network servers. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | Yes | Yes | Yes | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.
Failure events will show you failed logon attempts and the reason why these attempts failed. | +| Member Server | Yes | Yes | Yes | Yes | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.
Failure events will show you failed logon attempts and the reason why these attempts failed. | +| Workstation | Yes | Yes | Yes | Yes | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.
Failure events will show you failed logon attempts and the reason why these attempts failed. | + +**Events List:** + +- [4624](event-4624.md)(S): An account was successfully logged on. + +- [4625](event-4625.md)(F): An account failed to log on. + +- [4648](event-4648.md)(S): A logon was attempted using explicit credentials. + +- [4675](event-4675.md)(S): SIDs were filtered. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md b/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md index 67760b944f..7ac4228370 100644 --- a/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md +++ b/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md 
@@ -2,54 +2,73 @@ title: Audit MPSSVC Rule-Level Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit MPSSVC Rule-Level Policy Change, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit MPSSVC Rule-Level Policy Change **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit MPSSVC Rule-Level Policy Change**, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). + +Audit MPSSVC Rule-Level Policy Change determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). The Microsoft Protection Service, which is used by Windows Firewall, is an integral part of the computer’s threat protection against malware. The tracked activities include: - Active policies when the Windows Firewall service starts. + - Changes to Windows Firewall rules. + - Changes to the Windows Firewall exception list. + - Changes to Windows Firewall settings. + - Rules ignored or not applied by the Windows Firewall service. + - Changes to Windows Firewall Group Policy settings. Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks. -Event volume: Low +**Event volume**: Medium. 
-Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | Yes | Yes | Yes | Success events shows you changes in Windows Firewall rules and settings, active configuration and rules after Windows Firewall Service startup and default configuration restore actions.
Failure events may help to identify configuration problems with Windows Firewall rules or settings. | +| Member Server | Yes | Yes | Yes | Yes | Success events shows you changes in Windows Firewall rules and settings, active configuration and rules after Windows Firewall Service startup and default configuration restore actions.
Failure events may help to identify configuration problems with Windows Firewall rules or settings. | +| Workstation | Yes | Yes | Yes | Yes | Success events shows you changes in Windows Firewall rules and settings, active configuration and rules after Windows Firewall Service startup and default configuration restore actions.
Failure events may help to identify configuration problems with Windows Firewall rules or settings. | -| Event ID | Event message | -| - | - | -| 4944 | The following policy was active when the Windows Firewall started. | -| 4945 | A rule was listed when the Windows Firewall started. | -| 4946 | A change has been made to Windows Firewall exception list. A rule was added. | -| 4947 | A change has been made to Windows Firewall exception list. A rule was modified. | -| 4948 | A change has been made to Windows Firewall exception list. A rule was deleted. | -| 4949 | Windows Firewall settings were restored to the default values. | -| 4950 | A Windows Firewall setting has changed. | -| 4951 | A rule has been ignored because its major version number was not recognized by Windows Firewall. | -| 4952 | Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. | -| 4953 | A rule has been ignored by Windows Firewall because it could not parse the rule. | -| 4954 | Windows Firewall Group Policy settings have changed. The new settings have been applied. | -| 4956 | Windows Firewall has changed the active profile. | -| 4957 | Windows Firewall did not apply the following rule: | -| 4958 | Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: | -  -## Related topics +**Events List:** + +- [4944](event-4944.md)(S): The following policy was active when the Windows Firewall started. + +- [4945](event-4945.md)(S): A rule was listed when the Windows Firewall started. + +- [4946](event-4946.md)(S): A change has been made to Windows Firewall exception list. A rule was added. + +- [4947](event-4947.md)(S): A change has been made to Windows Firewall exception list. A rule was modified. + +- [4948](event-4948.md)(S): A change has been made to Windows Firewall exception list. A rule was deleted. 
+ +- [4949](event-4949.md)(S): Windows Firewall settings were restored to the default values. + +- [4950](event-4950.md)(S): A Windows Firewall setting has changed. + +- [4951](event-4951.md)(F): A rule has been ignored because its major version number was not recognized by Windows Firewall. + +- [4952](event-4952.md)(F): Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. + +- [4953](event-4953.md)(F): A rule has been ignored by Windows Firewall because it could not parse the rule. + +- [4954](event-4954.md)(S): Windows Firewall Group Policy settings have changed. The new settings have been applied. + +- [4956](event-4956.md)(S): Windows Firewall has changed the active profile. + +- [4957](event-4957.md)(F): Windows Firewall did not apply the following rule: + +- [4958](event-4958.md)(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-network-policy-server.md b/windows/keep-secure/audit-network-policy-server.md index 5f060ff57e..f1cdad1e90 100644 --- a/windows/keep-secure/audit-network-policy-server.md +++ b/windows/keep-secure/audit-network-policy-server.md 
@@ -2,40 +2,53 @@ title: Audit Network Policy Server (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Network Policy Server, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock). ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Network Policy Server **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Network Policy Server**, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock). + +Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. + +If you configure this subcategory, an audit event is generated for each IAS and NAP user access request. + +This subcategory generates events only if NAS or IAS role is installed on the server. NAP events can be used to help understand the overall health of the network. -Event volume: Medium to high on servers that are running Network Policy Server (NPS); moderate on other servers or on client computers +**Event volume**: Medium to High on servers that are running [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS). -Default: Success and failure +Role-specific subcategories are outside the scope of this document. 
-| Event ID | Event message | -| - | - | -| 6272 | Network Policy Server granted access to a user. | -| 6273 | Network Policy Server denied access to a user. | -| 6274 | Network Policy Server discarded the request for a user. | -| 6275 | Network Policy Server discarded the accounting request for a user. | -| 6276 | Network Policy Server quarantined a user. | -| 6277 | Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. | -| 6278 | Network Policy Server granted full access to a user because the host met the defined health policy. | -| 6279 | Network Policy Server locked the user account due to repeated failed authentication attempts. | -| 6280 | Network Policy Server unlocked the user account. | -  -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | IF | IF | IF | IF – if a server has the [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. | +| Member Server | IF | IF | IF | IF | IF – if a server has the [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. | +| Workstation | No | No | No | No | [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS) role cannot be installed on client OS. | + +## 6272: Network Policy Server granted access to a user. 
+ +## 6273: Network Policy Server denied access to a user. + +## 6274: Network Policy Server discarded the request for a user. + +## 6275: Network Policy Server discarded the accounting request for a user. + +## 6276: Network Policy Server quarantined a user. + +## 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. + +## 6278: Network Policy Server granted full access to a user because the host met the defined health policy. + +## 6279: Network Policy Server locked the user account due to repeated failed authentication attempts. + +## 6280: Network Policy Server unlocked the user account. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-non-sensitive-privilege-use.md b/windows/keep-secure/audit-non-sensitive-privilege-use.md index e1321ebc6a..ebc770c912 100644 --- a/windows/keep-secure/audit-non-sensitive-privilege-use.md +++ b/windows/keep-secure/audit-non-sensitive-privilege-use.md 
@@ -1,68 +1,84 @@ --- -title: Audit Non-Sensitive Privilege Use (Windows 10) +title: Audit Non Sensitive Privilege Use (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used. ms.assetid: 8fd74783-1059-443e-aa86-566d78606627 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- -# Audit Non-Sensitive Privilege Use +# Audit Non Sensitive Privilege Use **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Non-Sensitive Privilege Use**, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used. -The following privileges are non-sensitive: +Audit Non Sensitive Privilege Use contains events that show usage of non-sensitive privileges. 
This is the list of non-sensitive privileges: -- **Access Credential Manager as a trusted caller** -- **Access this computer from the network** -- **Add workstations to domain** -- **Adjust memory quotas for a process** -- **Allow log on locally** -- **Allow log on through Terminal Services** -- **Bypass traverse checking** -- **Change the system time** -- **Create a page file** -- **Create global objects** -- **Create permanent shared objects** -- **Create symbolic links** -- **Deny access to this computer from the network** -- **Deny log on as a batch job** -- **Deny log on as a service** -- **Deny log on locally** -- **Deny log on through Terminal Services** -- **Force shutdown from a remote system** -- **Increase a process working set** -- **Increase scheduling priority** -- **Lock pages in memory** -- **Log on as a batch job** -- **Log on as a service** -- **Modify an object label** -- **Perform volume maintenance tasks** -- **Profile single process** -- **Profile system performance** -- **Remove computer from docking station** -- **Shut down the system** -- **Synchronize directory service data** +- Access Credential Manager as a trusted caller + +- Add workstations to domain + +- Adjust memory quotas for a process + +- Bypass traverse checking + +- Change the system time + +- Change the time zone + +- Create a page file + +- Create global objects + +- Create permanent shared objects + +- Create symbolic links + +- Force shutdown from a remote system + +- Increase a process working set + +- Increase scheduling priority + +- Lock pages in memory + +- Modify an object label + +- Perform volume maintenance tasks + +- Profile single process + +- Profile system performance + +- Remove computer from docking station + +- Shut down the system + +- Synchronize directory service data + +This subcategory also contains informational events from filesystem Transaction Manager. 
If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful attempts, and failure audits record unsuccessful attempts. -Event volume: Very high +**Event volume**: Very High. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.
IF – You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. | +| Member Server | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.
IF – You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. | +| Workstation | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.
IF – You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. | + +**Events List:** + +- [4673](event-4673.md)(S, F): A privileged service was called. + +- [4674](event-4674.md)(S, F): An operation was attempted on a privileged object. + +- [4985](event-4985.md)(S): The state of a transaction has changed. -Default: Not configured -| Event ID | Event message | -| - | - | -| 4672 | Special privileges assigned to new logon. | -| 4673 | A privileged service was called. | -| 4674 | An operation was attempted on a privileged object. | -  -## Related topics -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-other-account-logon-events.md b/windows/keep-secure/audit-other-account-logon-events.md index 57eaa771fa..194e56d11b 100644 --- a/windows/keep-secure/audit-other-account-logon-events.md +++ b/windows/keep-secure/audit-other-account-logon-events.md 
@@ -2,53 +2,27 @@ title: Audit Other Account Logon Events (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Other Account Logon Events, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Other Account Logon Events **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit Other Account Logon Events**, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. -Examples can include the following: +**General Subcategory Information:** -- Remote Desktop session disconnections -- New Remote Desktop sessions -- Locking and unlocking a workstation -- Invoking a screen saver -- Dismissing a screen saver -- Detection of a Kerberos replay attack, in which a Kerberos request with identical information was received twice +This auditing subcategory does not contain any events. It is intended for future use. - > **Note:**  This condition could be caused by a network misconfiguration. 
-   -- Access to a wireless network granted to a user or computer account -- Access to a wired 802.1x network granted to a user or computer account +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. | +| Member Server | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. | +| Workstation | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. | -Event volume: Varies, depending on system use - -Default: Not configured - -| Event ID | Event message | -| - | - | -| 4649 | A replay attack was detected. | -| 4778 | A session was reconnected to a Window Station. | -| 4779 | A session was disconnected from a Window Station. | -| 4800 | The workstation was locked. | -| 4801 | The workstation was unlocked. | -| 4802 | The screen saver was invoked. | -| 4803 | The screen saver was dismissed. | -| 5378 | The requested credentials delegation was disallowed by policy. | -| 5632 | A request was made to authenticate to a wireless network. | -| 5633 | A request was made to authenticate to a wired network. | -  -## Related topics - -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-other-account-management-events.md b/windows/keep-secure/audit-other-account-management-events.md index 737c91e478..20b82aa409 100644 --- a/windows/keep-secure/audit-other-account-management-events.md 
+++ b/windows/keep-secure/audit-other-account-management-events.md 
@@ -2,38 +2,39 @@ title: Audit Other Account Management Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Account Management Events, which determines whether the operating system generates user account management audit events. ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Other Account Management Events **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Account Management Events**, which determines whether the operating system generates user account management audit events. -Events can be generated for user account management auditing when: +Audit Other Account Management Events determines whether the operating system generates user account management audit events. -- The password hash of an account is accessed. This typically happens when the Active Directory Migration Tool (ADMT) is moving password data. -- The Password Policy Checking application programming interface (API) is called. Calls to this function could be part of an attack from a malicious application that is testing whether password complexity policy settings are being applied. -- Changes are made to domain policy under **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** or **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy**. -> **Note:**  These events are logged when the domain policy is applied (on refresh or restart), not when settings are modified by an administrator. -  -Event volume: Low +**Event volume:** Typically Low on all types of computers. 
-Default: Not configured +This subcategory allows you to audit next events: -| Event ID | Event message | -| - | - | -| 4782 | The password hash for an account was accessed. | -| 4793 | The Password Policy Checking API was called. | -  -## Related topics +- The password hash of a user account was accessed. This happens during an Active Directory Management Tool password migration. + +- The Password Policy Checking API was called. Password Policy Checking API allows an application to check password compliance against an application-provided account database or single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | The only reason to enable Success auditing on domain controllers is to monitor “[4782](event-4782.md)(S): The password hash an account was accessed.”
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | No | No | No | No | The only event which is generated on Member Servers is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | No | No | No | No | The only event which is generated on Workstations is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | + +**Events List:** + +- [4782](event-4782.md)(S): The password hash an account was accessed. + +- [4793](event-4793.md)(S): The Password Policy Checking API was called. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-other-logonlogoff-events.md b/windows/keep-secure/audit-other-logonlogoff-events.md index 14b371601d..cceda79c69 100644 --- a/windows/keep-secure/audit-other-logonlogoff-events.md +++ b/windows/keep-secure/audit-other-logonlogoff-events.md 
@@ -2,50 +2,65 @@ title: Audit Other Logon/Logoff Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, which determines whether Windows generates audit events for other logon or logoff events. ms.assetid: 76d987cd-1917-4907-a739-dd642609a458 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Other Logon/Logoff Events **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Logon/Logoff Events**, which determines whether Windows generates audit events for other logon or logoff events. + +Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events. These other logon or logoff events include: - A Remote Desktop session connects or disconnects. + - A workstation is locked or unlocked. + - A screen saver is invoked or dismissed. + - A replay attack is detected. This event indicates that a Kerberos request was received twice with identical information. This condition could also be caused by network misconfiguration. -- A user is granted access to a wireless network. It can either be a user account or the computer account. -- A user is granted access to a wired 802.1x network. It can either be a user account or the computer account. + +- A user is granted access to a wireless network. It can be either a user account or the computer account. + +- A user is granted access to a wired 802.1x network. It can be either a user account or the computer account. Logon events are essential to understanding user activity and detecting potential attacks. -Event volume: Low +**Event volume**: Low. 
-Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible Kerberos replay attacks, terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. | +| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. | +| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. | -| Event ID | Event message | -| - | - | -| 4649 | A replay attack was detected. | -| 4778 | A session was reconnected to a Window Station. | -| 4779 | A session was disconnected from a Window Station. | -| 4800 | The workstation was locked. | -| 4801 | The workstation was unlocked. | -| 4802 | The screen saver was invoked. | -| 4803 | The screen saver was dismissed. | -| 5378 | The requested credentials delegation was disallowed by policy. | -| 5632 | A request was made to authenticate to a wireless network. | -| 5633 | A request was made to authenticate to a wired network. | -  -## Related topics +**Events List:** + +- [4649](event-4649.md)(S): A replay attack was detected. + +- [4778](event-4778.md)(S): A session was reconnected to a Window Station. + +- [4779](event-4779.md)(S): A session was disconnected from a Window Station. + +- [4800](event-4800.md)(S): The workstation was locked. + +- [4801](event-4801.md)(S): The workstation was unlocked. + +- [4802](event-4802.md)(S): The screen saver was invoked. + +- [4803](event-4803.md)(S): The screen saver was dismissed. + +- [5378](event-5378.md)(F): The requested credentials delegation was disallowed by policy. + +- [5632](event-5632.md)(S): A request was made to authenticate to a wireless network. + +- [5633](event-5633.md)(S): A request was made to authenticate to a wired network. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-other-object-access-events.md b/windows/keep-secure/audit-other-object-access-events.md index 71b1ee1965..4501674589 100644 --- a/windows/keep-secure/audit-other-object-access-events.md +++ b/windows/keep-secure/audit-other-object-access-events.md 
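Review bot: The wording "Failure events will show you when requested credentials [CredSSP](...) delegation was disallowed by policy", repeated in all three Comments cells, splits the phrase "credentials delegation" with the link and reads awkwardly; suggest "Failure events show when a requested credential delegation (CredSSP) was disallowed by policy", which also mirrors the only Failure event in the list, "5378 (F): The requested credentials delegation was disallowed by policy." Since the same Comments text is copied verbatim into the Domain Controller, Member Server and Workstation rows, the fix has to be applied three times.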
@@ -2,55 +2,53 @@ title: Audit Other Object Access Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Object Access Events, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects. ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Other Object Access Events **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Object Access Events**, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects. -For scheduler jobs, the following actions are audited: +Audit Other Object Access Events allows you to monitor operations with scheduled tasks, COM+ objects and indirect object access requests. -- Job created. -- Job deleted. -- Job enabled. -- Job disabled. -- Job updated. +**Event volume**: Low. -For COM+ objects, the following actions are audited: +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.
We recommend Failure auditing to get events about possible ICPM DoS attack. | +| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.
We recommend Failure auditing to get events about possible ICPM DoS attack. | +| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.
We recommend Failure auditing to get events about possible ICPM DoS attack. | -- Catalog object added. -- Catalog object updated. -- Catalog object deleted. +**Events List:** -Event volume: Low +- [4671](event-4671.md)(-): An application attempted to access a blocked ordinal through the TBS. -Default: Not configured +- [4691](event-4691.md)(S): Indirect access to an object was requested. -| Event ID | Event message | -| - | - | -| 4671 | An application attempted to access a blocked ordinal through the TBS. | -| 4691 | Indirect access to an object was requested. | -| 4698 | A scheduled task was created. | -| 4699 | A scheduled task was deleted. | -| 4700 | A scheduled task was enabled. | -| 4701 | A scheduled task was disabled. | -| 4702 | A scheduled task was updated. | -| 5148 | The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. | -| 5149 | The DoS attack has subsided and normal processing is being resumed. | -| 5888 | An object in the COM+ Catalog was modified. | -| 5889 | An object was deleted from the COM+ Catalog. | -| 5890 | An object was added to the COM+ Catalog. | -  -## Related topics +- [5148](event-5148.md)(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. + +- [5149](event-5149.md)(F): The DoS attack has subsided and normal processing is being resumed. + +- [4698](event-4698.md)(S): A scheduled task was created. + +- [4699](event-4699.md)(S): A scheduled task was deleted. + +- [4700](event-4700.md)(S): A scheduled task was enabled. + +- [4701](event-4701.md)(S): A scheduled task was disabled. + +- [4702](event-4702.md)(S): A scheduled task was updated. + +- [5888](event-5888.md)(S): An object in the COM+ Catalog was modified. + +- [5889](event-5889.md)(S): An object was deleted from the COM+ Catalog. 
+ +- [5890](event-5890.md)(S): An object was added to the COM+ Catalog. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-other-policy-change-events.md b/windows/keep-secure/audit-other-policy-change-events.md index 7e2c53404a..81cb8c52aa 100644 --- a/windows/keep-secure/audit-other-policy-change-events.md +++ b/windows/keep-secure/audit-other-policy-change-events.md 
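Review bot: Typo in all three Comments cells: "We recommend Failure auditing to get events about possible ICPM DoS attack." should read "ICMP", and "attack" wants an article ("a possible ICMP DoS attack"); the events this refers to are the two Windows Filtering Platform entries listed as (F), 5148 and 5149. Separately, the Events List is no longer in numeric order: 5148 and 5149 sit between 4691 and 4698, while every other subcategory page in this change lists events ascending, so moving them after 4702 would keep the pages consistent.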
@@ -2,50 +2,61 @@ title: Audit Other Policy Change Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Policy Change Events, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category. ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Other Policy Change Events **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Policy Change Events**, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category. -These other activities in the Policy Change category that can be audited include: +Audit Other Policy Change Events contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations. -- Trusted Platform Module (TPM) configuration changes. -- Kernel-mode cryptographic self tests. -- Cryptographic provider operations. -- Cryptographic context operations or modifications. +**Event volume**: Low. 
-Event volume: Low +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | Yes | IF | Yes | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.
We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. | +| Member Server | IF | Yes | IF | Yes | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.
We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. | +| Workstation | IF | Yes | IF | Yes | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.
We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. | -Default: Not configured +**Events List:** -| Event ID | Event message | -| - | - | -| 4670 | Permissions on an object were changed. | -| 4909 | The local policy settings for the TBS were changed. | -| 4910 | The group policy settings for the TBS were changed. | -| 5063 | A cryptographic provider operation was attempted. | -| 5064 | A cryptographic context operation was attempted. | -| 5065 | A cryptographic context modification was attempted. | -| 5066 | A cryptographic function operation was attempted. | -| 5067 | A cryptographic function modification was attempted. | -| 5068 | A cryptographic function provider operation was attempted. | -| 5069 | A cryptographic function property operation was attempted. | -| 5070 | A cryptographic function property modification was attempted. | -| 5447 | A Windows Filtering Platform filter has been changed. | -| 6144 | Security policy in the group policy objects has been applied successfully. | -| 6145 | One or more errors occurred while processing security policy in the group policy objects. | -  -## Related topics +- [4714](event-4714.md)(S): Encrypted data recovery policy was changed. + +- [4819](event-4819.md)(S): Central Access Policies on the machine have been changed. + +- [4826](event-4826.md)(S): Boot Configuration Data loaded. + +- [4909](event-4909.md)(-): The local policy settings for the TBS were changed. + +- [4910](event-4910.md)(-): The group policy settings for the TBS were changed. + +- [5063](event-5063.md)(S, F): A cryptographic provider operation was attempted. + +- [5064](event-5064.md)(S, F): A cryptographic context operation was attempted. + +- [5065](event-5065.md)(S, F): A cryptographic context modification was attempted. + +- [5066](event-5066.md)(S, F): A cryptographic function operation was attempted. 
+ +- [5067](event-5067.md)(S, F): A cryptographic function modification was attempted. + +- [5068](event-5068.md)(S, F): A cryptographic function provider operation was attempted. + +- [5069](event-5069.md)(S, F): A cryptographic function property operation was attempted. + +- [5070](event-5070.md)(S, F): A cryptographic function property modification was attempted. + +- [5447](event-5447.md)(S): A Windows Filtering Platform filter has been changed. + +- [6144](event-6144.md)(S): Security policy in the group policy objects has been applied successfully. + +- [6145](event-6145.md)(F): One or more errors occurred while processing security policy in the group policy objects. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-other-privilege-use-events.md b/windows/keep-secure/audit-other-privilege-use-events.md index 839251f763..a411c1b6b4 100644 --- a/windows/keep-secure/audit-other-privilege-use-events.md +++ b/windows/keep-secure/audit-other-privilege-use-events.md 
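Review bot: The new opening sentence is hard to parse: "changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes" mixes singular and plural and loses the subject mid-list; suggest "changes to Windows Filtering Platform filters, the status of security policy updates applied from Group Policy, Central Access Policy changes". The "IF" legend in the Comments column is also copied verbatim into all three rows; stating it once above the table (or trimming the repeats) would make the table readable, and the explanation for 5447 could drop the dash construction "has been changed\"—this event generates many times" in favour of "because event 5447 is generated many times during Group Policy updates".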
@@ -2,21 +2,31 @@ title: Audit Other Privilege Use Events (Windows 10) description: This security policy setting is not used. ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Other Privilege Use Events **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 + + +This auditing subcategory should not have any events in it, but for some reason Success auditing will enable generation of event 4985(S): The state of a transaction has changed. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------| +| Domain Controller | No | No | No | No | This auditing subcategory doesn’t have any informative events inside. | +| Member Server | No | No | No | No | This auditing subcategory doesn’t have any informative events inside. | +| Workstation | No | No | No | No | This auditing subcategory doesn’t have any informative events inside. | + +**Events List:** + +- [4985](event-4674.md)(S): The state of a transaction has changed. + -This security policy setting is not used. -## Related topics -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-other-system-events.md b/windows/keep-secure/audit-other-system-events.md index 2b28658209..91f62b06de 100644 --- a/windows/keep-secure/audit-other-system-events.md +++ b/windows/keep-secure/audit-other-system-events.md 
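Review bot: Link target mismatch in the Events List: `- [4985](event-4674.md)(S): The state of a transaction has changed.` points at event-4674.md, while every other list item in this change links to event-NNNN.md for its own number, so this should be `event-4985.md`. Also, "but for some reason Success auditing will enable generation of event 4985(S)" is informal for a reference page; "although Success auditing nevertheless generates event 4985(S): The state of a transaction has changed." says the same thing in the register of the other pages.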
@@ -2,59 +2,87 @@ title: Audit Other System Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other System Events, which determines whether the operating system audits various system events. ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Other System Events **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other System Events**, which determines whether the operating system audits various system events. + +Audit Other System Events contains Windows Firewall Service and Windows Firewall driver start and stop events, failure events for these services and Windows Firewall Service policy processing failures. + +Audit Other System Events determines whether the operating system audits various system events. The system events in this category include: - Startup and shutdown of the Windows Firewall service and driver. + - Security policy processing by the Windows Firewall service. + - Cryptography key file and migration operations. -> **Important:**  Failure to start the Windows Firewall service may result in a computer that is not fully protected against network threats. -  -Event volume: Low +- BranchCache events. -Default: Success and failure +**Event volume**: Low. -| Event ID | Event message | -| - | - | -| 5024 | The Windows Firewall Service has started successfully. | -| 5025 | The Windows Firewall Service has been stopped. | -| 5027 | The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. | -| 5028 | The Windows Firewall Service was unable to parse the new security policy. 
The service will continue with currently enforced policy. | -| 5029 | The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. | -| 5030 | The Windows Firewall Service failed to start. | -| 5032 | Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.| -| 5033 | The Windows Firewall Driver has started successfully. | -| 5034 | The Windows Firewall Driver has been stopped. | -| 5035 | The Windows Firewall Driver failed to start. | -| 5037 | The Windows Firewall Driver detected critical runtime error. Terminating.| -| 5058 | Key file operation. | -| 5059 | Key migration operation.| -| 6400 | BranchCache: Received an incorrectly formatted response while discovering availability of content.| -| 6401 | BranchCache: Received invalid data from a peer. Data discarded. | -| 6402 | BranchCache: The message to the hosted cache offering it data is incorrectly formatted.| -| 6403 | BranchCache: The hosted cache sent an incorrectly formatted response to the client. | -| 6404 | BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.| -| 6405 | BranchCache: %2 instance(s) of event id %1 occurred. 
| -| 6406 | %1 registered to Windows Firewall to control filtering for the following: %2| -| 6407 | 1% | -| 6408 | Registered product %1 failed and Windows Firewall is now controlling the filtering for %2 | -  -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | Yes | Yes | Yes | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. | +| Member Server | Yes | Yes | Yes | Yes | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. | +| Workstation | Yes | Yes | Yes | Yes | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. | + +**Events List:** + +- [5024](event-5024.md)(S): The Windows Firewall Service has started successfully. + +- [5025](event-5025.md)(S): The Windows Firewall Service has been stopped. + +- [5027](event-5027.md)(F): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. + +- [5028](event-5028.md)(F): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. + +- [5029](event-5029.md)(F): The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. + +- [5030](event-5030.md)(F): The Windows Firewall Service failed to start. 
+ +- [5032](event-5032.md)(F): Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. + +- [5033](event-5033.md)(S): The Windows Firewall Driver has started successfully. + +- [5034](event-5034.md)(S): The Windows Firewall Driver was stopped. + +- [5035](event-5035.md)(F): The Windows Firewall Driver failed to start. + +- [5037](event-5037.md)(F): The Windows Firewall Driver detected critical runtime error. Terminating. + +- [5058](event-5058.md)(S, F): Key file operation. + +- [5059](event-5059.md)(S, F): Key migration operation. + +- [6400](event-6400.md)(-): BranchCache: Received an incorrectly formatted response while discovering availability of content. + +- [6401](event-6401.md)(-): BranchCache: Received invalid data from a peer. Data discarded. + +- [6402](event-6402.md)(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted. + +- [6403](event-6403.md)(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client. + +- [6404](event-6404.md)(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. + +- [6405](event-6405.md)(-): BranchCache: %2 instance(s) of event id %1 occurred. + +- [6406](event-6406.md)(-): %1 registered to Windows Firewall to control filtering for the following: %2 + +- [6407](event-6407.md)(-): 1% + +- [6408](event-6408.md)(-): Registered product %1 failed and Windows Firewall is now controlling the filtering for %2 + +- [6409](event-6408.md)(-): BranchCache: A service connection point object could not be parsed. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-pnp-activity.md b/windows/keep-secure/audit-pnp-activity.md index aef1c0ae47..bef34f8715 100644 --- a/windows/keep-secure/audit-pnp-activity.md +++ b/windows/keep-secure/audit-pnp-activity.md 
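Review bot: Link target mismatch at the end of the Events List: `- [6409](event-6408.md)(-): BranchCache: A service connection point object could not be parsed.` links to event-6408.md and should be `event-6409.md`. The hunk also removes the callout "> **Important:** Failure to start the Windows Firewall service may result in a computer that is not fully protected against network threats." without a replacement, even though the events it relates to (5030 and 5035, both (F)) stay in the list; keeping that note near the table would preserve the operational caveat. Finally, the two new opening paragraphs overlap ("Audit Other System Events contains Windows Firewall Service and Windows Firewall driver start and stop events..." followed by "Audit Other System Events determines whether the operating system audits various system events."); merging them into one paragraph before the bullet list would avoid the repetition.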
@@ -2,32 +2,45 @@ title: Audit PNP Activity (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit PNP Activity, which determines when plug and play detects an external device. ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit PNP Activity **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit PNP Activity**, which determines when plug and play detects an external device. -A PnP audit event can be used to track down changes in system hardware and will be logged on the machine where the change took place. For example, when a keyboard is plugged into a PC a PnP event is triggered. +Audit PNP Activity determines when Plug and Play detects an external device. -Event volume: Varies, depending on how the computer is used +A PnP audit event can be used to track down changes in system hardware and will be logged on the machine where the change took place. For example, when a keyboard is plugged into a computer, a PnP event is triggered. -Default: Not configured +**Event volume**: Varies, depending on how the computer is used. Typically Low. -| Event ID | Event message | -| - | - | -| 6416 | A new external device was recognized by the system. 
| -  -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy.
You can track, for example, whether a USB flash drive or stick was attached to a domain controller, which is typically not allowed.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy.
You can track, for example, whether a USB flash drive or stick was attached to a critical server, which is typically not allowed.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy.
You can track, for example, whether a USB flash drive or stick was attached to an administrative workstation or VIP workstation.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | + +**Events List:** + +- [6416](event-6416.md)(S): A new external device was recognized by the System + +- [6419](event-6419.md)(S): A request was made to disable a device + +- [6420](event-6420.md)(S): A device was disabled. + +- [6421](event-6421.md)(S): A request was made to enable a device. + +- [6422](event-6422.md)(S): A device was enabled. + +- [6423](event-6423.md)(S): The installation of this device is forbidden by system policy. + +- [6424](event-6424.md)(S): The installation of this device was allowed, after having previously been forbidden by policy. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-policy.md b/windows/keep-secure/audit-policy.md index 87cf555f43..2cd2c8cd95 100644 --- a/windows/keep-secure/audit-policy.md +++ b/windows/keep-secure/audit-policy.md @@ -2,7 +2,7 @@ title: Audit Policy (Windows 10) description: Provides information about basic audit policies that are available in Windows and links to information about each setting. ms.assetid: 2e8ea400-e555-43e5-89d6-0898cb89da90 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-process-creation.md b/windows/keep-secure/audit-process-creation.md index dbe4b6bc69..9616b172bf 100644 --- a/windows/keep-secure/audit-process-creation.md +++ b/windows/keep-secure/audit-process-creation.md 
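Review bot: Inconsistent punctuation and capitalisation in the Events List: "6416 (S): A new external device was recognized by the System" and "6419 (S): A request was made to disable a device" have no terminating period and 6416 capitalises "System", while the remaining five items end with a period and the removed table row read "recognized by the system."; suggest normalising both to lower-case "system" with a trailing period. The Comments column correctly explains why the Failure cells are "No", but that explanation and the preceding two sentences are pasted verbatim into all three rows; only the example device target differs, so the shared text could be stated once above the table. The neighbouring audit-policy.md hunk only lowercases `ms.prod` and needs no change.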
@@ -2,34 +2,37 @@ title: Audit Process Creation (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Creation, which determines whether the operating system generates audit events when a process is created (starts). ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Process Creation **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Process Creation**, which determines whether the operating system generates audit events when a process is created (starts). + +Audit Process Creation determines whether the operating system generates audit events when a process is created (starts). These audit events can help you track user activity and understand how a computer is being used. Information includes the name of the program or the user that created the process. -Event volume: Low to medium, depending on system usage +**Event volume**: Low to Medium, depending on system usage. -Default: Not configured +This subcategory allows you to audit events generated when a process is created or starts. The name of the application and user that created the process is also audited. 
-| Event ID | Event message | -| - | - | -| 4688 | A new process has been created.| -| 4696 | A primary token was assigned to a process.| -  -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process.
Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.
The event volume is typically medium-high level, depending on the process activity on the computer.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | Yes | No | Yes | No | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process.
Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.
The event volume is typically medium-high level, depending on the process activity on the computer.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | Yes | No | Yes | No | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process.
Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.
The event volume is typically medium-high level, depending on the process activity on the computer.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | + +**Events List:** + +- [4688](event-4688.md)(S): A new process has been created. + +- [4696](event-4696.md)(S): A primary token was assigned to process. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-process-termination.md b/windows/keep-secure/audit-process-termination.md index 4208a938c3..493f39cc30 100644 --- a/windows/keep-secure/audit-process-termination.md +++ b/windows/keep-secure/audit-process-termination.md 
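Review bot: In the Events List of the Audit Process Creation hunk, the 4696 entry reads "A primary token was assigned to process." and has lost the article that the removed table had ("to a process"); restore it so the list matches the event's message text. In the three Comments cells, "to find information who, when and with which options\\parameters ran specific process" should read "to find out who ran a specific process, when, and with which options/parameters", and "analyse" should be "analyze" to match the spelling the Audit Registry hunk in this same patch uses ("how to use and analyze the collected information").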
@@ -2,37 +2,35 @@ title: Audit Process Termination (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Termination, which determines whether the operating system generates audit events when an attempt is made to end a process. ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Process Termination **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Process Termination**, which determines whether the operating system generates audit events when an attempt is made to end a process. + +Audit Process Termination determines whether the operating system generates audit events when process has exited. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a process ends. - This policy setting can help you track user activity and understand how the computer is used. -Event volume: Varies, depending on how the computer is used +**Event volume**: Low to Medium, depending on system usage. 
-Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event.
If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event.
If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event.
If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Event ID | Event message | -| - | - | -| 4689 | A process has exited. | +**Events List:** -## Related topics +- [4689](event-4689.md)(S): A process has exited. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-registry.md b/windows/keep-secure/audit-registry.md index 40ea22bf27..ad25025bc9 100644 --- a/windows/keep-secure/audit-registry.md +++ b/windows/keep-secure/audit-registry.md 
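Review bot: The new intro of the Audit Process Termination hunk says "Success audits record successful attempts and Failure audits record unsuccessful attempts", but every Comments cell in the table states that this subcategory has no Failure events; drop the Failure clause from the intro so the two statements do not contradict each other. "when process has exited" needs an article ("when a process has exited"), and "get information about for how long process was run in correlation with 4688" should read "find out how long a process ran by correlating with 4688". The Applies to list also swaps "Windows 10 Mobile" for "Windows Server 2016" with no mention in the description; confirm the Mobile removal is intentional, since the same swap is repeated in the Registry, SAM and Security State Change files in this patch.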
@@ -2,37 +2,45 @@ title: Audit Registry (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Registry, which determines whether the operating system generates audit events when users attempt to access registry objects. ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Registry **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Registry**, which determines whether the operating system generates audit events when users attempt to access registry objects. -Audit events are generated only for objects that have configured system access control lists (SACLs) specified, and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL. +Audit Registry allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. -If success auditing is enabled, an audit entry is generated each time any account successfully accesses a registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a registry object that has a matching -SACL. +If success auditing is enabled, an audit entry is generated each time any account successfully accesses a registry object that has a matching SACL. 
If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a registry object that has a matching SACL. -Event volume: Low to medium, depending on how registry SACLs are configured +**Event volume**: Low to Medium, depending on how registry SACLs are configured. -Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a Registry Objects Security Monitoring policy and define appropriate [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s for registry objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s. 
Otherwise the auditing log will be overloaded with useless information.
Failure events can show you unsuccessful attempts to access specific registry objects.
Consider enabling this subcategory for critical computers first, after you develop a Registry Objects Security Monitoring policy for them. | +| Member Server | IF | IF | IF | IF | | +| Workstation | IF | IF | IF | IF | | -| Event ID | Event message | -| - | - | -| 4657 | A registry value was modified. | -| 5039 | A registry key was virtualized. | -  -## Related topics +**Events List:** + +- [4663](event-4663.md)(S): An attempt was made to access an object. + +- [4656](event-4656.md)(S, F): A handle to an object was requested. + +- [4658](event-4658.md)(S): The handle to an object was closed. + +- [4660](event-4660.md)(S): An object was deleted. + +- [4657](event-4657.md)(S): A registry value was modified. + +- [5039](event-5039.md)(-): A registry key was virtualized. + +- [4670](event-4670.md)(S): Permissions on an object were changed. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-removable-storage.md b/windows/keep-secure/audit-removable-storage.md index 1892857f3e..de2555c64a 100644 --- a/windows/keep-secure/audit-removable-storage.md +++ b/windows/keep-secure/audit-removable-storage.md 
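Review bot: In the Audit Registry Events List, 5039 is tagged "(-)" while every other entry is tagged (S) or (S, F); either apply the same Success/Failure marker convention or explain what "-" denotes. The list is also out of order (4663, 4656, 4658, 4660, 4657, 5039, 4670) while the other topics in this patch list events by ascending ID; sort it. The Member Server and Workstation rows have empty Comments cells even though the Domain Controller guidance about defining SACLs and deleting excess ones applies to all three computer types; either repeat it or reference the Domain Controller row so a reader landing on those rows does not conclude there is no recommendation.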
@@ -2,128 +2,35 @@ title: Audit Removable Storage (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Removable Storage, which determines when there is a read or a write to a removable drive. ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Removable Storage **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Removable Storage**, which determines when there is a read or a write to a removable drive. -Event volume: Low +Audit Removable Storage allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects and all types of access requested, with no dependency on object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx). 
+ +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | Yes | Yes | Yes | This subcategory will help identify when and which files or folders were accessed or modified on removable devices.
It is often useful to track actions with removable storage devices and the files or folders on them, because malicious software very often uses removable devices as a method to get into the system. At the same time, you will be able to track which files were written or executed from a removable storage device.
You can track, for example, actions with files or folders on USB flash drives or sticks that were inserted into domain controllers or high value servers, which is typically not allowed.
We recommend Failure auditing to track failed access attempts. | +| Member Server | Yes | Yes | Yes | Yes | | +| Workstation | Yes | Yes | Yes | Yes | | + +**Events List:** + +- [4656](event-4656.md)(S, F): A handle to an object was requested. + +- [4658](event-4658.md)(S): The handle to an object was closed. + +- [4663](event-4663.md)(S): An attempt was made to access an object. -Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4663

An attempt was made to access an object.

-

Subject:

-

Security ID: %1

-

Account Name: %2

-

Account Domain: %3

-

Logon ID: %4

-

Object:

-

Object Server: %5

-

Object Type: %6

-

Object Name: %7

-

Handle ID: %8

-

Process Information:

-

Process ID: %11

-

Process Name: %12

-

Access Request Information:

-

Accesses: %9

-

Access Mask: %10

4659

A handle to an object was requested with intent to delete.

-

Subject:

-

Security ID: %1

-

Account Name: %2

-

Account Domain: %3

-

Logon ID: %4

-

Object:

-

Object Server: %5

-

Object Type: %6

-

Object Name: %7

-

Handle ID: %8

-

Process Information:

-

Process ID: %13

-

Access Request Information:

-

Transaction ID: %9

-

Accesses: %10

-

Access Mask: %11

-

Privileges Used for Access Check: %12

4818

Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.

-

Subject:

-

Security ID: %1

-

Account Name: %2

-

Account Domain: %3

-

Logon ID: %4

-

Object:

-

Object Server: %5

-

Object Type: %6

-

Object Name: %7

-

Handle ID: %8

-

Process Information:

-

Process ID: %9

-

Process Name: %10

-

Current Central Access Policy results:

-

Access Reasons: %11

-

Proposed Central Access Policy results that differ from the current Central Access Policy results:

-

Access Reasons: %12

4656

A handle to an object was requested.

-

Subject:

-

Security ID: %1

-

Account Name: %2

-

Account Domain: %3

-

Logon ID: %4

-

Object:

-

Object Server: %5

-

Object Type: %6

-

Object Name: %7

-

Handle ID: %8

-

Resource Attributes: %17

-

Process Information:

-

Process ID: %15

-

Process Name: %16

-

Access Request Information:

-

Transaction ID: %9

-

Accesses: %10

-

Access Reasons: %11

-

Access Mask: %12

-

Privileges Used for Access Check: %13

-

Restricted SID Count: %14

-  -## Related topics -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-rpc-events.md b/windows/keep-secure/audit-rpc-events.md index dfb512694b..69b62bbff7 100644 --- a/windows/keep-secure/audit-rpc-events.md +++ b/windows/keep-secure/audit-rpc-events.md 
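Review bot: The Audit Removable Storage hunk removes "Event volume: Low" without adding the bold "**Event volume**" line that the other rewritten topics in this patch keep (Process Termination, Registry, SAM and Security Group Management all have one); add it back. The removed table listed 4659 (handle requested with intent to delete) and 4818 (proposed Central Access Policy differs from current) for this subcategory, but the new Events List keeps only 4656, 4658 and 4663; state whether those two were dropped deliberately or restore them. As in the Registry hunk, the Member Server and Workstation Comments cells are left empty although the Domain Controller comment (tracking files written or executed from removable media, Failure auditing for failed access attempts) applies to every computer type.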
@@ -2,32 +2,29 @@ title: Audit RPC Events (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit RPC Events, which determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made. ms.assetid: 868aec2d-93b4-4bc8-a150-941f88838ba6 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit RPC Events **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit RPC Events**, which determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made. -RPC is a technology for creating distributed client/server programs. RPC is an interprocess communication technique that enables client and server software to communicate. For more information, see [What Is RPC?](http://technet.microsoft.com/library/cc787851.aspx). +Audit RPC Events determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made. -Event volume: High on RPC servers +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------| +| Domain Controller | No | No | No | No | Events in this subcategory occur rarely. | +| Member Server | No | No | No | No | Events in this subcategory occur rarely. | +| Workstation | No | No | No | No | Events in this subcategory occur rarely. | -Default: Not configured +**Events List:** -| Event ID | Event message | -| - | - | -| 5712 | A Remote Procedure Call (RPC) was attempted. 
| -  -## Related topics +- [5712](event-5712.md)(S): A Remote Procedure Call (RPC) was attempted. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-sam.md b/windows/keep-secure/audit-sam.md index c682e87a89..49b763f835 100644 --- a/windows/keep-secure/audit-sam.md +++ b/windows/keep-secure/audit-sam.md 
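Review bot: The Audit RPC Events hunk replaces "Event volume: High on RPC servers" with table comments saying "Events in this subcategory occur rarely", which is the opposite claim; keep a bold "**Event volume**" line consistent with the sibling topics and make it agree with the table. The hunk also drops the one-sentence RPC definition together with the "What Is RPC?" link, so the remaining intro assumes the reader already knows what an inbound RPC connection is; consider keeping that link.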
@@ -2,52 +2,55 @@ title: Audit SAM (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects. ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit SAM **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit SAM**, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects. + +Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager ([SAM](https://technet.microsoft.com/en-us/library/cc756748(v=ws.10).aspx)) objects. The Security Account Manager (SAM) is a database that is present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer. -SAM objects include the following: +- SAM objects include the following: - SAM\_ALIAS: A local group + - SAM\_GROUP: A group that is not a local group + - SAM\_USER: A user account + - SAM\_DOMAIN: A domain + - SAM\_SERVER: A computer account If you configure this policy setting, an audit event is generated when a SAM object is accessed. Success audits record successful attempts, and failure audits record unsuccessful attempts. -> **Note:**  Only the SACL for SAM\_SERVER can be modified. -  +Only a [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) for SAM\_SERVER can be modified. + Changes to user and group objects are tracked by the Account Management audit category. 
However, user accounts with enough privileges could potentially alter the files in which the account and password information is stored in the system, bypassing any Account Management events. -Event volume: High on domain controllers +**Event volume**: High on domain controllers. -> **Note:**  For information about reducing the number of events generated in this subcategory, see [KB841001](http://go.microsoft.com/fwlink/p/?LinkId=121698). -  -Default setting: Not configured +For information about reducing the number of events generated in this subcategory, see [KB841001](https://support.microsoft.com/en-us/kb/841001). -| Event ID | Event message | -| - | - | -| 4659 | A handle to an object was requested with intent to delete.| -| 4660 | An object was deleted. | -| 4661 | A handle to an object was requested.| -| 4663 | An attempt was made to access an object.| -  -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](https://technet.microsoft.com/en-us/library/cc756748(v=ws.10).aspx) level. | +| Member Server | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](https://technet.microsoft.com/en-us/library/cc756748(v=ws.10).aspx) level. 
| +| Workstation | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](https://technet.microsoft.com/en-us/library/cc756748(v=ws.10).aspx) level. | + +**Events List:** + +- [4661](event-4661.md)(S, F): A handle to an object was requested. + +# -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-security-group-management.md b/windows/keep-secure/audit-security-group-management.md index 65d91ba967..17c4f1861e 100644 --- a/windows/keep-secure/audit-security-group-management.md +++ b/windows/keep-secure/audit-security-group-management.md 
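Review bot: "Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects." is a sentence fragment; drop ", which" so it reads "Audit SAM enables you to audit events ...". The line "SAM objects include the following:" has been given a leading "- " and now renders as a bullet itself, so SAM_ALIAS through SAM_SERVER no longer read as the list under it; remove the prefix. The new Events List keeps only 4661 although the removed table listed 4659, 4660 and 4663 for this subcategory; confirm those were dropped on purpose. The hunk also adds an empty "# " heading at the end of the file that should be removed.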
@@ -2,52 +2,91 @@ title: Audit Security Group Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Security Group Management, which determines whether the operating system generates audit events when specific security group management tasks are performed. ms.assetid: ac2ee101-557b-4c84-b9fa-4fb23331f1aa -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Security Group Management **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit Security Group Management**, which determines whether the operating system generates audit events when specific security group management tasks are performed. -Tasks for security group management include: +Audit Security Group Management determines whether the operating system generates audit events when specific security group management tasks are performed. -- A security group is created, changed, or deleted. -- A member is added to or removed from a security group. -- A group's type is changed. -Security groups can be used for access control permissions and also as distribution lists. +**Event volume**: Low. -Event volume: Low +This subcategory allows you to audit events generated by changes to security groups such as the following: -Default: Success +- Security group is created, changed, or deleted. -| Event ID | Event message | -| - | - | -| 4727 | A security-enabled global group was created. | -| 4728 | A member was added to a security-enabled global group. | -| 4729 | A member was removed from a security-enabled global group. | -| 4730 | A security-enabled global group was deleted. | -| 4731 | A security-enabled local group was created. 
| -| 4732 | A member was added to a security-enabled local group.| -| 4733 | A member was removed from a security-enabled local group.| -| 4734 | A security-enabled local group was deleted. | -| 4735 | A security-enabled local group was changed. | -| 4737 | A security-enabled global group was changed. | -| 4754 | A security-enabled universal group was created.| -| 4755 | A security-enabled universal group was changed. | -| 4756 | A member was added to a security-enabled universal group.| -| 4757 | A member was removed from a security-enabled universal group.| -| 4758 | A security-enabled universal group was deleted. | -| 4764 | A group's type was changed. | +- Member is added or removed from a security group. -## Related topics +- Group type is changed. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | + +**Events List:** + +- [4731](event-4731.md)(S): A security-enabled local group was created. + +- [4732](event-4732.md)(S): A member was added to a security-enabled local group. + +- [4733](event-4733.md)(S): A member was removed from a security-enabled local group. + +- [4734](event-4734.md)(S): A security-enabled local group was deleted. + +- [4735](event-4735.md)(S): A security-enabled local group was changed. + +- [4764](event-4764.md)(S): A group’s type was changed. + +- [4799](event-4799.md)(S): A security-enabled local group membership was enumerated. + +**4727(S): A security-enabled global group was created.** See event “[4731](event-4731.md): A security-enabled local group was created.” Event 4727 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**Important:** this event generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply. + +**4737(S): A security-enabled global group was changed.** See event “[4735](event-4735.md): A security-enabled local group was changed.” Event 4737 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**Important:** this event generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply. + +**4728(S): A member was added to a security-enabled global group.** See event “[4732](event-4732.md): A member was added to a security-enabled local group.” Event 4728 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. 
The type of group is the only difference. + +**Important:** this event generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply. + +**4729(S): A member was removed from a security-enabled global group.** See event “[4733](event-4733.md): A member was removed from a security-enabled local group.” Event 4729 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**Important:** this event generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply. + +**4730(S): A security-enabled global group was deleted.** See event “[4734](event-4734.md): A security-enabled local group was deleted.” Event 4730 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**Important:** this event generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply. + +**4754(S): A security-enabled universal group was created.** See event “[4731](event-4731.md): A security-enabled local group was created.”. Event 4754 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**Important:** this event generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply. + +**4755(S): A security-enabled universal group was changed.** See event “[4735](event-4735.md): A security-enabled local group was changed.”. Event 4737 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. 
The type of group is the only difference. + +**Important:** this event generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply. + +**4756(S): A member was added to a security-enabled universal group.** See event “[4732](event-4732.md): A member was added to a security-enabled local group.”. Event 4756 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**Important:** this event generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply. + +**4757(S): A member was removed from a security-enabled universal group.** See event “[4733](event-4733.md): A member was removed from a security-enabled local group.”. Event 4757 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**Important:** this event generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply. + +**4758(S): A security-enabled universal group was deleted.** See event “[4734](event-4734.md): A security-enabled local group was deleted.”. Event 4758 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**Important:** this event generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-security-state-change.md b/windows/keep-secure/audit-security-state-change.md index efda133f49..54492ea27c 100644 --- a/windows/keep-secure/audit-security-state-change.md 
+++ b/windows/keep-secure/audit-security-state-change.md 
@@ -2,44 +2,37 @@ title: Audit Security State Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system. ms.assetid: decb3218-a67d-4efa-afc0-337c79a89a2d -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Security State Change **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Security State Change**, which determines whether Windows generates audit events for changes in the security state of a system. -Changes in the security state of the operating system include: +Audit Security State Change contains Windows startup, recovery, and shutdown events, and information about changes in system time. -- System startup and shutdown. -- Change of system time. -- System recovery from **CrashOnAuditFail**. This event is logged after a system reboots following **CrashOnAuditFail**. +**Event volume**: Low. - > **Important:**  Some auditable activity may not be recorded when a system restarts due to **CrashOnAuditFail**. -   -System startup and shutdown events are important for understanding system usage. 
+| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | The volume of events in this subcategory is very low and all of them are important events and have security relevance.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | Yes | No | Yes | No | The volume of events in this subcategory is very low and all of them are important events and have security relevance.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | Yes | No | Yes | No | The volume of events in this subcategory is very low and all of them are important events and have security relevance.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -Event volume: Low +**Events List:** -Default: Success +- [4608](event-4608.md)(S): Windows is starting up. -| Event ID | Event message summary | Minimum requirement | -| - | - | - | -| 4608 | Windows is starting up. | Windows Vista, Windows Server 2008 | -| 4609 | Windows is shutting down. | Windows Vista, Windows Server 2008 | -| 4616 | The system time was changed.| Windows Vista, Windows Server 2008 | -| 4621 | Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.| Windows Vista, Windows Server 2008 | -  -## Related topics +- [4616](event-4616.md)(S): The system time was changed. + +- [4621](event-4621.md)(S): Administrator recovered system from CrashOnAuditFail. + +>**Note**  Event **4609(S): Windows is shutting down** currently doesn’t generate. It is a defined event, but it is never invoked by the operating system. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-security-system-extension.md b/windows/keep-secure/audit-security-system-extension.md index e605195736..b340e3efe0 100644 --- a/windows/keep-secure/audit-security-system-extension.md +++ b/windows/keep-secure/audit-security-system-extension.md 
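Review bot: the new 4621 entry loses the caveat the old text carried. The removed bullet "System recovery from **CrashOnAuditFail**. This event is logged after a system reboots following **CrashOnAuditFail**" and the removed note "Some auditable activity may not be recorded when a system restarts due to **CrashOnAuditFail**" are not reproduced anywhere in the rewritten body, so a reader no longer learns that audit data can be missing around that event; keep one sentence to that effect after the Events List. Two smaller points: "Applies to" swaps Windows 10 Mobile for Windows Server 2016 with no explanation, so confirm Mobile is intentionally no longer covered, and the old "Default: Success" line is removed with no replacement (here and in the other files in this patch), so the default state of the subcategory is no longer documented.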
@@ -2,43 +2,47 @@ title: Audit Security System Extension (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security System Extension, which determines whether the operating system generates audit events related to security system extensions. ms.assetid: 9f3c6bde-42b2-4a0a-b353-ed3106ebc005 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Security System Extension **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Security System Extension**, which determines whether the operating system generates audit events related to security system extensions. + +Audit Security System Extension contains information about the loading of an authentication package, notification package, or security package, plus information about trusted logon process registration events. Changes to security system extensions in the operating system include the following activities: -- A security extension code is loaded (such as an authentication, notification, or security package). A security extension code registers with the Local Security Authority and will be used and trusted to authenticate logon attempts, submit logon requests, and be notified of any account or password changes. Examples of this extension code are Security Support Providers, such as Kerberos and NTLM. + +- Security extension code is loaded (for example, an authentication, notification, or security package). Security extension code registers with the Local Security Authority and will be used and trusted to authenticate logon attempts, submit logon requests, and be notified of any account or password changes. Examples of this extension code are Security Support Providers, such as Kerberos and NTLM. 
+ - A service is installed. An audit log is generated when a service is registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. -> **Important:**  Attempts to install or load security system extensions or services are critical system events that could indicate a security breach. -  -Event volume: Low +Attempts to install or load security system extensions or services are critical system events that could indicate a security breach. -These events are expected to appear more on a domain controller than on client computers or member servers. +**Event volume**: Low. -Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events we strongly recommend monitoring a whitelist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should have “SYSTEM” as value for **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events we strongly recommend monitoring a whitelist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events we strongly recommend monitoring a whitelist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Event ID | Event message | -| - | - | -| 4610 | An authentication package has been loaded by the Local Security Authority. | -| 4611 | A trusted logon process has been registered with the Local Security Authority.| -| 4614 | A notification package has been loaded by the Security Account Manager. | -| 4622 | A security package has been loaded by the Local Security Authority. | -| 4697 | A service was installed in the system. | -  -## Related topics +**Events List:** + +- [4610](event-4610.md)(S): An authentication package has been loaded by the Local Security Authority. + +- [4611](event-4611.md)(S): A trusted logon process has been registered with the Local Security Authority. + +- [4614](event-4614.md)(S): A notification package has been loaded by the Security Account Manager. + +- [4622](event-4622.md)(S): A security package has been loaded by the Local Security Authority. + +- [4697](event-4697.md)(S): A service was installed in the system. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-sensitive-privilege-use.md b/windows/keep-secure/audit-sensitive-privilege-use.md index 2c7cd5a902..220187fc5b 100644 --- a/windows/keep-secure/audit-sensitive-privilege-use.md +++ b/windows/keep-secure/audit-sensitive-privilege-use.md 
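Review bot: in the Comments column of all three rows, "a whitelist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages)" should read "authentication packages", matching event 4610 "An authentication package has been loaded by the Local Security Authority." The Domain Controller row also differs from the other two in wording ("should have “SYSTEM” as value for" versus "should display “SYSTEM” for"); make the three rows identical since they carry the same advice. The removed sentence "These events are expected to appear more on a domain controller than on client computers or member servers" is useful sizing information and has no replacement in the new text; consider restoring it next to "**Event volume**: Low."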
@@ -2,51 +2,70 @@ title: Audit Sensitive Privilege Use (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Sensitive Privilege Use, which determines whether the operating system generates audit events when sensitive privileges (user rights) are used. ms.assetid: 915abf50-42d2-45f6-9fd1-e7bd201b193d -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Sensitive Privilege Use **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Sensitive Privilege Use**, which determines whether the operating system generates audit events when sensitive privileges (user rights) are used. -Actions that can be audited include: -- A privileged service is called. -- One of the following privileges is called: - - **Act as part of the operating system** - - **Back up files and directories** - - **Create a token object** - - **Debug programs** - - **Enable computer and user accounts to be trusted for delegation** - - **Generate security audits** - - **Impersonate a client after authentication** - - **Load and unload device drivers** - - **Manage auditing and security log** - - **Modify firmware environment values** - - **Replace a process-level token** - - **Restore files and directories** - - **Take ownership of files or other objects** +Audit Sensitive Privilege Use contains events that show the usage of sensitive privileges. 
This is the list of sensitive privileges: + +- Act as part of the operating system + +- Back up files and directories + +- Restore files and directories + +- Create a token object + +- Debug programs + +- Enable computer and user accounts to be trusted for delegation + +- Generate security audits + +- Impersonate a client after authentication + +- Load and unload device drivers + +- Manage auditing and security log + +- Modify firmware environment values + +- Replace a process-level token + +- Take ownership of files or other objects + +The use of two privileges, “Back up files and directories” and “Restore files and directories,” generate events only if the “[Audit: Audit the use of Backup and Restore privilege](https://technet.microsoft.com/en-us/library/jj852206.aspx)” Group Policy setting is enabled on the computer or device. We do not recommend enabling this Group Policy setting because of the high number of events recorded. + +This subcategory also contains informational events from the file system Transaction Manager. If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful attempts, and failure audits record unsuccessful attempts. -Event volume: High +**Event volume**: High. -Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | Yes | Yes | Yes | We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account. 
| +| Member Server | Yes | Yes | Yes | Yes | We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account. | +| Workstation | Yes | Yes | Yes | Yes | We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account. | + +**Events List:** + +- [4673](event-4673.md)(S, F): A privileged service was called. + +- [4674](event-4674.md)(S, F): An operation was attempted on a privileged object. + +- [4985](event-4985.md)(S): The state of a transaction has changed. + +>**Note**  For some reason event “[4985](event-4985.md)(S): The state of a transaction has changed" from [Audit File System](audit-file-system.md) subcategory generates also in this subcategory. See description of event [4985](event-4985.md) in [Audit File System](audit-file-system.md) subcategory. -| Event ID | Event message | -| - | - | -| 4672 | Special privileges assigned to new logon.| -| 4673 | A privileged service was called. | -| 4674 | An operation was attempted on a privileged object.| -  -## Related topics -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md index 5ce9aeecf7..0cd45cc597 100644 --- a/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md +++ b/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md 
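Review bot: subject and verb disagree in "The use of two privileges, “Back up files and directories” and “Restore files and directories,” generate events only if"; the subject is "The use", so it should be "generates". The closing Note ("For some reason event 4985 ... generates also in this subcategory") reads as a draft; suggest "Event 4985(S): The state of a transaction has changed, documented under Audit File System, is also generated in this subcategory." Also, 4672 is dropped from this Events List (the removed table had "| 4672 | Special privileges assigned to new logon.|") and reappears under Audit Special Logon later in this patch; a one-line pointer here saying it is now listed under Audit Special Logon would save readers searching for it.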
@@ -2,7 +2,7 @@ title: Audit Shut down system immediately if unable to log security audits (Windows 10) description: Describes the best practices, location, values, management practices, and security considerations for the Audit Shut down system immediately if unable to log security audits security policy setting. ms.assetid: 2cd23cd9-0e44-4d0b-a1f1-39fc29303826 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-special-logon.md b/windows/keep-secure/audit-special-logon.md index 439cf91d3d..2838689d0f 100644 --- a/windows/keep-secure/audit-special-logon.md +++ b/windows/keep-secure/audit-special-logon.md 
@@ -2,38 +2,43 @@ title: Audit Special Logon (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Special Logon, which determines whether the operating system generates audit events under special sign on (or log on) circumstances. ms.assetid: e1501bac-1d09-4593-8ebb-f311231567d3 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Special Logon **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Special Logon**, which determines whether the operating system generates audit events under special sign on (or log on) circumstances. -This security policy setting determines whether the operating system generates audit events when: +Audit Special Logon determines whether the operating system generates audit events under special sign on (or log on) circumstances. -- A special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. -- A member of a special group logs on. Special Groups is a Windows feature that enables the administrator to find out when a member of a certain group has logged on. The administrator can set a list of group security identifiers (SIDs) in the registry. If any of these SIDs is added to a token during logon and this auditing subcategory is enabled, a security event is logged. For more information about this feature, see [article 947223](http://go.microsoft.com/fwlink/p/?linkid=120183) in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/p/?linkid=120183). +This subcategory allows you to audit events generated by special logons such as the following: -Users holding special privileges can potentially make changes to the system. 
We recommend that you track their activity. +- The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. -Event volume: Low +- A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. -Default: Success +**Event volume**: -| Event ID | Event message | -| - | - | -| 4964 | Special groups have been assigned to a new logon.| -  -## Related topics +- Low on a client computer. + +- Medium on a domain controllers or network servers. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature.
At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature.
At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature.
At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | + +**Events List:** + +- [4964](event-4964.md)(S): Special groups have been assigned to a new logon. + +- [4672](event-4672.md)(S): Special privileges assigned to new logon. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-system-integrity.md b/windows/keep-secure/audit-system-integrity.md index dfc2666ebf..90bbb22cde 100644 --- a/windows/keep-secure/audit-system-integrity.md +++ b/windows/keep-secure/audit-system-integrity.md 
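Review bot: "Medium on a domain controllers or network servers" mixes a singular article with a plural noun; use "Medium on domain controllers and network servers." In the Comments column, "This subcategory is very important because of Special Groups related events, you must enable this subcategory for Success audit if you use this feature" is a comma splice; split it into two sentences and hyphenate "Special Groups-related events." The removed pointer to KB article 947223 is replaced by a blogs.technet.com post; confirm that post covers configuring the special-groups SID list in the registry, because the body still says "You can configure a list of group security identifiers (SIDs) in the registry" without saying where.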
@@ -2,51 +2,67 @@ title: Audit System Integrity (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit System Integrity, which determines whether the operating system audits events that violate the integrity of the security subsystem. ms.assetid: 942a9a7f-fa31-4067-88c7-f73978bf2034 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit System Integrity **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit System Integrity**, which determines whether the operating system audits events that violate the integrity of the security subsystem. + +Audit System Integrity determines whether the operating system audits events that violate the integrity of the security subsystem. Activities that violate the integrity of the security subsystem include the following: - Audited events are lost due to a failure of the auditing system. + - A process uses an invalid local procedure call (LPC) port in an attempt to impersonate a client, reply to a client address space, read to a client address space, or write from a client address space. + - A remote procedure call (RPC) integrity violation is detected. + - A code integrity violation with an invalid hash value of an executable file is detected. + - Cryptographic tasks are performed. -> **Important:**  Violations of security subsystem integrity are critical and could indicate a potential security attack. -  -Event volume: Low +Violations of security subsystem integrity are critical and could indicate a potential security attack. -Default: Success and failure +**Event volume**: Low. 
-| Event ID | Event message | -| - | - | -| 4612 | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. | -| 4615 | Invalid use of LPC port. | -| 4618 | A monitored security event pattern has occurred.| -| 4816 | RPC detected an integrity violation while decrypting an incoming message.| -| 5038 | Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.| -| 5056 | A cryptographic self-test was performed. | -| 5057 | A cryptographic primitive operation failed.| -| 5060 | Verification operation failed. | -| 5061 | Cryptographic operation. | -| 5062 | A kernel-mode cryptographic self-test was performed.| -| 6281 | Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. 
The invalid hashes could indicate a potential disk device error.| -  -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.
The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) failure events. | +| Member Server | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.
The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) failure events. | +| Workstation | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.
The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) failure events. | + +**Events List:** + +- [4612](event-4612.md)(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. + +- [4615](event-4615.md)(S): Invalid use of LPC port. + +- [4618](event-4618.md)(S): A monitored security event pattern has occurred. + +- [4816](event-4816.md)(S): RPC detected an integrity violation while decrypting an incoming message. + +- [5038](event-5038.md)(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. + +- [5056](event-5056.md)(S): A cryptographic self-test was performed. + +- [5062](event-5062.md)(S): A kernel-mode cryptographic self-test was performed. + +- [5057](event-5057.md)(F): A cryptographic primitive operation failed. + +- [5060](event-5060.md)(F): Verification operation failed. + +- [5061](event-5061.md)(S, F): Cryptographic operation. + +- [6281](event-6281.md)(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. + +- [6410](event-6410.md)(F): Code integrity determined that a file does not meet the security requirements to load into a process. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-user-account-management.md b/windows/keep-secure/audit-user-account-management.md index 1f05f3085b..e641522e84 100644 --- a/windows/keep-secure/audit-user-account-management.md +++ b/windows/keep-secure/audit-user-account-management.md 
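Review bot: the Comments column contradicts itself in all three rows. It first says Success auditing is recommended for RPC integrity violations and 4612, then continues "However, if you are planning to manually invoke “4618(S) ...”, then you also need to enable Success auditing for this subcategory"; "However" and "also" present this as an alternative condition, but Success auditing is already the recommendation. Rephrase as "Success auditing is also needed if you plan to invoke 4618 manually." The Events List is out of numeric order (5062 sits between 5056 and 5057); either keep ascending order or group the self-test events deliberately and say so. Finally, "Cryptographic tasks are performed" is kept under "Activities that violate the integrity of the security subsystem", yet a successful 5061 cryptographic operation is not a violation; move that bullet into a separate sentence about informational events in this subcategory.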
@@ -2,56 +2,81 @@ title: Audit User Account Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit User Account Management, which determines whether the operating system generates audit events when specific user account management tasks are performed. ms.assetid: f7e72998-3858-4197-a443-19586ecc4bfb -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit User Account Management **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit User Account Management**, which determines whether the operating system generates audit events when specific user account management tasks are performed. -Tasks that are audited for user account management include: +Audit User Account Management determines whether the operating system generates audit events when specific user account management tasks are performed. + +**Event volume**: Low. + +This policy setting allows you to audit changes to user accounts. Events include the following: + +- A user account is created, changed, deleted, renamed, disabled, enabled, locked out or unlocked. + +- A user account’s password is set or changed. + +- A security identifier (SID) is added to the SID History of a user account, or fails to be added. + +- The Directory Services Restore Mode password is configured. + +- Permissions on administrative user accounts are changed. + +- A user's local group membership was enumerated. -- A user account is created, changed, deleted, renamed, disabled, enabled, locked out, or unlocked. -- A user account password is set or changed. -- Security identifier (SID) history is added to a user account. -- The Directory Services Restore Mode password is set. 
-- Permissions are changed on accounts that are members of administrator groups. - Credential Manager credentials are backed up or restored. -This policy setting is essential for tracking events that involve provisioning and managing user accounts. +Some events in this subcategory, for example 4722, 4725, 4724, and 4781, are also generated for computer accounts. -Event volume: Low +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | Yes | Yes | Yes | This subcategory contains many useful events for monitoring, especially for critical domain accounts, such as domain admins, service accounts, database admins, and so on.
We recommend Failure auditing, mostly to see invalid password change and reset attempts for domain accounts, DSRM account password change failures, and failed SID History add attempts. | +| Member Server | Yes | Yes | Yes | Yes | We recommend monitoring all changes related to local user accounts, especially built-in local Administrator and other critical accounts.
We recommend Failure auditing, mostly to see invalid password change and reset attempts for local accounts. | +| Workstation | Yes | Yes | Yes | Yes | We recommend monitoring all changes related to local user accounts, especially built-in local Administrator and other critical accounts.
We recommend Failure auditing, mostly to see invalid password change and reset attempts for local accounts. | -Default: Success +**Events List:** -| Event ID | Event message | -| - | - | -| 4720 | A user account was created. | -| 4722 | A user account was enabled. | -| 4723 | An attempt was made to change an account's password.| -| 4724 | An attempt was made to reset an account's password. | -| 4725 | A user account was disabled. | -| 4726 | A user account was deleted. | -| 4738 | A user account was changed. | -| 4740 | A user account was locked out.| -| 4765 | SID History was added to an account.| -| 4766 | An attempt to add SID History to an account failed.| -| 4767 | A user account was unlocked. | -| 4780 | The ACL was set on accounts which are members of administrators groups.| -| 4781 | The name of an account was changed: | -| 4794 | An attempt was made to set the Directory Services Restore Mode.| -| 5376 | Credential Manager credentials were backed up. | -| 5377 | Credential Manager credentials were restored from a backup.| -  -## Related topics +- [4720](event-4720.md)(S): A user account was created. + +- [4722](event-4722.md)(S): A user account was enabled. + +- [4723](event-4723.md)(S, F): An attempt was made to change an account's password. + +- [4724](event-4724.md)(S, F): An attempt was made to reset an account's password. + +- [4725](event-4725.md)(S): A user account was disabled. + +- [4726](event-4726.md)(S): A user account was deleted. + +- [4738](event-4738.md)(S): A user account was changed. + +- [4740](event-4740.md)(S): A user account was locked out. + +- [4765](event-4765.md)(S): SID History was added to an account. + +- [4766](event-4766.md)(F): An attempt to add SID History to an account failed. + +- [4767](event-4767.md)(S): A user account was unlocked. + +- [4780](event-4780.md)(S): The ACL was set on accounts which are members of administrators groups. + +- [4781](event-4781.md)(S): The name of an account was changed. 
+ +- [4794](event-4794.md)(S, F): An attempt was made to set the Directory Services Restore Mode administrator password. + +- [4798](event-4798.md)(S): A user's local group membership was enumerated. + +- [5376](event-5376.md)(S): Credential Manager credentials were backed up. + +- [5377](event-5377.md)(S): Credential Manager credentials were restored from a backup. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/audit-user-device-claims.md b/windows/keep-secure/audit-user-device-claims.md index 254bfb2c7d..69c9dc94c2 100644 --- a/windows/keep-secure/audit-user-device-claims.md +++ b/windows/keep-secure/audit-user-device-claims.md 
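Review bot: the rewritten "Events include the following" list drops the Credential Manager backup/restore item, yet 5376 and 5377 are still in the Events List below, so the two lists no longer agree; either keep a bullet such as `- Credential Manager credentials are backed up or restored.` or remove those two events. Minor wording in the same hunk: the 4780 entry `The ACL was set on accounts which are members of administrators groups.` should read `...members of administrator groups`, and the example list `4722, 4725, 4724, and 4781` reads better in numeric order. The Related topics link back to advanced-security-audit-policy-settings.md is also removed here; if the new template intentionally drops it, fine, otherwise restore it.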
@@ -2,63 +2,39 @@ title: Audit User/Device Claims (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit User/Device Claims, which enables you to audit security events that are generated by user and device claims. ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486 -ms.prod: W10 +ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit User/Device Claims **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit User/Device Claims**, which enables you to audit security events that are generated by user and device claims. -Event volume: +Audit User/Device Claims allows you to audit user and device claims information in the account’s logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. -Default: Not configured +For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. - ---- - - - - - - - - - - - - -
Event IDEvent message

4626

User / Device claims information.

-

Subject:

-

Security ID: %1

-

Account Name: %2

-

Account Domain: %3

-

Logon ID: %4

-

Logon Type:%9

-

New Logon:

-

Security ID: %5

-

Account Name: %6

-

Account Domain: %7

-

Logon ID: %8

-

Event in sequence: %10 of %11

-

User Claims: %12

-

Device Claims: %13

-

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

-

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

-

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

-

This event is generated when the Audit User/Device claims subcategory is configured and the user’s logon token contains user/device claims information. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.

-  -## Related topics +***Important***: [Audit Logon](audit-logon.md) subcategory must also be enabled in order to get events from this subcategory. + +**Event volume**: + +- Low on a client computer. + +- Medium on a domain controller or network servers. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | No | IF | No | IF – if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | IF | No | IF | No | IF – if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | IF | No | IF | No | IF – if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | + +**Events List:** + +- [4626](event-4626.md)(S): User/Device claims information. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  diff --git a/windows/keep-secure/back-up-files-and-directories.md b/windows/keep-secure/back-up-files-and-directories.md index 2cddb14842..6f6a7b8805 100644 --- a/windows/keep-secure/back-up-files-and-directories.md +++ b/windows/keep-secure/back-up-files-and-directories.md @@ -2,7 +2,7 @@ title: Back up files and directories (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting. ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md index 5f46d91a0d..aee1050952 100644 --- a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md +++ b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md @@ -2,7 +2,7 @@ title: Backup the TPM recovery Information to AD DS (Windows 10) description: This topic for the IT professional describes how to back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS) so that you can use AD DS to administer the TPM from a remote computer. ms.assetid: 62bcec80-96a1-464e-8b3f-d177a7565ac5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-account-logon-events.md b/windows/keep-secure/basic-audit-account-logon-events.md index 4bfa89fd5b..392a87e381 100644 --- a/windows/keep-secure/basic-audit-account-logon-events.md 
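Review bot: `***Important***:` uses triple asterisks, which renders as bold-italic and does not match the `**Event volume**:` style used in this file or the `>**Note:**` blockquote style used elsewhere in this PR; "Audit Logon subcategory" also needs an article, e.g. `**Important**: The [Audit Logon](audit-logon.md) subcategory must also be enabled in order to get events from this subcategory.` The removed table carried the field-level description of 4626 (Subject, Logon Type, New Logon, Event in sequence, User Claims, Device Claims) and the guidance that the Logon ID correlates this event with the logon session; that content now survives only if event-4626.md, which is not part of this diff, already exists, so please confirm the link target. As in the previous file, the Related topics link to advanced-security-audit-policy-settings.md is dropped; keep it unless the new template deliberately omits it.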
+++ b/windows/keep-secure/basic-audit-account-logon-events.md @@ -2,7 +2,7 @@ title: Audit account logon events (Windows 10) description: Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account. ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-account-management.md b/windows/keep-secure/basic-audit-account-management.md index ee0cf33722..364a455ec2 100644 --- a/windows/keep-secure/basic-audit-account-management.md +++ b/windows/keep-secure/basic-audit-account-management.md @@ -2,7 +2,7 @@ title: Audit account management (Windows 10) description: Determines whether to audit each event of account management on a device. ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-directory-service-access.md b/windows/keep-secure/basic-audit-directory-service-access.md index 0d48b78b27..b377adcecc 100644 --- a/windows/keep-secure/basic-audit-directory-service-access.md +++ b/windows/keep-secure/basic-audit-directory-service-access.md @@ -2,7 +2,7 @@ title: Audit directory service access (Windows 10) description: Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified. ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-logon-events.md b/windows/keep-secure/basic-audit-logon-events.md index d83d80357e..143c150317 100644 --- a/windows/keep-secure/basic-audit-logon-events.md +++ b/windows/keep-secure/basic-audit-logon-events.md 
@@ -2,7 +2,7 @@ title: Audit logon events (Windows 10) description: Determines whether to audit each instance of a user logging on to or logging off from a device. ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-object-access.md b/windows/keep-secure/basic-audit-object-access.md index 6ae03e3c93..05d9500660 100644 --- a/windows/keep-secure/basic-audit-object-access.md +++ b/windows/keep-secure/basic-audit-object-access.md @@ -2,7 +2,7 @@ title: Audit object access (Windows 10) description: Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified. ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-policy-change.md b/windows/keep-secure/basic-audit-policy-change.md index 0590d832ee..9aee64c9c8 100644 --- a/windows/keep-secure/basic-audit-policy-change.md +++ b/windows/keep-secure/basic-audit-policy-change.md @@ -2,7 +2,7 @@ title: Audit policy change (Windows 10) description: Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. ms.assetid: 1025A648-6B22-4C85-9F47-FE0897F1FA31 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-privilege-use.md b/windows/keep-secure/basic-audit-privilege-use.md index 38a2117169..62d38eec12 100644 --- a/windows/keep-secure/basic-audit-privilege-use.md +++ b/windows/keep-secure/basic-audit-privilege-use.md 
@@ -2,7 +2,7 @@ title: Audit privilege use (Windows 10) description: Determines whether to audit each instance of a user exercising a user right. ms.assetid: C5C6DAAF-8B58-4DFB-B1CE-F0675AE0E9F8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-process-tracking.md b/windows/keep-secure/basic-audit-process-tracking.md index 9fd272a03c..acfe7b0fb1 100644 --- a/windows/keep-secure/basic-audit-process-tracking.md +++ b/windows/keep-secure/basic-audit-process-tracking.md @@ -2,7 +2,7 @@ title: Audit process tracking (Windows 10) description: Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. ms.assetid: 91AC5C1E-F4DA-4B16-BEE2-C92D66E4CEEA -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-system-events.md b/windows/keep-secure/basic-audit-system-events.md index 7724e17654..70674dbb21 100644 --- a/windows/keep-secure/basic-audit-system-events.md +++ b/windows/keep-secure/basic-audit-system-events.md @@ -2,7 +2,7 @@ title: Audit system events (Windows 10) description: Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. ms.assetid: BF27588C-2AA7-4365-A4BF-3BB377916447 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-firewall-policy-design.md b/windows/keep-secure/basic-firewall-policy-design.md new file mode 100644 index 0000000000..3863b0cf74 --- /dev/null +++ b/windows/keep-secure/basic-firewall-policy-design.md 
@@ -0,0 +1,66 @@ +--- +title: Basic Firewall Policy Design (Windows 10) +description: Basic Firewall Policy Design +ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Basic Firewall Policy Design + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each device in the organization. + +The Basic Firewall Policy Design helps you to protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses, or that originates from inside your network. In this design, you deploy firewall rules to each device in your organization to allow traffic that is required by the programs that are used. Traffic that does not match the rules is dropped. + +Traffic can be blocked or permitted based on the characteristics of each network packet: its source or destination IP address, its source or destination port numbers, the program on the device that receives the inbound packet, and so on. This design can also be deployed together with one or more of the other designs that add IPsec protection to the network traffic permitted. + +Many network administrators do not want to tackle the difficult task of determining all the appropriate rules for every program that is used by the organization, and then maintaining that list over time. In fact, most programs do not require specific firewall rules. The default behavior of Windows and most contemporary applications makes this task easy: + +- On client devices, the default firewall behavior already supports typical client programs. Programs create any required rules for you as part of the installation process. 
You only have to create a rule if the client program must be able to receive unsolicited inbound network traffic from another device. + +- When you install a server program that must accept unsolicited inbound network traffic, the installation program likely creates or enables the appropriate rules on the server for you. + + For example, when you install a server role, the appropriate firewall rules are created and enabled automatically. + +- For other standard network behavior, the predefined rules that are built into Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista can easily be configured in a GPO and deployed to the devices in your organization. + + For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols. + +With few exceptions, the firewall can be enabled on all configurations. Therefore, we recommended that you enable the firewall on every device in your organization. This includes servers in your perimeter network, on mobile and remote clients that connect to the network, and on all servers and clients in your internal network. + +>**Caution:**  Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. + +By default, in new installations, Windows Firewall is turned on in Windows Server 2012, Windows 8, and later. + +If you turn off the Windows Firewall with Advanced Security service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting. + +Compatible third-party firewall software can programmatically disable only the parts of Windows Firewall with Advanced Security that might need to be disabled for compatibility. 
This is the recommended approach for third-party firewalls to coexist with the Windows Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft.  + +An organization typically uses this design as a first step toward a more comprehensive Windows Firewall with Advanced Security design that adds server isolation and domain isolation. + +After implementing this design, you will have centralized management of the firewall rules applied to all devices that are running Windows in your organization. + +>**Important:**  If you also intend to deploy the [Domain Isolation Policy Design](domain-isolation-policy-design.md), or the [Server Isolation Policy Design](server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design. + +The basic firewall design can be applied to devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the firewall settings and rules. + +For more information about this design: + +- This design coincides with the deployment goal to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md). + +- To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md). + +- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). + +- To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md). 
+ +- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md). + +**Next: **[Domain Isolation Policy Design](domain-isolation-policy-design.md) diff --git a/windows/keep-secure/basic-security-audit-policies.md b/windows/keep-secure/basic-security-audit-policies.md index 0ad34f0790..1de3ff5747 100644 --- a/windows/keep-secure/basic-security-audit-policies.md +++ b/windows/keep-secure/basic-security-audit-policies.md @@ -2,7 +2,7 @@ title: Basic security audit policies (Windows 10) description: Before you implement auditing, you must decide on an auditing policy. ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-security-audit-policy-settings.md b/windows/keep-secure/basic-security-audit-policy-settings.md index eeade033ce..82989b0eee 100644 --- a/windows/keep-secure/basic-security-audit-policy-settings.md +++ b/windows/keep-secure/basic-security-audit-policy-settings.md @@ -2,7 +2,7 @@ title: Basic security audit policy settings (Windows 10) description: Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. ms.assetid: 31C2C453-2CFC-4D9E-BC88-8CE1C1A8F900 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bcd-settings-and-bitlocker.md b/windows/keep-secure/bcd-settings-and-bitlocker.md index bee0c9e8f3..ccd9afd831 100644 --- a/windows/keep-secure/bcd-settings-and-bitlocker.md +++ b/windows/keep-secure/bcd-settings-and-bitlocker.md 
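Review bot: `**Next: **[Domain Isolation Policy Design](...)` has a space before the closing `**`, which CommonMark does not accept as an emphasis delimiter, so the asterisks will render literally; use `**Next:** [Domain Isolation Policy Design](domain-isolation-policy-design.md)`. Typos in the same hunk: `third-party party firewalls` (duplicated word), `we recommended that you enable the firewall` (should be `we recommend`), and `malicious traffic in to the organization's network` (`into`). The predefined-rules bullet names Windows Server 2012, 2008 R2, 2008, Windows 8, 7 and Vista but not Windows 10 or Windows Server 2016 Technical Preview, which the Applies to block lists; add them or say "and later" so the page is consistent with its own scope.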
@@ -2,7 +2,7 @@ title: BCD settings and BitLocker (Windows 10) description: This topic for IT professionals describes the BCD settings that are used by BitLocker. ms.assetid: c4ab7ac9-16dc-4c7e-b061-c0b0deb2c4fa -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-basic-deployment.md b/windows/keep-secure/bitlocker-basic-deployment.md index e63322f296..b83692c713 100644 --- a/windows/keep-secure/bitlocker-basic-deployment.md +++ b/windows/keep-secure/bitlocker-basic-deployment.md @@ -2,7 +2,7 @@ title: BitLocker basic deployment (Windows 10) description: This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. ms.assetid: 97c646cb-9e53-4236-9678-354af41151c4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-countermeasures.md b/windows/keep-secure/bitlocker-countermeasures.md index 687bf6047b..7e1f6c7414 100644 --- a/windows/keep-secure/bitlocker-countermeasures.md +++ b/windows/keep-secure/bitlocker-countermeasures.md @@ -2,7 +2,7 @@ title: BitLocker Countermeasures (Windows 10) description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key. ms.assetid: ebdb0637-2597-4da1-bb18-8127964686ea -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-frequently-asked-questions.md b/windows/keep-secure/bitlocker-frequently-asked-questions.md index 4d179869fb..23dc64932f 100644 --- a/windows/keep-secure/bitlocker-frequently-asked-questions.md +++ b/windows/keep-secure/bitlocker-frequently-asked-questions.md 
@@ -2,7 +2,7 @@ title: BitLocker frequently asked questions (FAQ) (Windows 10) description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-group-policy-settings.md b/windows/keep-secure/bitlocker-group-policy-settings.md index 77412bda71..8d3864a681 100644 --- a/windows/keep-secure/bitlocker-group-policy-settings.md +++ b/windows/keep-secure/bitlocker-group-policy-settings.md @@ -2,7 +2,7 @@ title: BitLocker Group Policy settings (Windows 10) description: This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. ms.assetid: 4904e336-29fe-4cef-bb6c-3950541864af -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md b/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md index e7035aa4e8..e57e269aff 100644 --- a/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md @@ -2,7 +2,7 @@ title: BitLocker How to deploy on Windows Server 2012 and later (Windows 10) description: This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later. ms.assetid: 91c18e9e-6ab4-4607-8c75-d983bbe2542f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md index 37e9e8b02d..16e0aa12b2 100644 --- a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md 
+++ b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md @@ -2,7 +2,7 @@ title: BitLocker How to enable Network Unlock (Windows 10) description: This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. ms.assetid: be45bc28-47db-4931-bfec-3c348151d2e9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-overview.md b/windows/keep-secure/bitlocker-overview.md index 897f3dd747..58f3047141 100644 --- a/windows/keep-secure/bitlocker-overview.md +++ b/windows/keep-secure/bitlocker-overview.md @@ -2,7 +2,7 @@ title: BitLocker (Windows 10) description: This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. ms.assetid: 40526fcc-3e0d-4d75-90e0-c7d0615f33b2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-recovery-guide-plan.md b/windows/keep-secure/bitlocker-recovery-guide-plan.md index 80df5a2c52..61d362d1a3 100644 --- a/windows/keep-secure/bitlocker-recovery-guide-plan.md +++ b/windows/keep-secure/bitlocker-recovery-guide-plan.md @@ -2,7 +2,7 @@ title: BitLocker recovery guide (Windows 10) description: This topic for IT professionals describes how to recover BitLocker keys from AD DS. ms.assetid: d0f722e9-1773-40bf-8456-63ee7a95ea14 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index a20d25ff66..8d48b8aff4 100644 --- a/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md 
@@ -2,7 +2,7 @@ title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker (Windows 10) description: This topic for the IT professional describes how to use tools to manage BitLocker. ms.assetid: e869db9c-e906-437b-8c70-741dd61b5ea6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/keep-secure/bitlocker-use-bitlocker-recovery-password-viewer.md index 61521699b2..850c7507b0 100644 --- a/windows/keep-secure/bitlocker-use-bitlocker-recovery-password-viewer.md +++ b/windows/keep-secure/bitlocker-use-bitlocker-recovery-password-viewer.md @@ -2,7 +2,7 @@ title: BitLocker Use BitLocker Recovery Password Viewer (Windows 10) description: This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. ms.assetid: 04c93ac5-5dac-415e-b636-de81435753a2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/block-untrusted-fonts-in-enterprise.md b/windows/keep-secure/block-untrusted-fonts-in-enterprise.md index 032ef98517..83a3f113a9 100644 --- a/windows/keep-secure/block-untrusted-fonts-in-enterprise.md +++ b/windows/keep-secure/block-untrusted-fonts-in-enterprise.md @@ -2,9 +2,10 @@ title: Block untrusted fonts in an enterprise (Windows 10) description: To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. ms.assetid: a3354c8e-4208-4be6-bc19-56a572c361b4 -keywords: ["font blocking", "untrusted font blocking", "block fonts", "untrusted fonts"] -ms.prod: W10 +keywords: font blocking, untrusted font blocking, block fonts, untrusted fonts +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: security ms.sitesec: library author: eross-msft --- 
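Review bot: in block-untrusted-fonts-in-enterprise.md the `keywords:` value changes from a YAML flow sequence (`["font blocking", ...]`) to a plain comma-separated scalar; confirm that is the form the docs build expects for this key, since a type it does not recognise could be ignored without an error.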
diff --git a/windows/keep-secure/boundary-zone-gpos.md b/windows/keep-secure/boundary-zone-gpos.md new file mode 100644 index 0000000000..66865b93a6 --- /dev/null +++ b/windows/keep-secure/boundary-zone-gpos.md 
@@ -0,0 +1,28 @@ +--- +title: Boundary Zone GPOs (Windows 10) +description: Boundary Zone GPOs +ms.assetid: 1ae66088-02c3-47e4-b7e8-74d0b8f8646e +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Boundary Zone GPOs + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section. + +>**Note:**  If you are designing GPOs for at least Windows Vista or Windows Server 2008, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group. + +This means that you create a GPO for a boundary group for a specific operating system by copying and pasting the corresponding GPO for the isolated domain, and then modifying the new copy to provide the behavior required in the boundary zone. + +The boundary zone GPOs discussed in this guide are only for server versions of Windows because client devices are not expected to participate in the boundary zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing boundary zone GPOs to make it apply to the client version of Windows. 
+ +In the Woodgrove Bank example, only the GPO settings for a Web service on at least Windows Server 2008 are discussed. + +- [GPO\_DOMISO\_Boundary\_WS2008](gpo-domiso-boundary.md) diff --git a/windows/keep-secure/boundary-zone.md b/windows/keep-secure/boundary-zone.md new file mode 100644 index 0000000000..b44e15fdc1 --- /dev/null +++ b/windows/keep-secure/boundary-zone.md 
@@ -0,0 +1,63 @@ +--- +title: Boundary Zone (Windows 10) +description: Boundary Zone +ms.assetid: ed98b680-fd24-44bd-a7dd-26c522e45a20 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Boundary Zone + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +In most organizations, some devices must be able to receive network traffic from devices that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain. + +Devices in the boundary zone are trusted devices that can accept communication requests both from other isolated domain member devices and from untrusted devices. Boundary zone devices try to authenticate any incoming request by using IPsec, initiating an IKE negotiation with the originating device. + +The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but do not require it. + +Because these boundary zone devices can receive unsolicited inbound communications from untrusted devices that use plaintext, they must be carefully managed and secured in other ways. Mitigating this additional risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone can help ensure that the additional risk is minimized. The following illustration shows a sample process that can help make such a decision. + +![design flowchart](images/wfas-designflowchart1.gif) + +The goal of this process is to determine whether the risk of adding a device to a boundary zone can be mitigated to a level that makes it acceptable to the organization. Ultimately, if the risk cannot be mitigated, membership must be denied. 
+ +You must create a group in Active Directory to contain the members of the boundary zones. The settings and rules for the boundary zone are typically very similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. The primary difference is that the authentication connection security rule must be set to request authentication for both inbound and outbound traffic, instead of requiring inbound authentication and requesting outbound authentication as used by the isolated domain. + +Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. + +## GPO settings for boundary zone servers running at least Windows Server 2008 + + +The boundary zone GPO for devices running at least Windows Server 2008 should include the following: + +- IPsec default settings that specify the following options: + + 1. Exempt all ICMP traffic from IPsec. + + 2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems. + + 3. Data protection (quick mode) algorithm combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.. + + If any NAT devices are present on your networks, use ESP encapsulation. If isolated domain members must communicate with hosts in the encryption zone, ensure that you include algorithms that are compatible with the requirements of the encryption mode policies. + + 4. Authentication methods. Include at least device-based Kerberos V5 authentication. 
If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5, you must include certificate-based authentication as an optional authentication method. + +- The following connection security rules: + + - A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. + + - A connection security rule, from **Any IP address** to **Any IP address**, that requests inbound and outbound authentication. + +- A registry policy that includes the following values: + + - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. + + >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) + +**Next: **[Encryption Zone](encryption-zone.md) diff --git a/windows/keep-secure/bypass-traverse-checking.md b/windows/keep-secure/bypass-traverse-checking.md index d07fea0ff5..60df8885da 100644 --- a/windows/keep-secure/bypass-traverse-checking.md +++ b/windows/keep-secure/bypass-traverse-checking.md 
@@ -2,7 +2,7 @@ title: Bypass traverse checking (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Bypass traverse checking security policy setting. ms.assetid: 1c828655-68d3-4140-aa0f-caa903a7087e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/certificate-based-isolation-policy-design-example.md b/windows/keep-secure/certificate-based-isolation-policy-design-example.md new file mode 100644 index 0000000000..8b5e59db2e --- /dev/null +++ b/windows/keep-secure/certificate-based-isolation-policy-design-example.md 
@@ -0,0 +1,52 @@ +--- +title: Certificate-based Isolation Policy Design Example (Windows 10) +description: Certificate-based Isolation Policy Design Example +ms.assetid: 509b513e-dd49-4234-99f9-636fd2f749e3 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Certificate-based Isolation Policy Design Example + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). + +One of the servers that must be included in the domain isolation environment is a device running UNIX that supplies other information to the WGBank dashboard program running on the client devices. This device sends updated information to the WGBank front-end servers as it becomes available, so it is considered unsolicited inbound traffic to the devices that receive this information. + +## Design requirements + +One possible solution to this is to include an authentication exemption rule in the GPO applied to the WGBank front-end servers. This rule would instruct the front-end servers to accept traffic from the non-Windows device even though it cannot authenticate. + +A more secure solution, and the one selected by Woodgrove Bank, is to include the non-Windows device in the domain isolation design. Because it cannot join an Active Directory domain, Woodgrove Bank chose to use certificate-based authentication. Certificates are cryptographically-protected documents, encrypted in such a way that their origin can be positively confirmed. + +In this case, Woodgrove Bank used Active Directory Certificate Services to create the appropriate certificate. 
They might also have acquired and installed a certificate from a third-party commercial certification authority. They then used Group Policy to deploy the certificate to the front-end servers. The GPOs applied to the front-end servers also include updated connection security rules that permit certificate-based authentication in addition to Kerberos V5 authentication. They then manually installed the certificate on the UNIX server. + +The UNIX server is configured with firewall and IPsec connection security rules using the tools that are provided by the operating system vendor. Those rules specify that authentication is performed by using the certificate. + +The creation of the IPsec connection security rules for a non-Windows device is beyond the scope of this document, but support for a certificate that can be used to authenticate such a non-Windows device by using the standard IPsec protocols is the subject of this design. + +The non-Windows device can be effectively made a member of the boundary zone or the encryption zone based on the IPsec rules applied to the device. The only constraint is that the main mode and quick mode encryption algorithms supported by the UNIX device must also be supported by the Windows-based devices with which it communicates. + +**Other traffic notes:** + +- None of the capabilities of the other designs discussed in this guide are compromised by the use of certificate authentication by a non-Windows device. + +## Design details + +Woodgrove Bank uses Active Directory groups and GPOs to deploy the domain isolation settings and rules to the devices in their organization. + +The inclusion of one or more non-Windows devices to the network requires only a simple addition to the GPOs for devices that must communicate with the non-Windows device. The addition is allowing certificate-based authentication in addition to the Active Directory–supported Kerberos V5 authentication. 
This does not require including new rules, just adding certificate-based authentication as an option to the existing rules. + +When multiple authentication methods are available, two negotiating devices agree on the first one in their lists that match. Because the majority of the devices in Woodgrove Bank's network run Windows, Kerberos V5 is listed as the first authentication method in the rules. Certificate-based authentication is added as an alternate authentication type. + +By using the Active Directory Users and Computers snap-in, Woodgrove Bank created a group named NAG\_COMPUTER\_WGBUNIX. They then added the device accounts to this group for Windows devices that need to communicate with the non-Windows devices. If all the devices in the isolated domain need to be able to access the non-Windows devices, then the **Domain Computers** group can be added to the group as a member. + +Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local device. + +**Next: **[Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) diff --git a/windows/keep-secure/certificate-based-isolation-policy-design.md b/windows/keep-secure/certificate-based-isolation-policy-design.md new file mode 100644 index 0000000000..8d0483f776 --- /dev/null +++ b/windows/keep-secure/certificate-based-isolation-policy-design.md 
@@ -0,0 +1,40 @@ +--- +title: Certificate-based Isolation Policy Design (Windows 10) +description: Certificate-based Isolation Policy Design +ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Certificate-based Isolation Policy Design + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic. + +Domain isolation and server isolation help provide security for the devices on the network that run Windows and that can be joined to an Active Directory domain. However, in most corporate environments there are typically some devices that must run another operating system. These devices cannot join an Active Directory domain, without a third-party package being installed. Also, some devices that do run Windows cannot join a domain for a variety of reasons. To rely on Kerberos V5 as the authentication protocol, the device needs to be joined to the Active Directory and (for non-Windows devices) support Kerberos as an authentication protocol. + +To authenticate with non-domain member devices, IPsec supports using standards-based cryptographic certificates. Because this authentication method is also supported by many third-party operating systems, it can be used as a way to extend your isolated domain to devices that do not run Windows. + +The same principles of the domain and server isolation designs apply to this design. 
Only devices that can authenticate (in this case, by providing a specified certificate) can communicate with the devices in your isolated domain. + +For Windows devices that are part of an Active Directory domain, you can use Group Policy to deploy the certificates required to communicate with the devices that are trusted but are not part of the Active Directory domain. For other devices, you will have to either manually configure them with the required certificates, or use a third-party program to distribute the certificates in a secure manner. + +For more info about this design: + +- This design coincides with the deployment goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). + +- To learn more about this design, see [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md). + +- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). + +- To help you make the decisions required in this design, see [Planning Certificate-based Authentication](planning-certificate-based-authentication.md). + +- For a list of tasks that you can use to deploy your certificate-based policy design, see [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md). + +**Next: **[Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) 
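Review bot: In boundary-zone-gpos.md, the paragraph that starts "This means that you create a GPO for a boundary group for a specific operating system by copying and pasting" draws its conclusion from the first paragraph (one GPO per operating system, Read and Apply granted to CG_DOMISO_Boundary), but the note about nested groups sits between them, so "This means" now reads as if it followed from the note, which describes the opposite (layered) approach. Either move the note below that paragraph or open it with "To do this, create a GPO for a boundary group ...". The front matter "description: Boundary Zone GPOs" only repeats the title; the first sentence of the topic would be a more useful summary.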
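Review bot: In boundary-zone.md, the main mode recommendation "use at least DH4, AES and SHA2" uses an abbreviation that does not match how the key exchange (main mode) settings name Diffie-Hellman groups; spell out the intended group so a reader can find it in the setting. Three smaller fixes in the same hunk: the quick mode item ends with a doubled period ("supported operating systems.."); the Appendix A link is given twice in succession (inside the PMTU discovery bullet and again in the note directly under it), so one reference is enough; and "**Next: **[Encryption Zone](encryption-zone.md)" has a space before the closing `**`, which CommonMark renderers do not accept as an emphasis close, so write "**Next:** [Encryption Zone](encryption-zone.md)".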
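Review bot: In certificate-based-isolation-policy-design-example.md, "Certificates are cryptographically-protected documents, encrypted in such a way that their origin can be positively confirmed" misstates the mechanism: a certificate is not encrypted, it is signed by the issuing certification authority, and it is that signature, checked against a trusted root, that lets a peer confirm its origin. Suggest "Certificates are documents digitally signed by a certification authority, so that their origin can be positively confirmed", which also ties in with the last paragraph's requirement that the certificate chain to a root in the Trusted Root Certification Authorities store. Grammar in the same hunk: "agree on the first one in their lists that match" should be "matches", "inclusion of one or more non-Windows devices to the network" should be "in the network", and the closing "**Next: **" has a space inside the emphasis markers, which breaks the bold.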
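Review bot: In certificate-based-isolation-policy-design.md, "the device needs to be joined to the Active Directory and (for non-Windows devices) support Kerberos" should read "joined to an Active Directory domain", and the comma in "cannot join an Active Directory domain, without a third-party package being installed" separates the condition from its clause and should go. The front matter description again only repeats the title, and the final "**Next: **" line has a space before the closing `**`, so the bold will not render in CommonMark-based renderers.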
diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 5f96e1fcb1..c415733140 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md 
@@ -2,23 +2,34 @@ title: Change history for Keep Windows 10 secure (Windows 10) description: This topic lists new and updated topics in the Keep Windows 10 secure documentation for Windows 10 and Windows 10 Mobile. ms.assetid: E50EC5E6-71AA-4FF1-8356-574CFDB8079B -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Change history for Keep Windows 10 secure This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## June 2016 + +|New or changed topic | Description | +|----------------------|-------------| +|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Added an update about needing to reconfigure your enterprise data protection app rules after delivery of the June service update. | +| [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) (multiple topics) | New | +| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) (mutiple topics) | New security monitoring reference topics | + ## May 2016 |New or changed topic | Description | |----------------------|-------------| +| [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Changed Internet Explorer to Microsoft Edge | | [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) | Added errors 0x80090029 and 0x80070057, and merged entries for error 0x801c03ed. 
| | [Microsoft Passport guide](microsoft-passport-guide.md) | Updated Roadmap section content | -| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 Technical Preview | |[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) |Updated info based on changes to the features and functionality.| +| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 Technical Preview | +|[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (mutiple topics) | New | ## April 2016 @@ -78,4 +89,4 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md - [Change history for What's new in Windows 10](../whats-new/change-history-for-what-s-new-in-windows-10.md) - [Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md) - [Change history for Deploy Windows 10](../deploy/change-history-for-deploy-windows-10.md) -- [Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md) \ No newline at end of file +- [Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md) diff --git a/windows/keep-secure/change-rules-from-request-to-require-mode.md b/windows/keep-secure/change-rules-from-request-to-require-mode.md new file mode 100644 index 0000000000..156957d053 --- /dev/null +++ b/windows/keep-secure/change-rules-from-request-to-require-mode.md 
@@ -0,0 +1,56 @@ +--- +title: Change Rules from Request to Require Mode (Windows 10) +description: Change Rules from Request to Require Mode +ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Change Rules from Request to Require Mode + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Do not change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that are not part of the isolated domain. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +In this topic: + +- [Convert a rule from request to require mode](#to-convert-a-rule-from-request-to-require-mode) + +- [Apply the modified GPOs to the client devices](#to-apply-the-modified-gpos-to-the-client-devices) + +## To convert a rule from request to require mode + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Connection Security Rules**. + +3. In the details pane, double-click the connection security rule that you want to modify. + +4. Click the **Authentication** tab. + +5. In the **Requirements** section, change **Authenticated mode** to **Require inbound and request outbound**, and then click **OK**. + +## To apply the modified GPOs to the client devices + +1. The next time each device refreshes its Group Policy, it will receive the updated GPO and apply the modified rule. 
To force an immediate refresh, run the following command from an elevated command prompt: + + ``` syntax + gpupdate /force + ``` + +2. To verify that the modified GPO is correctly applied to the client devices, you can run the following command: + + ``` syntax + gpresult /r /scope computer + ``` + +3. Examine the command output for the list of GPOs that are applied to the device, and make sure that the list contains the GPOs you expect to see on that device. diff --git a/windows/keep-secure/change-the-system-time.md b/windows/keep-secure/change-the-system-time.md index 4ac7356093..e6f43e3f88 100644 --- a/windows/keep-secure/change-the-system-time.md +++ b/windows/keep-secure/change-the-system-time.md @@ -2,7 +2,7 @@ title: Change the system time (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Change the system time security policy setting. ms.assetid: f2f6637d-acbc-4352-8ca3-ec563f918e65 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/change-the-time-zone.md b/windows/keep-secure/change-the-time-zone.md index 1b27d5afe9..3eb72473a5 100644 --- a/windows/keep-secure/change-the-time-zone.md +++ b/windows/keep-secure/change-the-time-zone.md @@ -2,7 +2,7 @@ title: Change the time zone (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Change the time zone security policy setting. ms.assetid: 3b1afae4-68bb-472f-a43e-49e300d73e50 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/change-the-tpm-owner-password.md b/windows/keep-secure/change-the-tpm-owner-password.md index 7241d40deb..ba11bc7a8c 100644 --- a/windows/keep-secure/change-the-tpm-owner-password.md +++ b/windows/keep-secure/change-the-tpm-owner-password.md 
@@ -2,7 +2,7 @@ title: Change the TPM owner password (Windows 10) description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. ms.assetid: e43dcff3-acb4-4a92-8816-d6b64b7f2f45 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/checklist-configuring-basic-firewall-settings.md b/windows/keep-secure/checklist-configuring-basic-firewall-settings.md new file mode 100644 index 0000000000..979ef0e243 --- /dev/null +++ b/windows/keep-secure/checklist-configuring-basic-firewall-settings.md @@ -0,0 +1,26 @@ +--- +title: Checklist Configuring Basic Firewall Settings (Windows 10) +description: Checklist Configuring Basic Firewall Settings +ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Configuring Basic Firewall Settings + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules. + +**Checklist: Configuring firewall defaults and settings** + +| Task | Reference | +| - | - | +| Turn the firewall on and set the default inbound and outbound behavior.| [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)| +| Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules. | [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) | +| Configure the firewall to record a log file. | [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)| 
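Review bot: In change-history-for-keep-windows-10-secure.md, "(mutiple topics)" is misspelled in two of the added rows (Advanced security audit policy settings under June 2016 and Windows Defender Advanced Threat Protection under May 2016), while the Windows Firewall row in the same hunk spells it "multiple". The User Account Control row is removed above the EDP row and re-added below it, which is a reorder rather than a content change; a word to that effect in the PR description would stop it being read as an accidental duplicate.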
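Review bot: In change-rules-from-request-to-require-mode.md, the introduction says the domain isolation and encryption zone rules are changed "to require, instead of request, authentication", but step 5 sets the mode to "Require inbound and request outbound"; a half sentence noting that outbound stays in request mode (as the isolated domain design already uses) would keep the summary and the procedure consistent. Under "To apply the modified GPOs to the client devices", step 1 is a statement rather than an action ("The next time each device refreshes its Group Policy, it will receive the updated GPO"); fold that sentence into the introduction to the list and make the gpupdate /force command the first step. The fences are written as "``` syntax" with a space after the backticks; drop the space so the language tag is parsed.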
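Review bot: In checklist-configuring-basic-firewall-settings.md, the second task bundles two settings (suppress notifications when a program is blocked, and ignore locally defined firewall and connection security rules) but references a single procedure whose title covers only the notification setting; confirm that the linked topic also covers the local-rules settings, or split the task into two rows so each task maps to its own procedure.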
diff --git a/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md new file mode 100644 index 0000000000..a3cd9303ca --- /dev/null +++ b/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md 
@@ -0,0 +1,43 @@ +--- +title: Checklist Configuring Rules for an Isolated Server Zone (Windows 10) +description: Checklist Configuring Rules for an Isolated Server Zone +ms.assetid: 67c50a91-e71e-4f1e-a534-dad2582e311c +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Configuring Rules for an Isolated Server Zone + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md). + +In addition to requiring authentication and optionally encryption, servers in an isolated server zone can be accessed only by users or devices who are authenticated members of a network access group (NAG). If you include user accounts in the NAG, then the restrictions can still apply; they are just enforced at the application layer, rather than the IP layer. + +Devices that are running at least Windows Vista and Windows Server 2008 can identify both devices and users in the NAG because IPsec in these versions of Windows supports AuthIP in addition to IKE. AuthIP adds support for user-based authentication. + +The GPOs for an isolated server or group of servers are similar to those for the isolated domain itself or the encryption zone, if you require encryption to your isolated servers. This checklist refers you to procedures for creating rules as well as restrictions that allow only members of the NAG to connect to the server. 
+ +**Checklist: Configuring rules for isolated servers** + +| Task | Reference | +| - | - | +| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.
Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO’s element to make sure it is constructed in a way that meets the needs of the server isolation zone. |[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zone’s membership group that are running the specified version of Windows can read and apply it.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| +| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| +| Configure the data protection (quick mode) algorithm combinations to be used. If you require encryption for the isolated server zone, then make sure that you choose only algorithm combinations that include encryption. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| +| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| +| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| +| Create a rule that requests authentication for all network traffic.
**Important:** Just as in an isolated domain, do not set the rules to require authentication for inbound traffic until you have completed testing. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| Create the NAG to contain the device or user accounts that are allowed to access the servers in the isolated server zone. | [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| +| Create a firewall rule that permits inbound network traffic only if authenticated as a member of the NAG. | [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test server to the membership group for the isolated server zone. Be sure to add at least one server for each operating system supported by a GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) | + +Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly. diff --git a/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md new file mode 100644 index 0000000000..f954a6f45e --- /dev/null +++ b/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md 
@@ -0,0 +1,40 @@ +--- +title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows 10) +description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone +ms.assetid: ccc09d06-ef75-43b0-9c77-db06f2940955 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md). + +The GPOs for isolated servers are similar to those for an isolated domain. This checklist refers you to those procedures for the creation of some of the rules. The other procedures in this checklist are for creating the restrictions that allow only members of the server access group to connect to the server. + +**Checklist: Configuring rules for isolated servers** + +| Task | Reference | +| - | - | +| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. 
After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the devices for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| +| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md) | +| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| +| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| +| Configure the authentication methods to be used. This procedure sets the default settings for the device. If you want to set authentication on a per-rule basis, this procedure is optional.| [Configure Authentication Methods](configure-authentication-methods.md) | +| Create a rule that requests authentication for all inbound network traffic.

**Important:** Just as in an isolated domain, do not set the rules to require authentication until your testing is complete. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| +| Create the NAG to contain the device or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client devices, then create a NAG for each set of servers.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) | +| Create a firewall rule that allows inbound network traffic only if it is authenticated from a user or device that is a member of the zone’s NAG.| [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| +  +Do not change the rules for any of your zones to require authentication until all zones have been set up and thoroughly tested. diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md new file mode 100644 index 0000000000..898aff61c0 --- /dev/null 
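Review bot: the row "If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it" refers to "the rule" without saying which one, and it comes before the row that creates the NAG-restricted firewall rule ("Create a firewall rule that allows inbound network traffic only if it is authenticated from a user or device that is a member of the zone's NAG"). If the linked procedure (Configure the Rules to Require Encryption) sets the encryption requirement on that firewall rule, the reader reaches it before the rule exists; if it modifies the connection security request rule instead, say so. Either way, name the rule in the row and order the rows so that the rule being modified has already been created. The same caveat as in the previous checklist applies to the Important note here: its claim that communications are not affected by a failure to authenticate holds only until the NAG-restricted firewall rule is in place, because that rule by its own description admits only authenticated traffic. Like the previous file, this checklist has no closing verification row; add one.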
+++ b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md 
@@ -0,0 +1,32 @@ +--- +title: Checklist Configuring Rules for the Boundary Zone (Windows 10) +description: Checklist Configuring Rules for the Boundary Zone +ms.assetid: 25fe0197-de5a-4b4c-bc44-c6f0620ea94b +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Configuring Rules for the Boundary Zone + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. + +Rules for the boundary zone are typically the same as those for the isolated domain, with the exception that the final rule is left to only request, not require, authentication. + +**Checklist: Configuring boundary zone rules** + +This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you do not change the rule from request authentication to require authentication when you create the other GPOs. + +| Task | Reference | +| - | - | +| Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. 
Unlike the GPO for the main isolated domain zone, this copy is not changed after deployment to require authentication.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) | +| If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the boundary zone and version of Windows for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| +| Verify that the connection security configuration is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md new file mode 100644 index 0000000000..8bf35ebe8e --- /dev/null +++ b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md 
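Review bot: the test-devices row is inconsistent with the rest of the set: its link text reads "Add Test Computers to the Membership Group for a Zone" while the target file and every other checklist in this change say "Add Test Devices to the Membership Group for a Zone", and the file mixes "test computers" with "device" elsewhere. The introduction says "The following checklists include tasks" but the page contains a single checklist. One boundary-zone point worth a sentence under "Checklist: Configuring boundary zone rules": because members of this zone accept unauthenticated traffic by design and, per the first row, this GPO "is not changed after deployment to require authentication", remind the reader that the main isolated domain GPO must deny Apply Group Policy to the boundary zone group (as described under "About exclusion groups" in Checklist: Creating Group Policy Objects); otherwise a device that ends up in both membership groups could receive the require-authentication rule after deployment.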
@@ -0,0 +1,33 @@ +--- +title: Checklist Configuring Rules for the Encryption Zone (Windows 10) +description: Checklist Configuring Rules for the Encryption Zone +ms.assetid: 87b1787b-0c70-47a4-ae52-700bff505ea4 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Configuring Rules for the Encryption Zone + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. + +Rules for the encryption zone are typically the same as those for the isolated domain, with the exception that the main rule requires encryption in addition to authentication. + +**Checklist: Configuring encryption zone rules** + +This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain. + +| Task | Reference | +| - | - | +| Make a copy of the domain isolation GPOs to serve as a starting point for the GPOs for the encryption zone.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Modify the group memberships and WMI filters so that they are correct for the encryption zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Add the encryption requirements for the zone. 
| [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| +| Verify that the connection security rules are protecting network traffic.| [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md new file mode 100644 index 0000000000..41375ddbad --- /dev/null +++ b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md 
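Review bot: the closing row "Verify that the connection security rules are protecting network traffic" links to Verify That Network Traffic Is Authenticated, but this zone's only difference from the isolated domain (per the introduction, "the main rule requires encryption in addition to authentication") is encryption, and a check that traffic is authenticated does not show that it is encrypted. The row should say that the verification confirms encryption, for example by checking that the quick mode security associations negotiated with the test computers use an algorithm combination that includes encryption (the "Configure Data Protection (Quick Mode) Settings" procedure that the sibling checklists reference is where those combinations are chosen). Also, "Add the encryption requirements for the zone." should name what is being modified (the main rule, as the text above the table says). Minor: "Add Test Computers to the Membership Group for a Zone" should read "Add Test Devices ..." to match the target file and the other checklists.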
@@ -0,0 +1,37 @@ +--- +title: Checklist Configuring Rules for the Isolated Domain (Windows 10) +description: Checklist Configuring Rules for the Isolated Domain +ms.assetid: bfd2d29e-4011-40ec-a52e-a67d4af9748e +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Configuring Rules for the Isolated Domain + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. + +**Checklist: Configuring isolated domain rules** + +| Task | Reference | +| - | - | +| Create a GPO for the computers in the isolated domain running one of the operating systems. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| If you are working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they are correct for the isolated domain zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| +| Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| +| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| +| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| +| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| +| Create the rule that requests authentication for all inbound network traffic. | [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| Link the GPO to the domain level of the AD DS organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| +| Verify that the connection security rules are protecting network traffic to and from the test computers. 
| [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| +  + +Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly. diff --git a/windows/keep-secure/checklist-creating-group-policy-objects.md b/windows/keep-secure/checklist-creating-group-policy-objects.md new file mode 100644 index 0000000000..b846638c4e --- /dev/null +++ b/windows/keep-secure/checklist-creating-group-policy-objects.md 
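Review bot: the checklist stops at request mode with no row for the step that the boundary-zone checklist assumes happens later ("Unlike the GPO for the main isolated domain zone, this copy is not changed after deployment to require authentication"); the closing sentence tells the reader not to require authentication until all zones operate correctly but never says where that change is made. Add a final row, explicitly gated on completed testing of all zones, that points to the procedure for changing the request rule to require inbound authentication, or at least a sentence naming it. Wording: the first row's "running one of the operating systems" is vague (say "one version of Windows", as the standalone server-zone checklist does); "computers" alternates with "devices" within this file ("Add your test computers" against the linked "Add Test Devices"); and "AD DS organizational unit hierarchy" here versus "Active Directory organizational unit hierarchy" in the other checklists should be made consistent.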
@@ -0,0 +1,43 @@ +--- +title: Checklist Creating Group Policy Objects (Windows 10) +description: Checklist Creating Group Policy Objects +ms.assetid: e99bd6a4-34a7-47b5-9791-ae819977a559 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Creating Group Policy Objects + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a device into a membership group. + +The checklists for firewall, domain isolation, and server isolation include a link to this checklist. + +## About membership groups + +For most GPO deployment tasks, you must determine which devices must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. For example, Windows 10, Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 use rules and settings that are incompatible with Windows 2000, Windows XP, and Windows Server 2003. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. 
To apply the settings to a device, you make that device's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied. + +## About exclusion groups + +A Windows Firewall with Advanced Security design must often take into account domain-joined devices on the network that cannot or must not apply the rules and settings in the GPOs. Because these devices are typically fewer in number than the devices that must apply the GPO, it is easier to use the Domain Members group in the GPO membership group, and then place these exception devices into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO. Devices typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers. + +You can also use a membership group for one zone as an exclusion group for another zone. For example, devices in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. To do this, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones. + +**Checklist: Creating Group Policy objects** + +| Task | Reference | +| - | - | +| Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)| +| Create the membership group in AD DS that will be used to contain device accounts that must receive the GPO.
If some devices in the membership group are running an operating system that does not support WMI filters, such as Windows 2000, create an exclusion group to contain the device accounts for the devices that cannot be blocked by using a WMI filter.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| +| Create a GPO for each version of Windows that has different implementation requirements.| [Create a Group Policy Object](create-a-group-policy-object.md) | +| Create security group filters to limit the GPO to only devices that are members of the membership group and to exclude devices that are members of the exclusion group.|[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) | +| Create WMI filters to limit each GPO to only the devices that match the criteria in the filter.| [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) | +| If you are working on a GPO that was copied from another, modify the group memberships and WMI filters so that they are correct for the new zone or version of Windows for which this GPO is intended.|[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) | +| Before adding any rules or configuring the GPO, add a few test devices to the membership group, and make sure that the correct GPO is received and applied to each member of the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) | diff --git a/windows/keep-secure/checklist-creating-inbound-firewall-rules.md b/windows/keep-secure/checklist-creating-inbound-firewall-rules.md new file mode 100644 index 0000000000..16681cba2a --- /dev/null 
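Review bot: "Domain Members group" under About exclusion groups does not name a built-in Active Directory group; the default group that holds all computer accounts is Domain Computers, and since the GPOs here are filtered on device accounts that is presumably what is meant, so name it exactly (an administrator building the security filter will look it up by name). The operating-system discussion under About membership groups and in the membership-group row ("an operating system that does not support WMI filters, such as Windows 2000") is inconsistent with the Applies to block, which lists only Windows 10 and Windows Server 2016 Technical Preview: either restate the WMI-filter advice for the supported versions or mark the Windows 2000 / Windows XP / Windows Server 2003 material as historical, and reconcile "you might have five different GPOs for the versions of Windows discussed in this guide" with the two versions the guide actually covers. The precedence statement ("deny permissions take precedence over allow permissions") is correct and is the reason the exclusion-group approach works; consider stating in the security-filter row that the default Apply Group Policy permission for all authenticated users must be removed when the membership group is assigned, otherwise the filter does not restrict anything.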
+++ b/windows/keep-secure/checklist-creating-inbound-firewall-rules.md @@ -0,0 +1,39 @@ +--- +title: Checklist Creating Inbound Firewall Rules (Windows 10) +description: Checklist Creating Inbound Firewall Rules +ms.assetid: 0520e14e-5c82-48da-8fbf-87cef36ce02f +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Creating Inbound Firewall Rules + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This checklist includes tasks for creating firewall rules in your GPOs. + +**Checklist: Creating inbound firewall rules** + +| Task | Reference | +| - | - | +| Create a rule that allows a program to listen for and accept inbound network traffic on any ports it requires. | [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)| +| Create a rule that allows inbound network traffic on a specified port number. | [Create an Inbound Port Rule](create-an-inbound-port-rule.md)| +| Create a rule that allows inbound ICMP network traffic. | [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)| +| Create rules that allow inbound RPC network traffic. | [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)| +| Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)| + +  + +  + +  + + + + + diff --git a/windows/keep-secure/checklist-creating-outbound-firewall-rules.md b/windows/keep-secure/checklist-creating-outbound-firewall-rules.md new file mode 100644 index 0000000000..22b8d892c8 --- /dev/null +++ b/windows/keep-secure/checklist-creating-outbound-firewall-rules.md 
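Review bot: the inbound-rules file ends with a run of blank and non-breaking-space lines after the table (the "+  +" lines at the end of the hunk); drop them, they add nothing and the NBSP characters are easy to carry into later edits. On content, the first row describes a program rule that accepts traffic "on any ports it requires"; that is the most permissive option in the table, and an inbound checklist should tell the reader to prefer the port rule (second row) where the port is known, and to scope a program rule by profile and remote address where the service is only needed locally, otherwise every port the program opens becomes reachable. A one-line "scope each rule as narrowly as the service allows" note before the table would do.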
@@ -0,0 +1,39 @@ +--- +title: Checklist Creating Outbound Firewall Rules (Windows 10) +description: Checklist Creating Outbound Firewall Rules +ms.assetid: 611bb98f-4e97-411f-82bf-7a844a4130de +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Creating Outbound Firewall Rules + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This checklist includes tasks for creating outbound firewall rules in your GPOs. + +>**Important:**  By default, outbound filtering is disabled. Because all outbound network traffic is permitted, outbound rules are typically used to block traffic that is not wanted on the network. However, it is a best practice for an administrator to create outbound allow rules for those applications that are approved for use on the organization’s network. If you do this, then you have the option to set the default outbound behavior to block, preventing any network traffic that is not specifically authorized by the rules you create. + +**Checklist: Creating outbound firewall rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** + +| Task | Reference | +| - | - | +| Create a rule that allows a program to send any outbound network traffic on any port it requires. | [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)| +| Create a rule that allows outbound network traffic on a specified port number. | [Create an Outbound Port Rule](create-an-outbound-port-rule.md)| +| Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)| + +  + +  + +  + + + + + 
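Review bot: the table heading "Checklist: Creating outbound firewall rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2" omits Windows 10 and Windows Server 2016 Technical Preview, the only versions in the Applies to block at the top of the same file; either generalize the heading (the inbound checklist uses a plain "Checklist: Creating inbound firewall rules") or explain why these rules differ by version. The Important note sets up the right sequence (create outbound allow rules for approved applications, then set the default outbound behavior to block) but the table has no row for that final step; add one that points at the default outbound behavior setting (presumably covered by Checklist: Configuring Basic Firewall Settings, which the basic firewall policy checklist references) and say that the switch belongs after the allow rules have been tested, since flipping the default first cuts off every unlisted application. The same trailing blank / NBSP lines as in the inbound file should be removed.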
diff --git a/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md new file mode 100644 index 0000000000..bd5a21cdb8 --- /dev/null +++ b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md @@ -0,0 +1,33 @@ +--- +title: Checklist Creating Rules for Clients of a Standalone Isolated Server Zone (Windows 10) +description: Checklist Creating Rules for Clients of a Standalone Isolated Server Zone +ms.assetid: 6a5e6478-add3-47e3-8221-972549e013f6 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone. + +**Checklist: Configuring isolated server zone client rules** + +| Task | Reference | +| - | - | +| Create a GPO for the client devices that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you have finished the tasks in this checklist, you can make a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| To determine which devices receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO. Make sure that each GPO has the WMI filter for the correct version of Windows.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| +| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| +| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| +| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| +| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| +| Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with devices that cannot use IPsec, you can use the same any-to-any rule used in an isolated domain.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test devices to the NAG for the isolated server zone. 
Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| diff --git a/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md b/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md new file mode 100644 index 0000000000..f72a945895 --- /dev/null +++ b/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md 
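Review bot: the filter row tells the reader to "assign the NAG for the isolated servers to the security group filter for the GPO", but the server-side checklist defines the NAG as holding "the device or user accounts that are allowed to access the isolated servers". Security filtering on a GPO that carries computer configuration (connection security rules and IPsec settings) is evaluated against the device account, so if the NAG contains user accounts the client GPO will not reach those users' machines. Either state that the NAG must contain device accounts when it doubles as the GPO filter, or have the reader create a separate membership group of client device accounts (as Checklist: Creating Group Policy Objects does) and keep the NAG for the server-side firewall rule only. The request-rule row justifies the any-to-any rule with "fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay", which conflicts with the Applies to block (Windows 10 and Windows Server 2016 Technical Preview); restate it for the supported versions or drop the version names. Finally, unlike the isolated-domain and zone checklists, this one has no closing "Verify That Network Traffic Is Authenticated" row; add it, because a client that silently falls back to clear is exactly the failure that test would catch.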
@@ -0,0 +1,36 @@ +--- +title: Checklist Implementing a Basic Firewall Policy Design (Windows 10) +description: Checklist Implementing a Basic Firewall Policy Design +ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Implementing a Basic Firewall Policy Design + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. + +>**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. + +The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). + + **Checklist: Implementing a basic firewall policy design** + +| Task | Reference | +| - | - | +| Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Basic Firewall Policy Design](basic-firewall-policy-design.md)
[Firewall Policy Design Example](firewall-policy-design-example.md)
[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)| +| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016 Technical Preview, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016 Technical Preview, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)| +| Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)| +| Create one or more inbound firewall rules to allow unsolicited inbound network traffic.| [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)| +| Create one or more outbound firewall rules to block unwanted outbound network traffic. | [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add test devices to the membership group, and then confirm that the devices receive the firewall rules from the GPOs as expected.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| +| According to the testing and roll-out schedule in your design plan, add device accounts to the membership group to deploy the completed firewall policy settings to your devices. | [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)| diff --git a/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md new file mode 100644 index 0000000000..1cab0a3744 --- /dev/null 
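Review bot: the second row sends the reader to Checklist: Creating Group Policy Objects, and that checklist already links the GPO to the domain and adds test devices ("Before adding any rules or configuring the GPO, add a few test devices to the membership group"); this table then repeats both steps ("Link the GPO to the Domain", "Add test devices to the membership group") after the rules are configured. Say which sequence is intended (linking once, early, with an empty membership group, and re-testing after the rules are in is the usual one) so the reader does not link the same GPO twice or wonder whether the first test pass was optional. The outbound row ("Create one or more outbound firewall rules to block unwanted outbound network traffic") should mention that the outbound checklist it links to expects allow rules for approved applications to be created before the default outbound action is set to block. Minor: stray leading space before **Checklist: Implementing a basic firewall policy design**.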
+++ b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md @@ -0,0 +1,30 @@ +--- +title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows 10) +description: Checklist Implementing a Certificate-based Isolation Policy Design +ms.assetid: 1e34b5ea-2e77-4598-a765-550418d33894 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Implementing a Certificate-based Isolation Policy Design + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design. + +>**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist + +**Checklist: Implementing certificate-based authentication** + +| Task | Reference | +| - | - | +| Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
[Planning Certificate-based Authentication](planning-certificate-based-authentication.md) | +| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.| | +| Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)| +| Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)| +| On a test device, refresh Group Policy and confirm that the certificate is installed. | [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)| diff --git a/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md new file mode 100644 index 0000000000..a57af52e9a --- /dev/null +++ b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md 
@@ -0,0 +1,34 @@ +--- +title: Checklist Implementing a Domain Isolation Policy Design (Windows 10) +description: Checklist Implementing a Domain Isolation Policy Design +ms.assetid: 76586eb3-c13c-4d71-812f-76bff200fc20 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Implementing a Domain Isolation Policy Design + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. + +>**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. + +The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). + +**Checklist: Implementing a domain isolation policy design** + +| Task | Reference | +| - | - | +| Review important concepts and examples for the domain isolation policy design, determine your Windows Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Domain Isolation Policy Design](domain-isolation-policy-design.md)
[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
[Planning Domain Isolation Zones](planning-domain-isolation-zones.md) | +| Create the GPOs and connection security rules for the isolated domain.| [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)| +| Create the GPOs and connection security rules for the boundary zone.| [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)| +| Create the GPOs and connection security rules for the encryption zone.| [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)| +| Create the GPOs and connection security rules for the isolated server zone.| [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md)| +| According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy rules and settings to your computers.| [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)| +| After you confirm that network traffic is authenticated by IPsec, you can change authentication rules for the isolated domain and encryption zone from request to require mode.| [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)| diff --git a/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md new file mode 100644 index 0000000000..e4ed2e3d00 --- /dev/null +++ b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md 
@@ -0,0 +1,33 @@ +--- +title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows 10) +description: Checklist Implementing a Standalone Server Isolation Policy Design +ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Implementing a Standalone Server Isolation Policy Design + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md). + +This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. + +>**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. + +**Checklist: Implementing a standalone server isolation policy design** + +| Task | Reference | +| - | - | +| Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Server Isolation Policy Design](server-isolation-policy-design.md)
[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
[Planning Server Isolation Zones](planning-server-isolation-zones.md) | +| Create the GPOs and connection security rules for isolated servers.| [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)| +| Create the GPOs and connection security rules for the client devices that must connect to the isolated servers. | [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)| +| Verify that the connection security rules are protecting network traffic on your test devices. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| +| After you confirm that network traffic is authenticated by IPsec as expected, you can change authentication rules for the isolated server zone to require authentication instead of requesting it. | [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)| +| According to the testing and roll-out schedule in your design plan, add device accounts for the client devices to the membership group so that you can deploy the settings. | [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md) | diff --git a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md index 3e84e8f209..0293f672ae 100644 --- a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md +++ b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md 
@@ -2,7 +2,7 @@ title: Choose the right BitLocker countermeasure (Windows 10) description: This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks. ms.assetid: b0b09508-7885-4030-8c61-d91458afdb14 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md b/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md index 58ba26536b..206c0415fe 100644 --- a/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md +++ b/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md @@ -2,7 +2,7 @@ title: Configure an AppLocker policy for audit only (Windows 10) description: This topic for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker. ms.assetid: 10bc87d5-cc7f-4500-b7b3-9006e50afa50 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md b/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md index 3d6aa8a2c7..55e87ba39a 100644 --- a/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md +++ b/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md @@ -2,7 +2,7 @@ title: Configure an AppLocker policy for enforce rules (Windows 10) description: This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting. ms.assetid: 5dbbb290-a5ae-4f88-82b3-21e95972e66c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/configure-authentication-methods.md b/windows/keep-secure/configure-authentication-methods.md new file mode 100644 index 0000000000..c637681093 --- /dev/null +++ b/windows/keep-secure/configure-authentication-methods.md 
@@ -0,0 +1,75 @@ +--- +title: Configure Authentication Methods (Windows 10) +description: Configure Authentication Methods +ms.assetid: 5fcdc523-617f-4233-9213-15fe19f4cd02 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security + +author: brianlic-msft +--- + +# Configure Authentication Methods + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone. + +>**Note:**  If you follow the steps in the procedure in this topic, you alter the system-wide default settings. Any connection security rule can use these settings by specifying **Default** on the **Authentication** tab. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +**To configure authentication methods** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. + +3. On the **IPsec Settings** tab, click **Customize**. + +4. In the **Authentication Method** section, select the type of authentication that you want to use from among the following: + + 1. **Default**. Selecting this option tells the computer to use the authentication method currently defined by the local administrator in Windows Firewall with Advanced Security or by Group Policy as the default. + + 2. **Computer and User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of both the computer and the currently logged-on user by using their domain credentials. + + 3. **Computer (using Kerberos V5)**. 
Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows. + + 4. **User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. + + 5. **Computer certificate from this certification authority**. Selecting this option and entering the identification of a certification authority (CA) tells the computer to use and require authentication by using a certificate that is issued by the selected CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication enhanced key usage (EKU) typically provided in a Network Access Protection (NAP) infrastructure can be used for this rule. + + 6. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**. + + The first authentication method can be one of the following: + + - **Computer (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows. + + - **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + + - **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by that CA. 
If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used. + + - **Preshared key (not recommended)**. Selecting this method and entering a preshared key tells the computer to authenticate by exchanging the preshared keys. If they match, then the authentication succeeds. This method is not recommended, and is included only for backward compatibility and testing purposes. + + If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails. + + The second authentication method can be one of the following: + + - **User (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + + - **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + + - **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to specified users or user groups. + + - **Computer health certificate from this certification authority (CA)**. 
Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication EKU typically provided in a NAP infrastructure can be used for this rule. + + If you select **Second authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails. + + >**Important:**  Make sure that you do not select the check boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails. + +5. Click **OK** on each dialog box to save your changes and return to the Group Policy Management Editor. diff --git a/windows/keep-secure/configure-data-protection-quick-mode-settings.md b/windows/keep-secure/configure-data-protection-quick-mode-settings.md new file mode 100644 index 0000000000..1b0e5489ab --- /dev/null +++ b/windows/keep-secure/configure-data-protection-quick-mode-settings.md 
@@ -0,0 +1,62 @@ +--- +title: Configure Data Protection (Quick Mode) Settings (Windows 10) +description: Configure Data Protection (Quick Mode) Settings +ms.assetid: fdcb1b36-e267-4be7-b842-5df9a067c9e0 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Configure Data Protection (Quick Mode) Settings + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +**To configure quick mode settings** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. + +3. On the **IPsec Settings** tab, click **Customize**. + +4. In the **Data protection (Quick Mode)** section, click **Advanced**, and then click **Customize**. + +5. If you require encryption for all network traffic in the specified zone, then check **Require encryption for all connection security rules that use these settings**. Selecting this option disables the **Data integrity** section, and forces you to select only integrity algorithms that are combined with an encryption algorithm. If you do not select this option, then you can use only data integrity algorithms. Before selecting this option, consider the performance impact and the increase in network traffic that will result. We recommend that you use this setting only on network traffic that truly requires it, such as to and from computers in the encryption zone. + +6. 
If you did not select **Require encryption**, then select the data integrity algorithms that you want to use to help protect the data sessions between the two computers. If the data integrity algorithms displayed in the list are not what you want, then do the following: + + 1. From the left column, remove any of the data integrity algorithms that you do not want by selecting the algorithm and then clicking **Remove**. + + 2. Add any required data integrity algorithms by clicking **Add**, selecting the appropriate protocol (ESP or AH) and algorithm (SHA1 or MD5), selecting the key lifetime in minutes or sessions, and then clicking **OK**. We recommend that you do not include MD5 in any combination. It is included for backward compatibility only. We also recommend that you use ESP instead of AH if you have any devices on your network that use network address translation (NAT). + + 3. In **Key lifetime (in sessions)**, type the number of times that the quick mode session can be rekeyed. After this number is reached, the quick mode SA must be renegotiated. Be careful to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance because of the more frequent renegotiating of the quick mode SA. We recommend that you use the default value unless your risk analysis indicates the need for a different value. + + 4. Click **OK** to save your algorithm combination settings. + + 5. After the list contains only the combinations you want, use the up and down arrows to the right of the list to rearrange them in the correct order for your design. The algorithm combination that is first in the list is tried first, and so on. + +7. Select the data integrity and encryption algorithms that you want to use to help protect the data sessions between the two computers. If the algorithm combinations displayed in the list are not what you want, then do the following: + + 1. 
From the second column, remove any of the data integrity and encryption algorithms that you do not want by selecting the algorithm combination and then clicking **Remove**. + + 2. Add any required integrity and encryption algorithm combinations by clicking **Add**, and then doing the following: + + 3. Select the appropriate protocol (ESP or AH). We recommend that you use ESP instead of AH if you have any devices on your network that use NAT. + + 4. Select the appropriate encryption algorithm. The choices include, in order of decreasing security: AES-256, AES-192, AES-128, 3DES, and DES. We recommend that you do not include DES in any combination. It is included for backward compatibility only. + + 5. Select the appropriate integrity algorithm (SHA1 or MD5). We recommend that you do not include MD5 in any combination. It is included for backward compatibility only. + + 6. In **Key lifetime (in minutes)**, type the number of minutes. When the specified number of minutes has elapsed, any IPsec operations between the two computers that negotiated this key will require a new key. Be careful to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance because of the more frequent rekeying. We recommend that you use the default value unless your risk analysis indicates the need for a different value. + +8. Click **OK** three times to save your settings. diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md index 79f9ff560f..aede6f38ed 100644 --- a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md 
@@ -3,9 +3,10 @@ title: Configure Windows Defender ATP endpoints description: Use Group Policy or SCCM to deploy the configuration package or do manual registry changes on endpoints so that they are onboarded to the service. keywords: configure endpoints, client onboarding, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm, system center configuration manager search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: iaanw --- diff --git a/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md b/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md index 0d4e3eefd6..be96e323ed 100644 --- a/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md +++ b/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md @@ -2,7 +2,7 @@ title: Add exceptions for an AppLocker rule (Windows 10) description: This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule. ms.assetid: d15c9d84-c14b-488d-9f48-bf31ff7ff0c5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md new file mode 100644 index 0000000000..a3687db1b5 --- /dev/null +++ b/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md 
@@ -0,0 +1,38 @@ +--- +title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows 10) +description: Configure Group Policy to Autoenroll and Deploy Certificates +ms.assetid: faeb62b5-2cc3-42f7-bee5-53ba45d05c09 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Configure Group Policy to Autoenroll and Deploy Certificates + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate. + +**Administrative credentials** + +To complete these procedures, you must be a member of both the Domain Admins group in the root domain of your forest and a member of the Enterprise Admins group. + +**To configure Group Policy to autoenroll certificates** + +1. Open the Group Policy Management console. + +2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**. + +3. In the navigation pane, expand the following path: **Computer Configuration**, **Policies**, **Windows Settings**, **Security Settings**, **Public Key Policies**. + +4. Double-click **Certificate Services Client - Auto-Enrollment**. + +5. In the **Properties** dialog box, change **Configuration Model** to **Enabled**. + +6. Select both **Renew expired certificates, update pending certificates, and remove revoked certificates** and **Update certificates that use certificate templates**. + +7. Click **OK** to save your changes. Computers apply the GPO and download the certificate the next time Group Policy is refreshed. 
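Review bot: In configure-group-policy-to-autoenroll-and-deploy-certificates.md the credentials sentence "you must be a member of both the Domain Admins group in the root domain of your forest and a member of the Enterprise Admins group" doubles "member"; write "a member of both the Domain Admins group in the root domain of your forest and the Enterprise Admins group". The intro also tells the reader to follow the procedure for each GPO whose rules require this certificate but never names the certificate template that auto-enrollment deploys; linking to configure-the-workstation-authentication-certificate-template.md (the step that precedes this one in the certificate-based isolation checklist added in this same commit) as a prerequisite would make the topic usable on its own.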
diff --git a/windows/keep-secure/configure-key-exchange-main-mode-settings.md b/windows/keep-secure/configure-key-exchange-main-mode-settings.md new file mode 100644 index 0000000000..097d29b877 --- /dev/null +++ b/windows/keep-secure/configure-key-exchange-main-mode-settings.md 
@@ -0,0 +1,62 @@ +--- +title: Configure Key Exchange (Main Mode) Settings (Windows 10) +description: Configure Key Exchange (Main Mode) Settings +ms.assetid: 5c593b6b-2cd9-43de-9b4e-95943fe82f52 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Configure Key Exchange (Main Mode) Settings + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +**To configure key exchange settings** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. + +3. On the **IPsec Settings** tab, click **Customize**. + +4. In the **Key exchange (Main Mode)** section, click **Advanced**, and then click **Customize**. + +5. Select the security methods to be used to help protect the main mode negotiations between the two devices. If the security methods displayed in the list are not what you want, then do the following: + + **Important**   + In Windows Vista, Windows Server 2008, or later, you can specify only one key exchange algorithm. This means that if you want to communicate by using IPsec with another device running Windows 8 or Windows Server 2012, then you must select the same key exchange algorithm on both devices. + + Also, if you create a connection security rule that specifies an option that requires AuthIP instead of IKE, then only the one combination of the top integrity and encryption security method are used in the negotiation. 
Make sure that all of your devices that are running at least Windows Vista and Windows Server 2008 have the same methods at the top of the list and the same key exchange algorithm selected. + + **Note**   + When AuthIP is used, no Diffie-Hellman key exchange protocol is used. Instead, when Kerberos V5 authentication is requested, the Kerberos V5 service ticket secret is used in place of a Diffie-Hellman value. When either certificate authentication or NTLM authentication is requested, a transport level security (TLS) session is established, and its secret is used in place of the Diffie-Hellman value. This happens no matter which Diffie-Hellman key exchange protocol you select. + + 1. Remove any of the security methods that you do not want by selecting the method and then clicking **Remove**. + + 2. Add any required security method combinations by clicking **Add**, selecting the appropriate encryption algorithm and integrity algorithm from the lists, and then clicking **OK**. + + >**Caution:**  We recommend that you do not include MD5 or DES in any combination. They are included for backward compatibility only. + + 3. After the list contains only the combinations you want, use the up and down arrows to the right of the list to arrange them in the order of preference. The combination that appears first in the list is tried first, and so on. + +6. From the list on the right, select the key exchange algorithm that you want to use. + + >**Caution:**  We recommend that you do not use Diffie-Hellman Group 1. It is included for backward compatibility only.  + +7. In **Key lifetime (in minutes)**, type the number of minutes. When the specified number of minutes has elapsed, any IPsec operation between the two devices requires a new key. + + >**Note:**  You need to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance. + +8. In **Key lifetime (in sessions)**, type the number of sessions. 
After the specified number of quick mode sessions have been created within the security association protected by this key, IPsec requires a new key. + +9. Click **OK** three times to save your settings. diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md index aef3743b8f..e0564e8606 100644 --- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Configure Windows Defender ATP endpoint proxy and Internet connection set description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service. keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, web proxy auto detect, wpad, netsh, winhttp, proxy server search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/configure-s-mime.md b/windows/keep-secure/configure-s-mime.md index 1d5a83822d..7b9906f26d 100644 --- a/windows/keep-secure/configure-s-mime.md +++ b/windows/keep-secure/configure-s-mime.md @@ -3,7 +3,7 @@ title: Configure S/MIME for Windows 10 and Windows 10 Mobile (Windows 10) description: In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. ms.assetid: 7F9C2A99-42EB-4BCC-BB53-41C04FBBBF05 keywords: encrypt, digital signature -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/configure-the-appLocker-reference-device.md b/windows/keep-secure/configure-the-appLocker-reference-device.md index 59e6e81b2d..97d6fd1361 100644 --- a/windows/keep-secure/configure-the-appLocker-reference-device.md +++ b/windows/keep-secure/configure-the-appLocker-reference-device.md @@ -2,7 +2,7 @@ title: Configure the AppLocker reference device (Windows 10) description: This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer. ms.assetid: 034bd367-146d-4956-873c-e1e09e6fefee -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/configure-the-application-identity-service.md b/windows/keep-secure/configure-the-application-identity-service.md index 0714a613da..84a1d64b98 100644 --- a/windows/keep-secure/configure-the-application-identity-service.md +++ b/windows/keep-secure/configure-the-application-identity-service.md @@ -3,7 +3,7 @@ title: Configure the Application Identity service (Windows 10) description: This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually. ms.assetid: dc469599-37fd-448b-b23e-5b8e4f17e561 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft diff --git a/windows/keep-secure/configure-the-rules-to-require-encryption.md b/windows/keep-secure/configure-the-rules-to-require-encryption.md new file mode 100644 index 0000000000..cdc97d2167 --- /dev/null +++ b/windows/keep-secure/configure-the-rules-to-require-encryption.md 
@@ -0,0 +1,53 @@ +--- +title: Configure the Rules to Require Encryption (Windows 10) +description: Configure the Rules to Require Encryption +ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Configure the Rules to Require Encryption + +If you are creating a zone that requires encryption, you must configure the rules to add the encryption algorithms and delete the algorithm combinations that do not use encryption. + +**Administrative credentials** + +To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +**To modify an authentication request rule to also require encryption** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Connection Security Rules**. + +3. In the details pane, double-click the connection security rule you want to modify. + +4. On the **Name** page, rename the connection security rule, edit the description to reflect the new use for the rule, and then click **OK**. + +5. In the navigation pane, right-click **Windows Firewall with Advanced Security – LDAP://CN={***guid***}**, and then click **Properties**. + +6. Click the **IPsec Settings** tab. + +7. Under **IPsec defaults**, click **Customize**. + +8. Under **Data protection (Quick Mode)**, click **Advanced**, and then click **Customize**. + +9. Click **Require encryption for all connection security rules that use these settings**. + + This disables the data integrity rules section. Make sure the **Data integrity and encryption** list contains all of the combinations that your client devices will use to connect to members of the encryption zone. 
The client devices receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client devices in that zone will not be able to connect to devices in this zone. + +10. If you need to add an algorithm combination, click **Add**, and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md). + + **Note**   + Not all of the algorithms available in Windows 8 or Windows Server 2012 and later can be selected in the Windows Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell. + + Quick mode settings can also be configured on a per-rule basis, but not by using the Windows Firewall with Advanced Security user interface. Instead, you can create or modify the rules by using Windows PowerShell. + + For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) + +11. During negotiation, algorithm combinations are proposed in the order shown in the list. Make sure that the more secure combinations are at the top of the list so that the negotiating devices select the most secure combination that they can jointly support. + +12. Click **OK** three times to save your changes. diff --git a/windows/keep-secure/configure-the-windows-firewall-log.md b/windows/keep-secure/configure-the-windows-firewall-log.md new file mode 100644 index 0000000000..0784a64b85 --- /dev/null +++ b/windows/keep-secure/configure-the-windows-firewall-log.md 
@@ -0,0 +1,53 @@ +--- +title: Configure the Windows Firewall Log (Windows 10) +description: Configure the Windows Firewall Log +ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security + +author: brianlic-msft +--- + +# Configure the Windows Firewall Log + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To configure Windows Firewall to log dropped packets or successful connections, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +In this topic: + +- [To configure the Windows Firewall log](#to-configure-the-windows-firewall-log) + +## To configure the Windows Firewall log + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**. + +3. For each network location type (Domain, Private, Public), perform the following steps. + + 1. Click the tab that corresponds to the network location type. + + 2. Under **Logging**, click **Customize**. + + 3. The default path for the log is **%windir%\\system32\\logfiles\\firewall\\pfirewall.log**. If you want to change this, clear the **Not configured** check box and type the path to the new location, or click **Browse** to select a file location. + + >**Important:**  The location you specify must have permissions assigned that permit the Windows Firewall service to write to the log file. + + 4. The default maximum file size for the log is 4,096 kilobytes (KB). 
If you want to change this, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file will not grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones. + + 5. No logging occurs until you set one of following two options: + + - To create a log entry when Windows Firewall drops an incoming network packet, change **Log dropped packets** to **Yes**. + + - To create a log entry when Windows Firewall allows an inbound connection, change **Log successful connections** to **Yes**. + + 6. Click **OK** twice. diff --git a/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md b/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md new file mode 100644 index 0000000000..89b5eb68e9 --- /dev/null +++ b/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md 
@@ -0,0 +1,48 @@ +--- +title: Configure the Workstation Authentication Certificate Template (Windows 10) +description: Configure the Workstation Authentication Certificate Template +ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Configure the Workstation Authentication Certificate Template + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for device certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements. + +**Administrative credentials** + +## To configure the workstation authentication certificate template and autoenrollment +To complete these procedures, you must be a member of both the Domain Admins group in the root domain of your forest, and a member of the Enterprise Admins group. + + +1. On the device where AD CS is installed, open the Certification Authority console. + +2. In the navigation pane, right-click **Certificate Templates**, and then click **Manage**. + +3. In the details pane, click the **Workstation Authentication** template. + +4. On the **Action** menu, click **Duplicate Template**. In the **Duplicate Template** dialog box, select the template version that is appropriate for your deployment, and then click **OK**. For the resulting certificates to have maximum compatibility with the available versions of Windows, we recommended that you select **Windows Server 2003**. + +5. On the **General** tab, in **Template display name**, type a new name for the certificate template, such as **Domain Isolation Workstation Authentication Template**. + +6. Click the **Subject Name** tab. 
Make sure that **Build from this Active Directory information** is selected. In **Subject name format**, select **Fully distinguished name**. + +7. Click the **Request Handling** tab. You must determine the best minimum key size for your environment. Large key sizes provide better security, but they can affect server performance. We recommended that you use the default setting of 2048. + +8. Click the **Security** tab. In **Group or user names**, click **Domain Computers**, under **Allow**, select **Enroll** and **Autoenroll**, and then click **OK**. + + >**Note:**  If you want do not want to deploy the certificate to every device in the domain, then specify a different group or groups that contain the device accounts that you want to receive the certificate. + +9. Close the Certificate Templates Console. + +10. In the Certification Authority MMC snap-in, in the left pane, right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**. + +11. In the **Enable Certificate Templates** dialog box, click the name of the certificate template you just configured, and then click **OK**. diff --git a/windows/keep-secure/configure-windows-defender-in-windows-10.md b/windows/keep-secure/configure-windows-defender-in-windows-10.md index 72c2a16a9b..b52b5f6c57 100644 --- a/windows/keep-secure/configure-windows-defender-in-windows-10.md +++ b/windows/keep-secure/configure-windows-defender-in-windows-10.md @@ -2,7 +2,7 @@ title: Configure Windows Defender in Windows 10 (Windows 10) description: IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS). ms.assetid: 22649663-AC7A-40D8-B1F7-5CAD9E49653D -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md new file mode 100644 index 0000000000..b4990058e6 --- /dev/null +++ b/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md 
@@ -0,0 +1,46 @@ +--- +title: Configure Windows Firewall to Suppress Notifications When a Program Is Blocked (Windows 10) +description: Configure Windows Firewall to Suppress Notifications When a Program Is Blocked +ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Configure Windows Firewall to Suppress Notifications When a Program Is Blocked + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To configure Windows Firewall to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Firewall with Advanced Security node in the Group Policy Management console. + +>**Caution:**  If you choose to disable alerts and prohibit locally defined rules, then you must create firewall rules that allow your users’ programs to send and receive the required network traffic. If a firewall rule is missing, then the user does not receive any kind of warning, the network traffic is silently blocked, and the program might fail. + +We recommend that you do not enable these settings until you have created and tested the required rules. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +## To configure Windows Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**. + +3. For each network location type (Domain, Private, Public), perform the following steps. + + 1. 
Click the tab that corresponds to the network location type. + + 2. Under **Settings**, click **Customize**. + + 3. Under **Firewall settings**, change **Display a notification** to **No**. + + 4. Under **Rule merging**, change **Apply local firewall rules** to **No**. + + 5. Although a connection security rule is not a firewall setting, you can also use this tab to prohibit locally defined connection security rules if you are planning to deploy IPsec rules as part of a server or domain isolation environment. Under **Rule merging**, change **Apply local connection security rules** to **No**. + + 6. Click **OK** twice. diff --git a/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md b/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md new file mode 100644 index 0000000000..0423277e45 --- /dev/null +++ b/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md 
@@ -0,0 +1,48 @@ +--- +title: Confirm That Certificates Are Deployed Correctly (Windows 10) +description: Confirm That Certificates Are Deployed Correctly +ms.assetid: de0c8dfe-16b0-4d3b-8e8f-9282f6a65eee +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: securit +author: brianlic-msft +--- + +# Confirm That Certificates Are Deployed Correctly + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation devices. + +In these procedures, you refresh Group Policy on a client device, and then confirm that the certificate is deployed correctly. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +In this topic: + +- [Refresh Group Policy on a device](#to-refresh-group-policy-on-a-device) + +- [Verify that a certificate is installed](#to-verify-that-a-certificate-is-installed) + +## To refresh Group Policy on a device + + From an elevated command prompt, run the following command: + +``` syntax +gpupdate /target:computer /force +``` + +After Group Policy is refreshed, you can see which GPOs are currently applied to the device. + +## To verify that a certificate is installed + +1. Open the Cerificates console. + +2. In the navigation pane, expand **Trusted Root Certification Authorities**, and then click **Certificates**. + + The CA that you created appears in the list. diff --git a/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md b/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md new file mode 100644 index 0000000000..694250fe3b --- /dev/null +++ b/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md 
@@ -0,0 +1,50 @@ +--- +title: Copy a GPO to Create a New GPO (Windows 10) +description: Copy a GPO to Create a New GPO +ms.assetid: 7f6a23e5-4b3f-40d6-bf6d-7895558b1406 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Copy a GPO to Create a New GPO + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To create the GPO for the boundary zone devices, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and devices MMC snap-in. + +**Administrative credentials** + +To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to create new GPOs. + +**To make a copy of a GPO** + +1. Open the Group Policy Management console. + +2. In the navigation pane, expand **Forest:***YourForestName*, expand **Domains**, expand *YourDomainName*, and then click **Group Policy Objects**. + +3. In the details pane, right-click the GPO you want to copy, and then click **Copy**. + +4. In the navigation pane, right-click **Group Policy Objects** again, and then click **Paste**. + +5. In the **Copy GPO** dialog box, click **Preserve the existing permissions**, and then click **OK**. Selecting this option preserves any exception groups to which you denied Read and Apply GPO permissions, making the change simpler. + +6. After the copy is complete, click **OK**. The new GPO is named **Copy of** *original GPO name*. + +7. To rename it, right-click the GPO, and then click **Rename**. + +8. Type the new name, and then press ENTER. + +9. You must change the security filters to apply the policy to the correct group of devices. 
To do this, click the **Scope** tab, and in the **Security Filtering** section, select the group that grants permissions to all members of the isolated domain, for example **CG\_DOMISO\_IsolatedDomain**, and then click **Remove**. + +10. In the confirmation dialog box, click **OK**. + +11. Click **Add**. + +12. Type the name of the group that contains members of the boundary zone, for example **CG\_DOMISO\_Boundary**, and then click **OK**. + +13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10, and the new boundary zone GPO is for devices running Windows Server 2016 Technical Preview, then select a WMI filter that allows only those devices to read and apply the GPO. diff --git a/windows/keep-secure/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/keep-secure/create-a-basic-audit-policy-settings-for-an-event-category.md index cdd372d271..69742a74b0 100644 --- a/windows/keep-secure/create-a-basic-audit-policy-settings-for-an-event-category.md +++ b/windows/keep-secure/create-a-basic-audit-policy-settings-for-an-event-category.md @@ -2,7 +2,7 @@ title: Create a basic audit policy for an event category (Windows 10) description: By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. ms.assetid: C9F52751-B40D-482E-BE9D-2C61098249D3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-a-group-account-in-active-directory.md b/windows/keep-secure/create-a-group-account-in-active-directory.md new file mode 100644 index 0000000000..6aeb64d983 --- /dev/null +++ b/windows/keep-secure/create-a-group-account-in-active-directory.md 
@@ -0,0 +1,42 @@ +--- +title: Create a Group Account in Active Directory (Windows 10) +description: Create a Group Account in Active Directory +ms.assetid: c3700413-e02d-4d56-96b8-7991f97ae432 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create a Group Account in Active Directory + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers console. + +**Administrative credentials** + +To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to create new group accounts. + +**To add a new membership group in Active Directory** + +1. Open the Active Directory Users and Computers console. + +2. In the navigation pane, select the container in which you want to store your group. This is typically the **Users** container under the domain. + +3. Click **Action**, click **New**, and then click **Group**. + +4. In the **Group name** text box, type the name for your new group. + + >**Note:**  Be sure to use a name that clearly indicates its purpose. Check to see if your organization has a naming convention for groups. + +5. In the **Description** text box, enter a description of the purpose of this group. + +6. In the **Group scope** section, select either **Global** or **Universal**, depending on your Active Directory forest structure. If your group must include computers from multiple domains, then select **Universal**. If all of the members are from the same domain, then select **Global**. + +7. In the **Group type** section, click **Security**. + +8. Click **OK** to save your group. diff --git a/windows/keep-secure/create-a-group-policy-object.md b/windows/keep-secure/create-a-group-policy-object.md new file mode 100644 index 0000000000..42a0e5ae62 
--- /dev/null +++ b/windows/keep-secure/create-a-group-policy-object.md @@ -0,0 +1,44 @@ +--- +title: Create a Group Policy Object (Windows 10) +description: Create a Group Policy Object +ms.assetid: 72a50dd7-5033-4d97-a5eb-0aff8a35cced +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create a Group Policy Object + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To create a new GPO, use the Active Directory Users and Computers MMC snap-in. + +**Administrative credentials** + +To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to create new GPOs. + +To create a new GPO + +1. Open the Group Policy Management console. + +2. In the navigation pane, expand **Forest:***YourForestName*, expand **Domains**, expand *YourDomainName*, and then click **Group Policy Objects**. + +3. Click **Action**, and then click **New**. + +4. In the **Name** text box, type the name for your new GPO. + + >**Note:**  Be sure to use a name that clearly indicates the purpose of the GPO. Check to see if your organization has a naming convention for GPOs. + +5. Leave **Source Starter GPO** set to **(none)**, and then click **OK**. + +6. If your GPO will not contain any user settings, then you can improve performance by disabling the **User Configuration** section of the GPO. To do this, perform these steps: + + 1. In the navigation pane, click the new GPO. + + 2. In the details pane, click the **Details** tab. + + 3. Change the **GPO Status** to **User configuration settings disabled**. diff --git a/windows/keep-secure/create-a-pagefile.md b/windows/keep-secure/create-a-pagefile.md index c914d790aa..a8c65abbab 100644 --- a/windows/keep-secure/create-a-pagefile.md +++ b/windows/keep-secure/create-a-pagefile.md 
@@ -2,7 +2,7 @@ title: Create a pagefile (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create a pagefile security policy setting. ms.assetid: dc087897-459d-414b-abe0-cd86c8dccdea -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-a-rule-for-packaged-apps.md b/windows/keep-secure/create-a-rule-for-packaged-apps.md index 3909260775..f0ed699e79 100644 --- a/windows/keep-secure/create-a-rule-for-packaged-apps.md +++ b/windows/keep-secure/create-a-rule-for-packaged-apps.md @@ -2,7 +2,7 @@ title: Create a rule for packaged apps (Windows 10) description: This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. ms.assetid: e4ffd400-7860-47b3-9118-0e6853c3dfa0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md b/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md index 261eea052b..4a1038f165 100644 --- a/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md +++ b/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md @@ -2,7 +2,7 @@ title: Create a rule that uses a file hash condition (Windows 10) description: This topic for IT professionals shows how to create an AppLocker rule with a file hash condition. ms.assetid: eb3b3524-1b3b-4979-ba5a-0a0b1280c5c7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md b/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md index 8553577fac..89a34500cd 100644 --- a/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md +++ b/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md 
@@ -2,7 +2,7 @@ title: Create a rule that uses a path condition (Windows 10) description: This topic for IT professionals shows how to create an AppLocker rule with a path condition. ms.assetid: 9b2093f5-5976-45fa-90c3-da1e0e845d95 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md b/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md index 11ceca1e52..214dca0f70 100644 --- a/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md +++ b/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md @@ -2,7 +2,7 @@ title: Create a rule that uses a publisher condition (Windows 10) description: This topic for IT professionals shows how to create an AppLocker rule with a publisher condition. ms.assetid: 345ad45f-2bc1-4c4c-946f-17804e29f55b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-a-token-object.md b/windows/keep-secure/create-a-token-object.md index 99055b694f..8decf358bf 100644 --- a/windows/keep-secure/create-a-token-object.md +++ b/windows/keep-secure/create-a-token-object.md @@ -2,7 +2,7 @@ title: Create a token object (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create a token object security policy setting. ms.assetid: bfbf52fc-6ba4-442a-9df7-bd277e55729c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-an-authentication-exemption-list-rule.md b/windows/keep-secure/create-an-authentication-exemption-list-rule.md new file mode 100644 index 0000000000..b0a4ec1118 --- /dev/null +++ b/windows/keep-secure/create-an-authentication-exemption-list-rule.md 
@@ -0,0 +1,63 @@ +--- +title: Create an Authentication Exemption List Rule (Windows 10) +description: Create an Authentication Exemption List Rule +ms.assetid: 8f6493f3-8527-462a-82c0-fd91a6cb5dd8 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create an Authentication Exemption List Rule + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies. + +**Important**   +Adding devices to the exemption list for a zone reduces security because it permits devices in the zone to send network traffic that is unprotected by IPsec to the devices on the list. As discussed in the Windows Firewall with Advanced Security Design Guide, you must add only managed and trusted devices to the exemption list. + +  + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +**To create a rule that exempts specified hosts from authentication** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Connection Security Rules**. + +3. Click **Action**, and then click **New Rule**. + +4. On the **Rule Type** page of the New Connection Security Rule Wizard, click **Authentication exemption**, and then click **Next**. + +5. On the **Exempt Computers** page, to create a new exemption, click **Add**. To modify an existing exemption, click it, and then click **Edit**. + +6. 
In the **IP Address** dialog box, do one of the following: + + - To add a single IP address, click **This IP address or subnet**, type the IP address of the host in the text box, and then click **OK**. + + - To add an entire subnet by address, click **This IP address or subnet**, and then type the IP address of the subnet, followed by a forward slash (/) and the number of bits in the corresponding subnet mask. For example, **10.50.0.0/16** represents the class B subnet that begins with address 10.50.0.1, and ends with address **10.50.255.254**. Click **OK** when you are finished. + + - To add the local device’s subnet, click **Predefined set of computers**, select **Local subnet** from the list, and then click **OK**. + + >**Note:**  If you select the local subnet from the list rather than typing the subnet address in manually, the device automatically adjusts the active local subnet to match the device’s current IP address. + + - To add a discrete range of addresses that do not correspond to a subnet, click **This IP address range**, type the beginning and ending IP addresses in the **From** and **To** text boxes, and then click **OK**. + + - To exempt all of the remote hosts that the local device uses for a specified network service, click **Predefined set of computers**, select the network service from the list, and then click **OK**. + +7. Repeat steps 5 and 6 for each exemption that you need to create. + +8. Click **Next** when you have created all of the exemptions. + +9. On the **Profile** page, check the profile for each network location type to which this set of exemptions applies, and then click **Next**. + + >**Caution:**  If all of the exemptions are on the organization’s network and that network is managed by an Active Directory domain, then consider restricting the rule to the Domain profile only. 
Selecting the wrong profile can reduce the protection for your computer because any computer with an IP address that matches an exemption rule will not be required to authenticate. + +10. On the **Name** page, type the name of the exemption rule, type a description, and then click **Finish**. diff --git a/windows/keep-secure/create-an-authentication-request-rule.md b/windows/keep-secure/create-an-authentication-request-rule.md new file mode 100644 index 0000000000..1c947f68f9 --- /dev/null +++ b/windows/keep-secure/create-an-authentication-request-rule.md 
@@ -0,0 +1,84 @@ +--- +title: Create an Authentication Request Rule (Windows 10) +description: Create an Authentication Request Rule +ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create an Authentication Request Rule + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +After you have configured IPsec algorithms and authentication methods, you can create the rule that requires the devices on the network to use those protocols and methods before they can communicate. + +**Administrative credentials** + +To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +To create the authentication request rule + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, right-click **Connection Security Rules**, and then click **New Rule**. + +3. On the **Rule Type** page, select **Isolation**, and then click **Next**. + +4. On the **Requirements** page, select **Request authentication for inbound and outbound connections**. + + >**Caution:**  Do not configure the rule to require inbound authentication until you have confirmed that all of your devices are receiving the correct GPOs, and are successfully negotiating IPsec and authenticating with each other. Allowing the devices to communicate even when authentication fails prevents any errors in the GPOs or their distribution from breaking communications on your network. + +5. On the **Authentication Method** page, select the authentication option you want to use on your network. To select multiple methods that are tried in order until one succeeds, click **Advanced**, click **Customize**, and then click **Add** to add methods to the list. 
Second authentication methods require Authenticated IP (AuthIP). + + 1. **Default**. Selecting this option tells the device to request authentication by using the method currently defined as the default on the device. This default might have been configured when the operating system was installed or it might have been configured by Group Policy. Selecting this option is appropriate when you have configured system-wide settings by using the [Configure Authentication Methods](configure-authentication-methods.md) procedure. + + 2. **Computer and User (Kerberos V5)**. Selecting this option tells the device to request authentication of both the device and the currently logged-on user by using their domain credentials. This authentication method works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + + 3. **Computer (Kerberos V5)**. Selecting this option tells the device to request authentication of the device by using its domain credentials. This option works with other devices than can use IKE v1, including earlier versions of Windows. + + 4. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**. + + The **First authentication method** can be one of the following: + + - **Computer (Kerberos V5)**. Selecting this option tells the device to request authentication of the device by using its domain credentials. This option works with other devices than can use IKE v1, including earlier versions of Windows. + + - **Computer (NTLMv2)**. Selecting this option tells the device to use and require authentication of the device by using its domain credentials. This option works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. 
+ + - **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to request authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule. + + - **Preshared key (not recommended)**. Selecting this method and entering a pre-shared key tells the device to authenticate by exchanging the pre-shared keys. If the keys match, then the authentication succeeds. This method is not recommended, and is included for backward compatibility and testing purposes only. + + If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails. + + The **Second authentication method** can be one of the following: + + - **User (Kerberos V5)**. Selecting this option tells the device to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + + - **User (NTLMv2)**. Selecting this option tells the device to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other devices that can use AuthIP. User-based authentication using NTLMv2 is not supported by IKE v1. + + - **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to request user-based authentication by using a certificate that is issued by the specified CA. 
If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to certain users or user groups. + + - **Computer health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to use and require authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule. + + If you check **Second authentication is optional**, the connection can succeed even if the authentication attempt specified in this column fails. + + >**Important:**  Make sure that you do not select the boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails. + +6. After you have configured the authentication methods, click **OK** on each dialog box to save your changes and close it, until you return to the **Authentication Method** page in the wizard. Click **Next**. + +7. On the **Profile** page, select the check boxes for the network location type profiles to which this rule applies. + + - On portable devices, consider clearing the **Private** and **Public** boxes to enable the device to communicate without authentication when it is away from the domain network. + + - On devices that do not move from network to network, consider selecting all of the profiles. Doing so prevents an unexpected switch in the network location type from disabling the rule. + + Click **Next**. + +8. On the **Name** page, type a name for the connection security rule and a description, and then click **Finish**. + + The new rule appears in the list of connection security rules. 
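Review bot: the **Computer (NTLMv2)** bullet under **First authentication method** in create-an-authentication-request-rule.md ends with "User-based authentication using Kerberos V5 is not supported by IKE v1.", a sentence carried over from the Kerberos bullets that says nothing about NTLMv2 computer authentication; the preceding sentence already states the AuthIP-only limitation, so drop it or replace it with the NTLMv2 equivalent. In the same step, "This option works with other devices than can use IKE v1" appears twice (the **Computer (Kerberos V5)** entry in the numbered list and again under **First authentication method**); "than" should be "that". Also, the **Computer (NTLMv2)** and **Computer health certificate from this certification authority (CA)** bullets say the option "tells the device to use and require authentication", while step 4 selects **Request authentication for inbound and outbound connections** and the other bullets say "request"; align the wording so readers do not conclude that choosing those methods makes the rule enforce authentication when the **Requirements** setting does not.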
diff --git a/windows/keep-secure/create-an-inbound-icmp-rule.md b/windows/keep-secure/create-an-inbound-icmp-rule.md new file mode 100644 index 0000000000..f76bba3007 --- /dev/null +++ b/windows/keep-secure/create-an-inbound-icmp-rule.md 
@@ -0,0 +1,62 @@ +--- +title: Create an Inbound ICMP Rule (Windows 10) +description: Create an Inbound ICMP Rule +ms.assetid: 267b940a-79d9-4322-b53b-81901e357344 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create an Inbound ICMP Rule + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +This topic describes how to create a port rule that allows inbound ICMP network traffic. For other inbound port rule types, see: + +- [Create an Inbound Port Rule](create-an-inbound-port-rule.md) + +- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md) + +To create an inbound ICMP rule + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Inbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. + +5. On the **Program** page, click **All programs**, and then click **Next**. + +6. On the **Protocol and Ports** page, select **ICMPv4** or **ICMPv6** from the **Protocol type** list. If you use both IPv4 and IPv6 on your network, you must create a separate ICMP rule for each. + +7. Click **Customize**. + +8. 
In the **Customize ICMP Settings** dialog box, do one of the following: + + - To allow all ICMP network traffic, click **All ICMP types**, and then click **OK**. + + - To select one of the predefined ICMP types, click **Specific ICMP types**, and then select each type in the list that you want to allow. Click **OK**. + + - To select an ICMP type that does not appear in the list, click **Specific ICMP types**, select the **Type** number from the list, select the **Code** number from the list, click **Add**, and then select the newly created entry from the list. Click **OK** + +9. Click **Next**. + +10. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. + +11. On the **Action** page, select **Allow the connection**, and then click **Next**. + +12. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. + +13. On the **Name** page, type a name and description for your rule, and then click **Finish**. diff --git a/windows/keep-secure/create-an-inbound-port-rule.md b/windows/keep-secure/create-an-inbound-port-rule.md new file mode 100644 index 0000000000..e2a911293f --- /dev/null +++ b/windows/keep-secure/create-an-inbound-port-rule.md 
@@ -0,0 +1,62 @@ +--- +title: Create an Inbound Port Rule (Windows 10) +description: Create an Inbound Port Rule +ms.assetid: a7b6c6ca-32fa-46a9-a5df-a4e43147da9f +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create an Inbound Port Rule + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +This topic describes how to create a standard port rule for a specified protocol or TCP or UDP port number. For other inbound port rule types, see: + +- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md) + +- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md) + +**To create an inbound port rule** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Inbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. + + >**Note:**  Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. + +5. On the **Program** page, click **All programs**, and then click **Next**. 
+ + >**Note:**  This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria. + +6. On the **Protocol and Ports** page, select the protocol type that you want to allow. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an incoming rule, you typically configure only the local port number. + + If you select another protocol, then only packets whose protocol field in the IP header match this rule are permitted through the firewall. + + To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box. + + When you have configured the protocols and ports, click **Next**. + +7. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. + +8. On the **Action** page, select **Allow the connection**, and then click **Next**. + +9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. + + >**Note:**  If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. 
This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type. + +10. On the **Name** page, type a name and description for your rule, and then click **Finish**. diff --git a/windows/keep-secure/create-an-inbound-program-or-service-rule.md b/windows/keep-secure/create-an-inbound-program-or-service-rule.md new file mode 100644 index 0000000000..51524c047d --- /dev/null +++ b/windows/keep-secure/create-an-inbound-program-or-service-rule.md 
@@ -0,0 +1,71 @@ +--- +title: Create an Inbound Program or Service Rule (Windows 10) +description: Create an Inbound Program or Service Rule +ms.assetid: 00b7fa60-7c64-4ba5-ba95-c542052834cf +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create an Inbound Program or Service Rule + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To allow inbound network traffic to a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port. + +>**Note:**  This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule](create-an-inbound-port-rule.md) procedure in addition to the steps in this procedure. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +To create an inbound firewall rule for a program or service + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Inbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. 
+ + >**Note:**  Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. + +5. On the **Program** page, click **This program path**. + +6. Type the path to the program in the text box. Use environment variables, where applicable, to ensure that programs installed in different locations on different computers work correctly. + +7. Do one of the following: + + - If the executable file contains a single program, click **Next**. + + - If the executable file is a container for multiple services that must all be allowed to receive inbound network traffic, click **Customize**, select **Apply to services only**, click **OK**, and then click **Next**. + + - If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, click **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, click **Apply to service with this service short name**, and then type the short name for the service in the text box. Click **OK**, and then click **Next**. + + **Important**   + To use the **Apply to this service** or **Apply to service with this service short name** options, the service must be configured with a security identifier (SID) with a type of **RESTRICTED** or **UNRESTRICTED**. To check the SID type of a service, run the following command: + + **sc** **qsidtype** *<ServiceName>* + + If the result is **NONE**, then a firewall rule cannot be applied to that service. + + To set a SID type on a service, run the following command: + + **sc** **sidtype** *<Type> <ServiceName>* + + In the preceding command, the value of *<Type>* can be **UNRESTRICTED** or **RESTRICTED**. 
Although the command also permits the value of **NONE**, that setting means the service cannot be used in a firewall rule as described here. By default, most services in Windows are configured as **UNRESTRICTED**. If you change the SID type to **RESTRICTED**, the service might fail to start. We recommend that you change the SID type only on services that you want to use in firewall rules, and that you change the SID type to **UNRESTRICTED**. + +8. It is a best practice to restrict the firewall rule for the program to only the ports it needs to operate. On the **Protocols and Ports** page, you can specify the port numbers for the allowed traffic. If the program tries to listen on a port different from the one specified here, it is blocked. For more information about protocol and port options, see [Create an Inbound Port Rule](create-an-inbound-port-rule.md). After you have configured the protocol and port options, click **Next**. + +9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. + +10. On the **Action** page, select **Allow the connection**, and then click **Next**. + +11. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. + +12. On the **Name** page, type a name and description for your rule, and then click **Finish**. diff --git a/windows/keep-secure/create-an-outbound-port-rule.md b/windows/keep-secure/create-an-outbound-port-rule.md new file mode 100644 index 0000000000..98c85d581c --- /dev/null +++ b/windows/keep-secure/create-an-outbound-port-rule.md 
@@ -0,0 +1,52 @@ +--- +title: Create an Outbound Port Rule (Windows 10) +description: Create an Outbound Port Rule +ms.assetid: 59062b91-756b-42ea-8f2a-832f05d77ddf +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create an Outbound Port Rule + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +To create an outbound port rule + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Outbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Outbound Rule wizard, click **Custom**, and then click **Next**. + + >**Note:**  Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. + +5. On the **Program** page, click **All programs**, and then click **Next**. + +6. On the **Protocol and Ports** page, select the protocol type that you want to block. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. 
Because this is an outbound rule, you typically configure only the remote port number. + + If you select another protocol, then only packets whose protocol field in the IP header match this rule are blocked by Windows Firewall. Network traffic for protocols is allowed as long as other rules that match do not block it. + + To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box. + + When you have configured the protocols and ports, click **Next**. + +7. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. + +8. On the **Action** page, select **Block the connection**, and then click **Next**. + +9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. + +10. On the **Name** page, type a name and description for your rule, and then click **Finish**. diff --git a/windows/keep-secure/create-an-outbound-program-or-service-rule.md b/windows/keep-secure/create-an-outbound-program-or-service-rule.md new file mode 100644 index 0000000000..342e863ffd --- /dev/null +++ b/windows/keep-secure/create-an-outbound-program-or-service-rule.md 
@@ -0,0 +1,56 @@ +--- +title: Create an Outbound Program or Service Rule (Windows 10) +description: Create an Outbound Program or Service Rule +ms.assetid: f71db4fb-0228-4df2-a95d-b9c056aa9311 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create an Outbound Program or Service Rule + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +To create an outbound firewall rule for a program or service + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Outbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Outbound Rule Wizard, click **Custom**, and then click **Next**. + + >**Note:**  Although you can create many rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. + +5. On the **Program** page, click **This program path**. + +6. Type the path to the program in the text box. 
Use environment variables as appropriate to ensure that programs installed in different locations on different computers work correctly. + +7. Do one of the following: + + - If the executable file contains a single program, click **Next**. + + - If the executable file is a container for multiple services that must all be blocked from sending outbound network traffic, click **Customize**, select **Apply to services only**, click **OK**, and then click **Next**. + + - If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, click **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, then click **Apply to service with this service short name**, and type the short name for the service in the text box. Click **OK**, and then click **Next**. + +8. If you want the program to be allowed to send on some ports, but blocked from sending on others, then you can restrict the firewall rule to block only the specified ports or protocols. On the **Protocols and Ports** page, you can specify the port numbers or protocol numbers for the blocked traffic. If the program tries to send to or from a port number different from the one specified here, or by using a protocol number different from the one specified here, then the default outbound firewall behavior allows the traffic. For more information about the protocol and port options, see [Create an Outbound Port Rule](create-an-outbound-port-rule.md). When you have configured the protocol and port options, click **Next**. + +9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. + +10. On the **Action** page, select **Block the connection**, and then click **Next**. + +11. 
On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. + +12. On the **Name** page, type a name and description for your rule, and then click **Finish**. diff --git a/windows/keep-secure/create-applocker-default-rules.md b/windows/keep-secure/create-applocker-default-rules.md index eb37fb2112..930d2bc4d7 100644 --- a/windows/keep-secure/create-applocker-default-rules.md +++ b/windows/keep-secure/create-applocker-default-rules.md @@ -2,7 +2,7 @@ title: Create AppLocker default rules (Windows 10) description: This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run. ms.assetid: 21e9dc68-a6f4-4ebe-ac28-4c66a7ab6e18 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-edp-policy-using-intune.md b/windows/keep-secure/create-edp-policy-using-intune.md index e2dab16028..194bdc40b7 100644 --- a/windows/keep-secure/create-edp-policy-using-intune.md +++ b/windows/keep-secure/create-edp-policy-using-intune.md @@ -2,9 +2,10 @@ title: Create an enterprise data protection (EDP) policy using Microsoft Intune (Windows 10) description: Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- 
@@ -18,6 +19,9 @@ author: eross-msft Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. +## Important note about the June service update +We've received some great feedback from you, our Windows 10 Insider Preview customers, about our enterprise data protection experiences and processes. Because of that feedback, we're delighted to deliver an enhanced apps policy experience with the June service update. This means that when you open an existing enterprise data protection policy after we release the June service update in your test environment, your existing Windows 10 enterprise data protection app rules (formerly in the **Protected Apps** area) will be removed.

To prepare for this change, we recommend that you make an immediate backup of your current app rules as they are today, so you can use them to help reconfigure your app rules with the enhanced experience. When you open an existing enterprise data protection policy after we release the June service update, you'll get a dialog box telling you about this change. Click the **OK** button to close the box and to begin reconfiguring your app rules.

![Microsoft Intune: Reconfigure app rules list dialog box](images/edp-intune-app-reconfig-warning.png)

Note that if you exit the **Policy** page before you've saved your new policy, your existing deployments won't be affected. However, if you save the policy without reconfiguring your apps, an updated policy will be deployed to your employees with an empty app rules list. + ## Add an EDP policy After you’ve installed and set up Intune for your organization, you must create an EDP-specific policy. @@ -37,9 +41,9 @@ During the policy-creation process in Intune, you can choose the apps you want t The steps to add your apps are based on the type of app it is; either a Universal Windows Platform (UWP) app, or a signed Desktop app, also known as a Classic Windows application. -**Important**
EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary and will encrypt all files they create or modify, meaning that they could encrypt personal data and cause data loss during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **Protected App** list. -

-**Note**
If you want to use **File hash** or **Path** rules, instead of Publisher rules, you must follow the steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic. +>**Important**
EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary and will encrypt all files they create or modify, meaning that they could encrypt personal data and cause data loss during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **Protected App** list.

+ +>**Note**
If you want to use **File hash** or **Path** rules, instead of Publisher rules, you must follow the steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic. **To add a UWP app** @@ -49,8 +53,9 @@ The steps to add your apps are based on the type of app it is; either a Universa **To find the Publisher and Product name values for Microsoft Store apps without installing them** - 1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.

- **Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the **Protected App** list. For info about how to do this, see the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic. + 1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote. + + >**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the **Protected App** list. For info about how to do this, see the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. @@ -77,7 +82,8 @@ The steps to add your apps are based on the type of app it is; either a Universa **To find the Publisher and Product name values for apps installed on Windows 10 Mobile phones** 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. -

**Note**
Your PC and phone must be on the same wireless network. + + >**Note**
Your PC and phone must be on the same wireless network. 2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. @@ -92,7 +98,8 @@ The steps to add your apps are based on the type of app it is; either a Universa 7. Start the app for which you're looking for the publisher and product name values 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. -

**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. + + >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

For example:
``` json { @@ -238,11 +245,11 @@ If you have multiple domains, you must separate them with the "|" character. For ![Microsoft Intune: Add the primary internet domain for your enterprise identity](images/intune-primary-domain.png) ## Choose where apps can access enterprise data -After you've added a protection level to your apps, you'll need to decide where those apps can access enterprise data on your network. There are 6 options, including your network domain, cloud domain, proxy server, internal proxy server, IPv4 range, and IPv6 range.

-**Important**
-- Every EDP policy should include policy that defines your enterprise network locations. +After you've added a protection level to your apps, you'll need to decide where those apps can access enterprise data on your network. There are 6 options, including your network domain, cloud domain, proxy server, internal proxy server, IPv4 range, and IPv6 range. -- Classless Inter-Domain Routing (CIDR) notation isn’t supported for EDP configurations. +>**Important**
+- Every EDP policy should include policy that defines your enterprise network locations.

+- Classless Inter-Domain Routing (CIDR) notation isn’t supported for EDP configurations. **To specify where your protected apps can find and send enterprise data on the network** diff --git a/windows/keep-secure/create-edp-policy-using-sccm.md b/windows/keep-secure/create-edp-policy-using-sccm.md index 9e4288873e..fa412028a7 100644 --- a/windows/keep-secure/create-edp-policy-using-sccm.md +++ b/windows/keep-secure/create-edp-policy-using-sccm.md @@ -2,10 +2,11 @@ title: Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager (Windows 10) description: Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529 -keywords: ["EDP", "Enterprise Data Protection", "SCCM", "System Center Configuration Manager", Configuration Manager"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/create-global-objects.md b/windows/keep-secure/create-global-objects.md index 1f047ee451..c131685bec 100644 --- a/windows/keep-secure/create-global-objects.md +++ b/windows/keep-secure/create-global-objects.md @@ -2,7 +2,7 @@ title: Create global objects (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create global objects security policy setting. ms.assetid: 9cb6247b-44fc-4815-86f2-cb59b6f0221e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
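Review bot: In the new "Important note about the June service update" section of create-edp-policy-using-intune.md, the consequence in the closing paragraph (saving the policy without reconfiguring your apps deploys a policy with an empty app rules list to your employees) is the one point a reader must not miss, yet it sits in plain text while this same commit converts the other warnings in the file to `>**Important**` callouts; give it the same callout. The backup advice ("make an immediate backup of your current app rules as they are today") also never says what to capture; naming the values the rest of the topic works with (the Publisher and Product name values for each app) would make that backup actionable.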
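Review bot: In the "Choose where apps can access enterprise data" hunk, the blank line between the two list items that follow `>**Important**` terminates the blockquote, so only "Every EDP policy should include policy that defines your enterprise network locations." renders inside the callout and the CIDR item renders as a separate, unmarked list below it. Prefix the blank line and the second item with `>` (or drop the blank line) so both points stay inside the Important callout.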
diff --git a/windows/keep-secure/create-inbound-rules-to-support-rpc.md b/windows/keep-secure/create-inbound-rules-to-support-rpc.md new file mode 100644 index 0000000000..0ba04d529e --- /dev/null +++ b/windows/keep-secure/create-inbound-rules-to-support-rpc.md 
@@ -0,0 +1,89 @@ +--- +title: Create Inbound Rules to Support RPC (Windows 10) +description: Create Inbound Rules to Support RPC +ms.assetid: 0b001c2c-12c1-4a30-bb99-0c034d7e6150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create Inbound Rules to Support RPC + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To allow inbound remote procedure call (RPC) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +This topic describes how to create rules that allow inbound RPC network traffic. 
For other inbound port rule types, see: + +- [Create an Inbound Port Rule](create-an-inbound-port-rule.md) + +- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md) + +In this topic: + +- [To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service](#to-create-a-rule-to-allow-inbound-network-traffic-to-the-rpc-endpoint-mapper-service) + +- [To create a rule to allow inbound network traffic to RPC-enabled network services](#to-create-a-rule-to-allow-inbound-network-traffic-to-rpc-enabled-network-services) + +## To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Inbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. + +5. On the **Program** page, click **This Program Path**, and then type **%systemroot%\\system32\\svchost.exe**. + +6. Click **Customize**. + +7. In the **Customize Service Settings** dialog box, click **Apply to this service**, select **Remote Procedure Call (RPC)** with a short name of **RpcSs**, click **OK**, and then click **Next**. + +8. On the warning about Windows service-hardening rules, click **Yes**. + +9. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**. + +10. For **Local port**, select **RPC Endpoint Mapper**, and then click **Next**. + +11. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. + +12. On the **Action** page, select **Allow the connection**, and then click **Next**. + +13. 
On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.   + +14. On the **Name** page, type a name and description for your rule, and then click **Finish**. + + +## To create a rule to allow inbound network traffic to RPC-enabled network services + +1. On the same GPO you edited in the preceding procedure, click **Action**, and then click **New rule**. + +2. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. + +3. On the **Program** page, click **This Program Path**, and then type the path to the executable file that hosts the network service. Click **Customize**. + +4. In the **Customize Service Settings** dialog box, click **Apply to this service**, and then select the service that you want to allow. If the service does not appear in the list, then click **Apply to service with this service short name**, and then type the short name of the service in the text box. + +5. Click **OK**, and then click **Next**. + +6. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**. + +7. For **Local port**, select **RPC Dynamic Ports**, and then click **Next**. + +8. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. + +9. On the **Action** page, select **Allow the connection**, and then click **Next**. + +10. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. + +11. On the **Name** page, type a name and description for your rule, and then click **Finish**. diff --git a/windows/keep-secure/create-list-of-applications-deployed-to-each-business-group.md b/windows/keep-secure/create-list-of-applications-deployed-to-each-business-group.md index 074fababfc..c623dd725f 100644 
--- a/windows/keep-secure/create-list-of-applications-deployed-to-each-business-group.md +++ b/windows/keep-secure/create-list-of-applications-deployed-to-each-business-group.md @@ -2,7 +2,7 @@ title: Create a list of apps deployed to each business group (Windows 10) description: This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. ms.assetid: d713aa07-d732-4bdc-8656-ba616d779321 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-permanent-shared-objects.md b/windows/keep-secure/create-permanent-shared-objects.md index 33ab226516..bcc0896951 100644 --- a/windows/keep-secure/create-permanent-shared-objects.md +++ b/windows/keep-secure/create-permanent-shared-objects.md @@ -2,7 +2,7 @@ title: Create permanent shared objects (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create permanent shared objects security policy setting. ms.assetid: 6a58438d-65ca-4c4a-a584-450eed976649 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-symbolic-links.md b/windows/keep-secure/create-symbolic-links.md index 857a5a7ca9..994d8de789 100644 --- a/windows/keep-secure/create-symbolic-links.md +++ b/windows/keep-secure/create-symbolic-links.md @@ -2,7 +2,7 @@ title: Create symbolic links (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create symbolic links security policy setting. ms.assetid: 882922b9-0ff8-4ee9-8afc-4475515ee3fd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
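Review bot: In the new create-inbound-rules-to-support-rpc.md, step 3 of the second procedure has the reader type the path of the executable that hosts the network service, which for svchost-hosted services is the same `%systemroot%\\system32\\svchost.exe` used in step 5 of the first procedure; the text should say that the **Apply to this service** restriction in step 4 is what keeps the **RPC Dynamic Ports** allow rule from admitting traffic to every service hosted by that executable, because a reader who clicks **Next** past **Customize** ends up with a far broader rule than the introduction promises. Two smaller points: the frontmatter `description` merely repeats the title, unlike the other topics in this commit, and the **Protocol and Ports** step is called a "dialog box" (steps 9 and 6) while the neighbouring steps are "pages"; pick one term.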
diff --git a/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md b/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md index 16034ac23d..760968b092 100644 --- a/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md +++ b/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md @@ -2,10 +2,11 @@ title: Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune (Windows 10) description: After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy. ms.assetid: d0eaba4f-6d7d-4ae4-8044-64680a40cf6b -keywords: ["EDP", "Enterprise Data Protection"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/create-wmi-filters-for-the-gpo.md b/windows/keep-secure/create-wmi-filters-for-the-gpo.md new file mode 100644 index 0000000000..f4b066d3e1 --- /dev/null +++ b/windows/keep-secure/create-wmi-filters-for-the-gpo.md 
@@ -0,0 +1,94 @@ +--- +title: Create WMI Filters for the GPO (Windows 10) +description: Create WMI Filters for the GPO +ms.assetid: b1a6d93d-a3c8-4e61-a388-4a3323f0e74e +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create WMI Filters for the GPO + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device. + +- [To create a WMI filter that queries for a specified version of Windows](#to-create-a-wmi-filter-that-queries-for-a-specified-version-of-windows) + +- [To link a WMI filter to a GPO](#to-link-a-wmi-filter-to-a-gpo) + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +First, create the WMI filter and configure it to look for a specified version (or versions) of the Windows operating system. + +## To create a WMI filter that queries for a specified version of Windows + +1. Open the Group Policy Management console. + +2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, and then click **WMI Filters**. + +3. Click **Action**, and then click **New**. + +4. In the **Name** text box, type the name of the WMI filter. + + >**Note:**  Be sure to use a name that clearly indicates the purpose of the filter. Check to see if your organization has a naming convention. + +5. 
In the **Description** text box, type a description for the WMI filter. For example, if the filter excludes domain controllers, you might consider stating that in the description. + +6. Click **Add**. + +7. Leave the **Namespace** value set to **root\\CIMv2**. + +8. In the **Query** text box, type: + + ``` syntax + select * from Win32_OperatingSystem where Version like "6.%" + ``` + + This query will return **true** for devices running at least Windows Vista and Windows Server 2008. To set a filter for just Windows 8 and Windows Server 2012, use "6.2%". To specify multiple versions, combine them with or, as shown in the following: + + ``` syntax + ... where Version like "6.1%" or Version like "6.2%" + ``` + + To restrict the query to only clients or only servers, add a clause that includes the ProductType parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only ProductType="1". For server operating systems that are not domain controllers, use ProductType="3". For domain controllers only, use ProductType="2". This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network. + + The following clause returns **true** for all devices that are not domain controllers: + + ``` syntax + ... where ProductType="1" or ProductType="3" + ``` + + The following complete query returns **true** for all devices running Windows 8, and returns **false** for any server operating system or any other client operating system. + + ``` syntax + select * from Win32_OperatingSystem where Version like "6.2%" and ProductType="1" + ``` + + The following query returns **true** for any device running Windows Server 2012, except domain controllers: + + ``` syntax + select * from Win32_OperatingSystem where Version like "6.2%" and ProductType="3" + ``` + +9. Click **OK** to save the query to the filter. + +10. Click **Save** to save your completed filter. 
+ +## To link a WMI filter to a GPO + +After you have created a filter with the correct query, link the filter to the GPO. Filters can be reused with many GPOs simultaneously; you do not have to create a new one for each GPO if an existing one meets your needs. + +1. Open theGroup Policy Management console. + +2. In the navigation pane, find and then click the GPO that you want to modify. + +3. Under **WMI Filtering**, select the correct WMI filter from the list. + +4. Click **Yes** to accept the filter. diff --git a/windows/keep-secure/create-your-applocker-planning-document.md b/windows/keep-secure/create-your-applocker-planning-document.md index 263be36d5e..f2b23f5937 100644 --- a/windows/keep-secure/create-your-applocker-planning-document.md +++ b/windows/keep-secure/create-your-applocker-planning-document.md @@ -2,7 +2,7 @@ title: Create your AppLocker planning document (Windows 10) description: This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document. ms.assetid: 41e49644-baf4-4514-b089-88adae2d624e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-your-applocker-policies.md b/windows/keep-secure/create-your-applocker-policies.md index b7a23cc02d..e4ecc44cee 100644 --- a/windows/keep-secure/create-your-applocker-policies.md +++ b/windows/keep-secure/create-your-applocker-policies.md @@ -2,7 +2,7 @@ title: Create Your AppLocker policies (Windows 10) description: This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. ms.assetid: d339dee2-4da2-4d4a-b46e-f1dfb7cb4bf0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-your-applocker-rules.md b/windows/keep-secure/create-your-applocker-rules.md index ee0590e89b..8bcb7daf24 100644 
--- a/windows/keep-secure/create-your-applocker-rules.md +++ b/windows/keep-secure/create-your-applocker-rules.md @@ -2,7 +2,7 @@ title: Create Your AppLocker rules (Windows 10) description: This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules. ms.assetid: b684a3a5-929c-4f70-8742-04088022f232 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md index ee2f72275b..a1b2db57b3 100644 --- a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md +++ b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md @@ -2,7 +2,7 @@ title: Create a Device Guard code integrity policy based on a reference device (Windows 10) description: To implement Device Guard app protection, you will need to create a code integrity policy. Code integrity policies determine what apps are considered trustworthy and are allowed to run on a protected device. ms.assetid: 6C94B14E-E2CE-4F6C-8939-4B375406E825 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 45c0237c18..1202cb6ae3 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -2,7 +2,7 @@ title: Protect derived domain credentials with Credential Guard (Windows 10) description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security 
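Review bot: In the new create-wmi-filters-for-the-gpo.md, the explanation under step 8 says `select * from Win32_OperatingSystem where Version like "6.%"` returns **true** for devices running "at least Windows Vista and Windows Server 2008", but the pattern matches only Version strings that begin with `6.`; Windows 10 and Windows Server 2016 Technical Preview, the systems this topic applies to, report a 10.0 version and are excluded, so a GPO filtered this way silently never applies to them. Either extend the example with `or Version like "10.%"` or reword the sentence to describe the 6.x releases only. Also, "Open theGroup Policy Management console" in step 1 of the linking procedure is missing a space.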
@@ -239,6 +239,10 @@ You can use System Information to ensure that Credential Guard is running on a P - Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. - Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials. - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. + +### Kerberos Considerations + +When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead. ## Scenarios not protected by Credential Guard diff --git a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md index aa142cc631..07afd4227c 100644 --- a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md 
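Review bot: The new "### Kerberos Considerations" heading in credential-guard.md uses title case while the surrounding headings ("## Scenarios not protected by Credential Guard") use sentence case; make it "### Kerberos considerations". The closing sentence "You must use constrained or resource-based Kerberos delegation instead" would serve readers better if it said where that change is made (on the accounts currently trusted for unconstrained delegation, before Credential Guard is enabled on the clients that authenticate to them), since every preceding bullet describes what stops working on the protected device and this is the only item that requires action elsewhere in the directory.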
@@ -3,9 +3,11 @@ title: View the Windows Defender Advanced Threat Protection Dashboard description: Use the Dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts. keywords: dashboard, alerts, new, in progress, resolved, risk, machines at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security +author: mjcaparas --- # View the Windows Defender Advanced Threat Protection Dashboard diff --git a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md index 1286313495..a5d2bec8ce 100644 --- a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -3,9 +3,11 @@ title: Windows Defender ATP data storage and privacy description: Learn about how Windows Defender ATP handles privacy and data that it collects. keywords: Windows Defender ATP data storage and privacy, storage, privacy search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security +author: mjcaparas --- # Windows Defender ATP data storage and privacy diff --git a/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index 6fe17f05af..99fd9c7f66 100644 --- a/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md 
+++ b/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -2,7 +2,7 @@ title: DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax (Windows 10) description: Describes the best practices, location, values, and security considerations for the DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting. ms.assetid: 0fe3521a-5252-44df-8a47-8d92cf936e7c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index d4c42764a5..6b5d3ee2c2 100644 --- a/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -2,7 +2,7 @@ title: DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax (Windows 10) description: Describes the best practices, location, values, and security considerations for the DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax security policy setting. ms.assetid: 4b95d45f-dd62-4c34-ba32-43954528dabe -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/debug-programs.md b/windows/keep-secure/debug-programs.md index 4b133fd251..810c6a21b5 100644 --- a/windows/keep-secure/debug-programs.md +++ b/windows/keep-secure/debug-programs.md 
@@ -2,7 +2,7 @@ title: Debug programs (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Debug programs security policy setting. ms.assetid: 594d9f2c-8ffc-444b-9522-75615ec87786 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/delete-an-applocker-rule.md b/windows/keep-secure/delete-an-applocker-rule.md index ad342ee6cf..3d4888fb73 100644 --- a/windows/keep-secure/delete-an-applocker-rule.md +++ b/windows/keep-secure/delete-an-applocker-rule.md @@ -2,7 +2,7 @@ title: Delete an AppLocker rule (Windows 10) description: This topic for IT professionals describes the steps to delete an AppLocker rule. ms.assetid: 382b4be3-0df9-4308-89b2-dcf9df351eb5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/deny-access-to-this-computer-from-the-network.md b/windows/keep-secure/deny-access-to-this-computer-from-the-network.md index df4e48dc46..fbad5a0ca8 100644 --- a/windows/keep-secure/deny-access-to-this-computer-from-the-network.md +++ b/windows/keep-secure/deny-access-to-this-computer-from-the-network.md @@ -2,7 +2,7 @@ title: Deny access to this computer from the network (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny access to this computer from the network security policy setting. ms.assetid: 935e9f89-951b-4163-b186-fc325682bb0b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/deny-log-on-as-a-batch-job.md b/windows/keep-secure/deny-log-on-as-a-batch-job.md index d3abeeb6d5..5edb8ca898 100644 --- a/windows/keep-secure/deny-log-on-as-a-batch-job.md +++ b/windows/keep-secure/deny-log-on-as-a-batch-job.md 
@@ -2,7 +2,7 @@ title: Deny log on as a batch job (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a batch job security policy setting. ms.assetid: 0ac36ebd-5e28-4b6a-9b4e-8924c6ecf44b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/deny-log-on-as-a-service.md b/windows/keep-secure/deny-log-on-as-a-service.md index 8fa66ee734..7acdea2a4c 100644 --- a/windows/keep-secure/deny-log-on-as-a-service.md +++ b/windows/keep-secure/deny-log-on-as-a-service.md @@ -2,7 +2,7 @@ title: Deny log on as a service (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a service security policy setting. ms.assetid: f1114964-df86-4278-9b11-e35c66949794 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/deny-log-on-locally.md b/windows/keep-secure/deny-log-on-locally.md index 916d358f89..cd84f05560 100644 --- a/windows/keep-secure/deny-log-on-locally.md +++ b/windows/keep-secure/deny-log-on-locally.md @@ -2,7 +2,7 @@ title: Deny log on locally (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on locally security policy setting. ms.assetid: 00150e88-ec9c-43e1-a70d-33bfe10434db -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/deny-log-on-through-remote-desktop-services.md b/windows/keep-secure/deny-log-on-through-remote-desktop-services.md index 6877912bae..8e5065b443 100644 --- a/windows/keep-secure/deny-log-on-through-remote-desktop-services.md +++ b/windows/keep-secure/deny-log-on-through-remote-desktop-services.md 
@@ -2,7 +2,7 @@ title: Deny log on through Remote Desktop Services (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on through Remote Desktop Services security policy setting. ms.assetid: 84bbb807-287c-4acc-a094-cf0ffdcbca67 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/keep-secure/deploy-applocker-policies-by-using-the-enforce-rules-setting.md index cfd595104f..b5ecdf6702 100644 --- a/windows/keep-secure/deploy-applocker-policies-by-using-the-enforce-rules-setting.md +++ b/windows/keep-secure/deploy-applocker-policies-by-using-the-enforce-rules-setting.md 
@@ -2,34 +2,54 @@ title: Deploy AppLocker policies by using the enforce rules setting (Windows 10) description: This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. ms.assetid: fd3a3d25-ff3b-4060-8390-6262a90749ba -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + + # Deploy AppLocker policies by using the enforce rules setting + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. + ## Background and prerequisites + These procedures assume that you have already deployed AppLocker policies with the enforcement set to **Audit only**, and you have been collecting data through the AppLocker event logs and other channels to determine what effect these policies have on your environment and the policy's adherence to your application control design. + For info about the AppLocker policy enforcement setting, see [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md). + For info about how to plan an AppLocker policy deployment, see [AppLocker Design Guide](applocker-policies-design-guide.md). + ## Step 1: Retrieve the AppLocker policy + Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Using Group Policy, you can export the policy from the Group Policy Object (GPO) and then update the rule or rules by using AppLocker on your AppLocker reference or test PC. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). For local AppLocker policies, you can update the rule or rules by using the Local Security policy snap-in (secpol.msc) on your AppLocker reference or test PC. 
For the procedures to do this, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). + ## Step 2: Alter the enforcement setting + Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into collections: executable files, Windows Installer files, packaged apps, scripts, and DLL files. By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. For information about the enforcement setting, see [Understand AppLocker Enforcement Settings](understand-applocker-enforcement-settings.md). For the procedure to alter the enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). + ## Step 3: Update the policy -You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the [Advanced Group Policy Management](http://go.microsoft.com/fwlink/p/?LinkId=145013) feature from the Microsoft Desktop Optimization Pack. -**Caution**   -You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. + +You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. 
An example of this type of software is the [Advanced Group Policy Management](http://go.microsoft.com/fwlink/p/?LinkId=145013) feature from the +Microsoft Desktop Optimization Pack. + +>**Caution:**  You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.   For the procedure to update the GPO, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). + For the procedures to distribute policies for local PCs by using the Local Security Policy snap-in (secpol.msc), see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). + ## Step 4: Monitor the effect of the policy + When a policy is deployed, it is important to monitor the actual implementation of that policy. You can do this by monitoring your support organization's app access request activity and reviewing the AppLocker event logs. To monitor the effect of the policy, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md). + ## Additional resources + - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).     diff --git a/windows/keep-secure/deploy-edp-policy-using-intune.md b/windows/keep-secure/deploy-edp-policy-using-intune.md index 6893478523..7b23a44cf2 100644 --- a/windows/keep-secure/deploy-edp-policy-using-intune.md +++ b/windows/keep-secure/deploy-edp-policy-using-intune.md 
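Review bot: The rewritten Caution callout in Step 3 (`+>**Caution:**  You should not edit an AppLocker rule collection while it is being enforced in Group Policy.`) keeps two non-breaking spaces after the colon that were carried over from the old `**Caution**   ` line, and the hunk leaves whitespace-only lines of non-breaking spaces at the end of the file after the Additional resources bullet; use a single regular space after the colon and drop the trailing lines so the file ends cleanly. The reflow of the Step 3 paragraph also splits a sentence mid-phrase (`feature from the` / `+Microsoft Desktop Optimization Pack.`); it renders as one paragraph, but keeping the sentence on one line like the rest of the topic makes future diffs easier to read.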
@@ -2,10 +2,11 @@ title: Deploy your enterprise data protection (EDP) policy using Microsoft Intune (Windows 10) description: After you’ve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices. ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211 -keywords: ["EDP", "Enterprise Data Protection", "Intune"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection, Intune +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/deploy-the-applocker-policy-into-production.md b/windows/keep-secure/deploy-the-applocker-policy-into-production.md index 32e3cd0d65..e56061213f 100644 --- a/windows/keep-secure/deploy-the-applocker-policy-into-production.md +++ b/windows/keep-secure/deploy-the-applocker-policy-into-production.md @@ -2,7 +2,7 @@ title: Deploy the AppLocker policy into production (Windows 10) description: This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. ms.assetid: ebbb1907-92dc-499e-8cee-8e637483c9ae -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md new file mode 100644 index 0000000000..144252b206 --- /dev/null +++ b/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md 
@@ -0,0 +1,47 @@ +--- +title: Designing a Windows Firewall with Advanced Security Strategy (Windows 10) +description: Designing a Windows Firewall with Advanced Security Strategy +ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Designing a Windows Firewall with Advanced Security Strategy + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the devices on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the devices. + +- [Gathering the Information You Need](gathering-the-information-you-need.md) + +- [Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md) + +The information that you gather will help you answer the following questions. The answers will help you understand your security requirements and select the design that best matches those requirements. The information will also help you when it comes time to deploy your design, by helping you to build a deployment strategy that is cost effective and resource efficient. It will help you project and justify the expected costs associated with implementing the design. + +- What traffic must always be allowed? What are characteristics of the network traffic generated and consumed by the business programs? + +- What traffic must always be blocked? Does your organization have policies that prohibit the use of specific programs? If so, what are the characteristics of the network traffic generated and consumed by the prohibited programs? 
+ +- What traffic on the network cannot be protected by IPsec because the devices or devices sending or receiving the traffic do not support IPsec? + +- For each type of network traffic, does the default configuration of the firewall (block all unsolicited inbound network traffic, allow all outbound traffic) allow or block the traffic as required? + +- Do you have an Active Directory domain (or forest of trusted domains) to which all your devices are joined? If you do not, then you cannot use Group Policy for easy mass deployment of your firewall and connection security rules. You also cannot easily take advantage of Kerberos V5 authentication that all domain clients can use. + +- Which devices must be able to accept unsolicited inbound connections from devices that are not part of the domain? + +- Which devices contain data that must be encrypted when exchanged with another computer? + +- Which devices contain sensitive data to which access must be restricted to specifically authorized users and devices? + +- Does your organization have specific network troubleshooting devices or devices (such as protocol analyzers) that must be granted unlimited access to the devices on the network, essentially bypassing the firewall? + + +This guide describes how to plan your groups and GPOs for an environment with a mix of operating systems. Details can be found in the section [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) later in this guide. + +**Next: **[Gathering the Information You Need](gathering-the-information-you-need.md) diff --git a/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md b/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md index 5733fd532e..1544475c03 100644 --- a/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md +++ b/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md 
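Review bot: Two bullets in the new question list read `the devices or devices sending or receiving the traffic` and `network troubleshooting devices or devices (such as protocol analyzers)`, which looks like a global computer-to-device replacement that collapsed a "computers or devices" pair into a duplicate; reword each to a single noun (for example `the devices sending or receiving the traffic`). The closing navigation line `**Next: **[Gathering the Information You Need](gathering-the-information-you-need.md)` has a space before the closing `**`, so the bold will not render; write it as `**Next:** [Gathering the Information You Need](...)`. The `description:` front matter only repeats the title; a one-line summary (what to learn about the environment before choosing a firewall design) would serve search and the TOC better.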
@@ -2,7 +2,7 @@ title: Determine the Group Policy structure and rule enforcement (Windows 10) description: This overview topic describes the process to follow when you are planning to deploy AppLocker rules. ms.assetid: f435fcbe-c7ac-4ef0-9702-729aab64163f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md index a02d55ecc7..ccf2483c4d 100644 --- a/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md +++ b/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md @@ -2,7 +2,7 @@ title: Determine which apps are digitally signed on a reference device (Windows 10) description: This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed. ms.assetid: 24609a6b-fdcb-4083-b234-73e23ff8bcb8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/determine-your-application-control-objectives.md b/windows/keep-secure/determine-your-application-control-objectives.md index 65098f5d72..a74a000710 100644 --- a/windows/keep-secure/determine-your-application-control-objectives.md +++ b/windows/keep-secure/determine-your-application-control-objectives.md @@ -2,7 +2,7 @@ title: Determine your application control objectives (Windows 10) description: This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. ms.assetid: 0e84003e-6095-46fb-8c4e-2065869bb53b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/determining-the-trusted-state-of-your-devices.md b/windows/keep-secure/determining-the-trusted-state-of-your-devices.md new file mode 100644 index 0000000000..8bbd75608d --- /dev/null +++ b/windows/keep-secure/determining-the-trusted-state-of-your-devices.md 
@@ -0,0 +1,139 @@ +--- +title: Determining the Trusted State of Your Devices (Windows 10) +description: Determining the Trusted State of Your Devices +ms.assetid: 3e77f0d0-43aa-47dd-8518-41ccdab2f2b2 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Determining the Trusted State of Your Devices + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security cannot exceed the level of security set by the least secure client that achieves trusted status. + +>**Note:**  In this context, the term *trust* has nothing to do with an Active Directory trust relationship between domains. The trusted state of your devices just indicates the level of risk that you believe the device brings to the network. Trusted devices bring little risk whereas untrusted devices can potentially bring great risk. + +## Trust states + + +To understand this concept, consider the four basic states that apply to devices in a typical IT infrastructure. These states are (in order of risk, lowest risk first): + +- Trusted + +- Trustworthy + +- Known, untrusted + +- Unknown, untrusted + +The remainder of this section defines these states and how to determine which devices in your organization belong in each state. + +### Trusted state + +Classifying a device as trusted means that the device's security risks are managed, but it does not imply that it is perfectly secure or invulnerable. 
The responsibility for this managed state falls to the IT and security administrators, in addition to the users who are responsible for the configuration of the device. A trusted device that is poorly managed will likely become a point of weakness for the network. + +When a device is considered trusted, other trusted devices can reasonably assume that the device will not initiate a malicious act. For example, trusted devices can expect that other trusted devices will not run a virus that attacks them, because all trusted devices are required to use mechanisms (such as antivirus software) to mitigate the threat of viruses. + +Spend some time defining the goals and technology requirements that your organization considers appropriate as the minimum configuration for a device to obtain trusted status. + +A possible list of technology requirements might include the following: + +- **Operating system.** A trusted client device should run at least Windows Vista. A trusted server should run at least Windows Server 2008. + +- **Domain membership.** A trusted device will belong to a managed Active Directory domain, which means that the IT department has security management rights and can configure member devices by using Group Policy. + +- **Management client.** All trusted devices must run a specific network management client to allow for centralized management and control of security policies, configurations, and software. Configuration Manager is one such management system with an appropriate client. + +- **Antivirus software.** All trusted devices will run antivirus software that is configured to check for and automatically update the latest virus signature files daily. + +- **File system.** All trusted devices will be configured to use the NTFS file system. + +- **BIOS settings.** All trusted portable devices will be configured to use a BIOS-level password that is under the management of the IT support team. 
+ +- **Password requirements.** Trusted clients must use strong passwords. + +It is important to understand that the trusted state is not constant; it is a transient state that is subject to changing security standards and compliance with those standards. New threats and new defenses emerge constantly. For this reason, the organization's management systems must continually check the trusted devices to ensure ongoing compliance. Additionally, the management systems must be able to issue updates or configuration changes if they are required to help maintain the trusted status. + +A device that continues to meet all these security requirements can be considered trusted. However it is possible that most devices that were identified in the discovery process discussed earlier do not meet these requirements. Therefore, you must identify which devices can be trusted and which ones cannot. To help with this process, you use the intermediate *trustworthy* state. The remainder of this section discusses the different states and their implications. + +### Trustworthy state + +It is useful to identify as soon as possible those devices in your current infrastructure that can achieve a trusted state. A *trustworthy state* can be assigned to indicate that the current device can physically achieve the trusted state with required software and configuration changes. + +For each device that is assigned a trustworthy status, make an accompanying configuration note that states what is required to enable the device to achieve trusted status. This information is especially important to both the project design team (to estimate the costs of adding the device to the solution) and the support staff (to enable them to apply the required configuration). + +Generally, trustworthy devices fall into one of the following two groups: + +- **Configuration required.** The current hardware, operating system, and software enable the device to achieve a trustworthy state. 
However, additional configuration changes are required. For example, if the organization requires a secure file system before a device can be considered trusted, a device that uses a FAT32-formatted hard disk does not meet this requirement. + +- **Upgrade required.** These devices require upgrades before they can be considered trusted. The following list provides some examples of the type of upgrade these devices might require: + + - **Operating system upgrade required.** If the device's current operating system cannot support the security needs of the organization, an upgrade would be required before the device could achieve a trusted state. + + - **Software required.** A device that is missing a required security application, such as an antivirus scanner or a management client, cannot be considered trusted until these applications are installed and active. + + - **Hardware upgrade required.** In some cases, a device might require a specific hardware upgrade before it can achieve trusted status. This type of device usually needs an operating system upgrade or additional software that forces the required hardware upgrade. For example, security software might require additional hard disk space on the device. + + - **Device replacement required.** This category is reserved for devices that cannot support the security requirements of the solution because their hardware cannot support the minimum acceptable configuration. For example, a device that cannot run a secure operating system because it has an old processor (such as a 100-megahertz \[MHz\] x86-based device). + +Use these groups to assign costs for implementing the solution on the devices that require upgrades. + +### Known, untrusted state + +During the process of categorizing an organization's devices, you will identify some devices that cannot achieve trusted status for specific well-understood and well-defined reasons. 
These reasons might include the following types: + +- **Financial.** The funding is not available to upgrade the hardware or software for this device. + +- **Political.** The device must remain in an untrusted state because of a political or business situation that does not enable it to comply with the stated minimum security requirements of the organization. It is highly recommended that you contact the business owner or independent software vendor (ISV) for the device to discuss the added value of server and domain isolation. + +- **Functional.** The device must run a nonsecure operating system or must operate in a nonsecure manner to perform its role. For example, the device might be required to run an older operating system because a specific line of business application will only work on that operating system. + +There can be multiple functional reasons for a device to remain in the known untrusted state. The following list includes several examples of functional reasons that can lead to a classification of this state: + +- **Devices that run unsupported versions of Windows.** This includes Windows XP, Windows Millennium Edition, Windows 98, Windows 95, or Windows NT. Devices that run these versions of the Windows operating system cannot be classified as trustworthy because these operating systems do not support the required security infrastructure. For example, although Windows NT does support a basic security infrastructure, it does not support “deny” ACLs on local resources, any way to ensure the confidentiality and integrity of network communications, smart cards for strong authentication, or centralized management of device configurations (although limited central management of user configurations is supported). + +- **Stand-alone devices.** Devices running any version of Windows that are configured as stand-alone devices or as members of a workgroup usually cannot achieve a trustworthy state. 
Although these devices fully support the minimum required basic security infrastructure, the required security management capabilities are unlikely to be available when the device is not a part of a trusted domain. + +- **Devices in an untrusted domain.** A device that is a member of a domain that is not trusted by an organization's IT department cannot be classified as trusted. An untrusted domain is a domain that cannot provide the required security capabilities to its members. Although the operating systems of devices that are members of this untrusted domain might fully support the minimum required basic security infrastructure, the required security management capabilities cannot be fully guaranteed when devices are not in a trusted domain. + +### Unknown, untrusted state + +The unknown, untrusted state should be considered the default state for all devices. Because devices in this state have a configuration that is unknown, you can assign no trust to them. All planning for devices in this state must assume that the device is an unacceptable risk to the organization. Designers of the solution should strive to minimize the impact that the devices in this state can have on their organizations. + +## Capturing upgrade costs for current devices + + +The final step in this part of the process is to record the approximate cost of upgrading the devices to a point that they can participate in the server and domain isolation design. You must make several key decisions during the design phase of the project that require answers to the following questions: + +- Does the device meet the minimum hardware requirements necessary for isolation? + +- Does the device meet the minimum software requirements necessary for isolation? + +- What configuration changes must be made to integrate this device into the isolation solution? + +- What is the projected cost or impact of making the proposed changes to enable the device to achieve a trusted state? 
+ +By answering these questions, you can quickly determine the level of effort and approximate cost of bringing a particular device or group of devices into the scope of the project. It is important to remember that the state of a device is transitive, and that by performing the listed remedial actions you can change the state of a device from untrusted to trusted. After you decide whether to place a device in a trusted state, you are ready to begin planning and designing the isolation groups, which the next section [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) discusses. + +The following table is an example of a data sheet that you could use to help capture the current state of a device and what would be required for the device to achieve a trusted state. + +| Device name | Hardware reqs met | Software reqs met | Configuration required | Details | Projected cost | +| - | - | - | - | - | - | +| CLIENT001 | No| No| Upgrade hardware and software.| Current operating system is Windows XP. Old hardware is not compatible with newer versions of Windows.| $??| +| SERVER001 | Yes| No| Join trusted domain and upgrade from Windows Server 2003 to Windows Server 2012.| No antivirus software present.| $??| + +In the previous table, the device CLIENT001 is currently "known, untrusted" because its hardware must be upgraded. However, it could be considered trustworthy if the required upgrades are possible. However, if many devices require the same upgrades, the overall cost of the solution would be much higher. + +The device SERVER001 is "trustworthy" because it meets the hardware requirements but its operating system must be upgraded. It also requires antivirus software. The projected cost is the amount of effort that is required to upgrade the operating system and install antivirus software, along with their purchase costs. 
+ +With the other information that you have gathered in this section, this information will be the foundation of the efforts performed later in the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section. + +The costs identified in this section only capture the projected cost of the device upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan. + +**Next: **[Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) diff --git a/windows/keep-secure/device-guard-certification-and-compliance.md b/windows/keep-secure/device-guard-certification-and-compliance.md index 9edecd273d..6ac463047e 100644 --- a/windows/keep-secure/device-guard-certification-and-compliance.md +++ b/windows/keep-secure/device-guard-certification-and-compliance.md @@ -3,7 +3,7 @@ title: Device Guard certification and compliance (Windows 10) description: Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. ms.assetid: 94167ECA-AB08-431D-95E5-7A363F42C7E3 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft diff --git a/windows/keep-secure/device-guard-deployment-guide.md b/windows/keep-secure/device-guard-deployment-guide.md index 3d9a53be0e..f98d7216ea 100644 --- a/windows/keep-secure/device-guard-deployment-guide.md +++ b/windows/keep-secure/device-guard-deployment-guide.md 
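Review bot: In the Capturing upgrade costs section, `the state of a device is transitive` should read `transient`, matching the earlier statement that trusted status `is a transient state that is subject to changing security standards`. The baseline under Trusted state (`A trusted client device should run at least Windows Vista. A trusted server should run at least Windows Server 2008.`) and the SERVER001 example (`upgrade from Windows Server 2003 to Windows Server 2012`) are carried over from an older guide; since the topic applies to Windows 10 and Windows Server 2016 Technical Preview, either update the minimum versions and the example or add a sentence saying the list is illustrative. In the example table, the SERVER001 row's Configuration required cell lists only the domain join and OS upgrade, while its Details cell and the following paragraph say antivirus software is missing and must be installed; add the antivirus step to the configuration cell so the table and narrative agree. The final `**Next: **[Planning Your Windows Firewall with Advanced Security Design](...)` has a space before the closing `**` and will not render as bold; write it as `**Next:** [...]`.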
@@ -3,9 +3,9 @@ title: Device Guard deployment guide (Windows 10) description: Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. ms.assetid: 4BA52AA9-64D3-41F3-94B2-B87EC2717486 keywords: virtualization, security, malware -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy -ms.pagetype: devices +ms.pagetype: security, devices author: challum --- diff --git a/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md b/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md index 0d237c5cd4..d8f1d31192 100644 --- a/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md +++ b/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md @@ -2,7 +2,7 @@ title: Devices Allow undock without having to log on (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Allow undock without having to log on security policy setting. ms.assetid: 1d403f5d-ad41-4bb4-9f4a-0779c1c14b8c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md b/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md index 9c9a232738..bffc76a5e9 100644 --- a/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md +++ b/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md @@ -2,7 +2,7 @@ title: Devices Allowed to format and eject removable media (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Allowed to format and eject removable media security policy setting. ms.assetid: d1b42425-7244-4ab1-9d46-d68de823459c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
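Review bot: `+ms.pagetype: security, devices` in device-guard-deployment-guide.md is the only front-matter entry in this change with two comma-separated values; every other topic sets a single `ms.pagetype`. Confirm that the docs build and the page-type facet accept a list here, otherwise the topic will not match the `security` filter this change is applying everywhere else.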
diff --git a/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md b/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md index c71b4b04d5..0bf0ba89a9 100644 --- a/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md +++ b/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md @@ -2,7 +2,7 @@ title: Devices Prevent users from installing printer drivers (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Prevent users from installing printer drivers security policy setting. ms.assetid: ab70a122-f7f9-47e0-ad8c-541f30a27ec3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md index e42ea9042c..5e399e075e 100644 --- a/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md +++ b/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md @@ -2,7 +2,7 @@ title: Devices Restrict CD-ROM access to locally logged-on user only (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Restrict CD-ROM access to locally logged-on user only security policy setting. ms.assetid: 8b8f44bb-84ce-4f18-af30-ab89910e234d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md index 3246e36da5..1716725907 100644 --- a/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md 
+++ b/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md @@ -2,7 +2,7 @@ title: Devices Restrict floppy access to locally logged-on user only (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Restrict floppy access to locally logged-on user only security policy setting. ms.assetid: 92997910-da95-4c03-ae6f-832915423898 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md index 267ba483ac..85c56528b1 100644 --- a/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md +++ b/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md @@ -3,7 +3,7 @@ title: Display a custom URL message when users try to run a blocked app (Windows description: This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app. ms.assetid: 9a2534a5-d1fa-48a9-93c6-989d4857cf85 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft diff --git a/windows/keep-secure/dll-rules-in-applocker.md b/windows/keep-secure/dll-rules-in-applocker.md index 4f99109b04..b6e4cd9e93 100644 --- a/windows/keep-secure/dll-rules-in-applocker.md +++ b/windows/keep-secure/dll-rules-in-applocker.md @@ -2,7 +2,7 @@ title: DLL rules in AppLocker (Windows 10) description: This topic describes the file formats and available default rules for the DLL rule collection. ms.assetid: a083fd08-c07e-4534-b0e7-1e15d932ce8f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md index f583b63513..72c1c10193 100644 --- a/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md +++ b/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md @@ -2,7 +2,7 @@ title: Document the Group Policy structure and AppLocker rule enforcement (Windows 10) description: This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. ms.assetid: 389ffa8e-11fc-49ff-b0b1-89553e6fb6e5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft diff --git a/windows/keep-secure/document-your-application-control-management-processes.md b/windows/keep-secure/document-your-application-control-management-processes.md index e0ef522601..6e2a75390d 100644 --- a/windows/keep-secure/document-your-application-control-management-processes.md +++ b/windows/keep-secure/document-your-application-control-management-processes.md @@ -2,7 +2,7 @@ title: Document your application control management processes (Windows 10) description: This planning topic describes the AppLocker policy maintenance information to record for your design document. ms.assetid: 6397f789-0e36-4933-9f86-f3f6489cf1fb -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/document-your-application-list.md b/windows/keep-secure/document-your-application-list.md index c20e6831ad..735dc55515 100644 --- a/windows/keep-secure/document-your-application-list.md +++ b/windows/keep-secure/document-your-application-list.md 
@@ -2,7 +2,7 @@ title: Document your app list (Windows 10) description: This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies. ms.assetid: b155284b-f75d-4405-aecf-b74221622dc0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/document-your-applocker-rules.md b/windows/keep-secure/document-your-applocker-rules.md index 5603fcefdc..68d32d07d7 100644 --- a/windows/keep-secure/document-your-applocker-rules.md +++ b/windows/keep-secure/document-your-applocker-rules.md @@ -2,7 +2,7 @@ title: Document your AppLocker rules (Windows 10) description: This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded. ms.assetid: 91a198ce-104a-45ff-b49b-487fb40cd2dd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/documenting-the-zones.md b/windows/keep-secure/documenting-the-zones.md new file mode 100644 index 0000000000..88e67e80c4 --- /dev/null +++ b/windows/keep-secure/documenting-the-zones.md 
@@ -0,0 +1,27 @@ +--- +title: Documenting the Zones (Windows 10) +description: Documenting the Zones +ms.assetid: ebd7a650-4d36-42d4-aac0-428617f5a32d +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Documenting the Zones + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Firewall with Advanced Security Strategy section. A sample is shown here: + +| Host name | Hardware reqs met | Software reqs met | Configuration required | Details | Projected cost | Group | +| - | - | - | - | - | - | +| CLIENT001 | No| No| Upgrade hardware and software.| Current operating system is Windows XP. Old hardware not compatible with newer versions of Windows.| $??| Isolated domain| +| SERVER002 | Yes| No| Join trusted domain, upgrade from Windows Server 2008 to at least Windows Server 2012| No antivirus software present.| $??| Encryption| +| SENSITIVE001 | Yes| Yes| Not required.| Running Windows Server 2012. Ready for inclusion.| $0| Isolated server (in zone by itself)| +| PRINTSVR1 | Yes| Yes| Not required.| Running Windows Server 2008 R2. Ready for inclusion.| $0| Boundary| + +**Next: **[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) diff --git a/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md index 73dd753654..feafcec116 100644 
--- a/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md +++ b/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md @@ -2,7 +2,7 @@ title: Domain controller Allow server operators to schedule tasks (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain controller Allow server operators to schedule tasks security policy setting. ms.assetid: 198b12a4-8a5d-48e8-a752-2073b8a2cb0d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md index 8f75f7faa7..10001b50e6 100644 --- a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md +++ b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md @@ -2,7 +2,7 @@ title: Domain controller LDAP server signing requirements (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server signing requirements security policy setting. ms.assetid: fe122179-7571-465b-98d0-b8ce0f224390 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md b/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md index 3d0dc98ace..563e0956a9 100644 --- a/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md +++ b/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md 
@@ -2,7 +2,7 @@ title: Domain controller Refuse machine account password changes (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain controller Refuse machine account password changes security policy setting. ms.assetid: 5a7fa2e2-e1a8-4833-90f7-aa83e3b456a9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-isolation-policy-design-example.md b/windows/keep-secure/domain-isolation-policy-design-example.md new file mode 100644 index 0000000000..2bfcf9cbc8 --- /dev/null +++ b/windows/keep-secure/domain-isolation-policy-design-example.md 
@@ -0,0 +1,58 @@ +--- +title: Domain Isolation Policy Design Example (Windows 10) +description: Domain Isolation Policy Design Example +ms.assetid: 704dcf58-286f-41aa-80af-c81720aa7fc5 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Domain Isolation Policy Design Example + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams. + +## Design Requirements + +In addition to the basic protection provided by the firewall rules in the previous design example, you might want to implement domain isolation to provide another layer of security to their networked devices. You can create firewall and connection security rules that use authentication to reduce the risk of communicating with untrusted and potentially hostile devices. + +The following illustration shows the traffic protection needed for this design example. + +![domain isolation policy design](images/wfas-design2example1.gif) + +1. All devices on the Woodgrove Bank corporate network that are Active Directory domain members must authenticate inbound network traffic as coming from another computer that is a member of the domain. Unless otherwise specified in this section, Woodgrove Bank's devices reject all unsolicited inbound network traffic that is not authenticated. If the basic firewall design is also implemented, even authenticated inbound network traffic is dropped unless it matches an inbound firewall rule. + +2. The servers hosting the WGPartner programs must be able to receive unsolicited inbound traffic from devices owned by its partners, which are not members of Woodgrove Bank's domain. + +3. 
Client devices can initiate non-authenticated outbound communications with devices that are not members of the domain, such as browsing external Web sites. Unsolicited inbound traffic from non-domain members is blocked. + +4. Devices in the encryption zone require that all network traffic inbound and outbound must be encrypted, in addition to the authentication already required by the isolated domain. + +**Other traffic notes:** + +- All of the design requirements described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section are still enforced. + +## Design Details + +Woodgrove Bank uses Active Directory groups and GPOs to deploy the domain isolation settings and rules to the devices on its network. + +Setting up groups as described here ensures that you do not have to know what operating system a computer is running before assigning it to a group. As in the firewall policy design, a combination of WMI filters and security group filters are used to ensure that members of the group receive the GPO appropriate for the version of Windows running on that computer. For some groups, you might have four or even five GPOs. + +The following groups were created by using the Active Directory Users and Computers MMC snap-in, all devices that run Windows were added to the correct groups, and then the appropriate GPO are applied to the group. To include a device in the isolated domain or any one of its subordinate zones, simply add the device's account in the appropriate group. + +- **CG\_DOMISO\_ISOLATEDDOMAIN**. The members of this group participate in the isolated domain. After an initial pilot period, followed by a slowly increasing group membership, the membership of this group was eventually replaced with the entry **Domain Computers** to ensure that all devices in the domain participate by default. The WMI filters ensure that the GPO does not apply to domain controllers. 
GPOs with connection security rules to enforce domain isolation behavior are linked to the domain container and applied to the devices in this group. Filters ensure that each computer receives the correct GPO for its operating system type. The rules in the domain isolation GPO require Kerberos v5 authentication for inbound network connections, and request (but not require) it for all outbound connections. + +- **CG\_DOMISO\_NO\_IPSEC**. This group is denied read or apply permissions on any of the domain isolation GPOs. Any computer that cannot participate in domain isolation, such as a DHCP server running UNIX, is added to this group. + +- **CG\_DOMISO\_BOUNDARY**. This group contains the computer accounts for all the devices that are part of the boundary group able to receive unsolicited inbound traffic from untrusted devices. Members of the group receive a GPO that configures connection security rules to request (but not require) both inbound and outbound authentication. + +- **CG\_DOMISO\_ENCRYPTION**. This group contains the computer accounts for all the devices that require all inbound and outbound traffic to be both authenticated and encrypted. Members of the group receive a GPO that configures connection security and firewall rules to require both authentication and encryption on all inbound and outbound traffic. + +>**Note:**  If you are designing GPOs for only Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. However, devices that are running older versions of Windows can only support a single IPsec policy being active at a time. 
The policies for each GPO must be complete (and to a great extent redundant with each other), because you cannot layer them as you can in the newer versions of Windows. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group. + +**Next: **[Server Isolation Policy Design Example](server-isolation-policy-design-example.md) diff --git a/windows/keep-secure/domain-isolation-policy-design.md b/windows/keep-secure/domain-isolation-policy-design.md new file mode 100644 index 0000000000..da2564242b --- /dev/null +++ b/windows/keep-secure/domain-isolation-policy-design.md 
@@ -0,0 +1,64 @@ +--- +title: Domain Isolation Policy Design (Windows 10) +description: Domain Isolation Policy Design +ms.assetid: 7475084e-f231-473a-9357-5e1d39861d66 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Domain Isolation Policy Design + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +In the domain isolation policy design, you configure the devices on your network to accept only connections coming from devices that are authenticated as members of the same isolated domain. + +This design typically begins with a network configured as described in the [Basic Firewall Policy Design](basic-firewall-policy-design.md) section. For this design, you then add connection security and IPsec rules to configure devices in the isolated domain to accept only network traffic from other devices that can authenticate as a member of the isolated domain. After implementing the new rules, your devices reject unsolicited network traffic from devices that are not members of the isolated domain. + +The isolated domain might not be a single Active Directory domain. It can consist of all the domains in a forest, or domains in separate forests that have two-way trust relationships configured between them. + +By using connection security rules based on IPsec, you provide a logical barrier between devices even if they are connected to the same physical network segment. + +The design is shown in the following illustration, with the arrows that show the permitted communication paths. + +![isolated domain boundary zone](images/wfasdomainisoboundary.gif) + +Characteristics of this design, as shown in the diagram, include the following: + +- Isolated domain (area A) - Devices in the isolated domain receive unsolicited inbound traffic only from other members of the isolated domain or from devices referenced in authentication exemption rules. 
Devices in the isolated domain can send traffic to any device. This includes unauthenticated traffic to devices that are not in the isolated domain. Devices that cannot join an Active Directory domain, but that can use certificates for authentication, can be part of the isolated domain. For more info, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md). + +- Boundary zone (area B) - Devices in the boundary zone are part of the isolated domain but are allowed to accept inbound connections from untrusted devices, such as clients on the Internet. + + Devices in the boundary zone request but do not require authentication to communicate. When a member of the isolated domain communicates with a boundary zone member the traffic is authenticated. When a device that is not part of the isolated domain communicates with a boundary zone member the traffic is not authenticated. + + Because boundary zone devices are exposed to network traffic from untrusted and potentially hostile devices, they must be carefully managed and secured. Put only the devices that must be accessed by external devices in this zone. Use firewall rules to ensure that network traffic is accepted only for services that you want exposed to non-domain member devices. + +- Trusted non-domain members (area C) - Devices on the network that are not domain members or that cannot use IPsec authentication are allowed to communicate by configuring authentication exemption rules. These rules enable devices in the isolated domain to accept inbound connections from these trusted non-domain member devices. + +- Untrusted non-domain members (area D) - Devices that are not managed by your organization and have an unknown security configuration must have access only to those devices required for your organization to correctly conduct its business. Domain isolation exists to put a logical barrier between these untrusted Devices and your organization's devices. 
+ +After implementing this design, your administrative team will have centralized management of the firewall and connection security rules applied to the devices in your organization. + +>**Important:**  This design builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md), and in turn serves as the foundation for the [Server Isolation Policy Design](server-isolation-policy-design.md). If you plan to deploy all three, we recommend that you do the design work for all three together, and then deploy in the sequence presented. + +This design can be applied to Devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules. + +In order to expand the isolated domain to include Devices that cannot be part of an Active Directory domain, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md). + +For more info about this design: + +- This design coincides with the deployment goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). + +- To learn more about this design, see the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md). + +- Before completing the design, gather the info described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). 
+ +- To help you make the decisions required in this design, see [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md). + +- For a list of tasks that you can use to deploy your domain isolation policy design, see [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). + +**Next:** [Server Isolation Policy Design](server-isolation-policy-design.md) diff --git a/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md index dde52ba0d7..b748e75485 100644 --- a/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md +++ b/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md @@ -2,7 +2,7 @@ title: Domain member Digitally encrypt or sign secure channel data (always) (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt or sign secure channel data (always) security policy setting. ms.assetid: 4480c7cb-adca-4f29-b4b8-06eb68d272bf -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md index 9412bf6ae7..241c83b30b 100644 --- a/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md +++ b/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md 
@@ -2,7 +2,7 @@ title: Domain member Digitally encrypt secure channel data (when possible) (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt secure channel data (when possible) security policy setting. ms.assetid: 73e6023e-0af3-4531-8238-82f0f0e4965b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md index 6f0cdd5ea0..dfa36d1360 100644 --- a/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md +++ b/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md @@ -2,7 +2,7 @@ title: Domain member Digitally sign secure channel data (when possible) (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Digitally sign secure channel data (when possible) security policy setting. ms.assetid: a643e491-4f45-40ea-b12c-4dbe47e54f34 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-member-disable-machine-account-password-changes.md b/windows/keep-secure/domain-member-disable-machine-account-password-changes.md index a7e862cea4..e933a14786 100644 --- a/windows/keep-secure/domain-member-disable-machine-account-password-changes.md +++ b/windows/keep-secure/domain-member-disable-machine-account-password-changes.md 
@@ -2,7 +2,7 @@ title: Domain member Disable machine account password changes (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Disable machine account password changes security policy setting. ms.assetid: 1f660300-a07a-4243-a09f-140aa1ab8867 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-member-maximum-machine-account-password-age.md b/windows/keep-secure/domain-member-maximum-machine-account-password-age.md index b97cf3f485..841729d203 100644 --- a/windows/keep-secure/domain-member-maximum-machine-account-password-age.md +++ b/windows/keep-secure/domain-member-maximum-machine-account-password-age.md @@ -2,7 +2,7 @@ title: Domain member Maximum machine account password age (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Maximum machine account password age security policy setting. ms.assetid: 0ec6f7c1-4d82-4339-94c0-debb2d1ac109 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md index 320d44e467..2d179f76d3 100644 --- a/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md +++ b/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md 
@@ -2,7 +2,7 @@ title: Domain member Require strong (Windows 2000 or later) session key (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Require strong (Windows 2000 or later) session key security policy setting. ms.assetid: 5ab8993c-5086-4f09-bc88-1b27454526bd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/edit-an-applocker-policy.md b/windows/keep-secure/edit-an-applocker-policy.md index 2faffd200f..8bd9ebfcea 100644 --- a/windows/keep-secure/edit-an-applocker-policy.md +++ b/windows/keep-secure/edit-an-applocker-policy.md @@ -2,7 +2,7 @@ title: Edit an AppLocker policy (Windows 10) description: This topic for IT professionals describes the steps required to modify an AppLocker policy. ms.assetid: dbc72d1f-3fe0-46c2-aeeb-96621fce7637 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/edit-applocker-rules.md b/windows/keep-secure/edit-applocker-rules.md index 2f47922cd0..3fcada9c5e 100644 --- a/windows/keep-secure/edit-applocker-rules.md +++ b/windows/keep-secure/edit-applocker-rules.md @@ -2,7 +2,7 @@ title: Edit AppLocker rules (Windows 10) description: This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker. ms.assetid: 80016cda-b915-46a0-83c6-5e6b0b958e32 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md index b3dcd0cd1a..6e5addb821 100644 --- a/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md +++ b/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md 
@@ -2,7 +2,7 @@ title: Enable computer and user accounts to be trusted for delegation (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Enable computer and user accounts to be trusted for delegation security policy setting. ms.assetid: 524062d4-1595-41f3-8ce1-9c85fd21497b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/enable-predefined-inbound-rules.md b/windows/keep-secure/enable-predefined-inbound-rules.md new file mode 100644 index 0000000000..fe16701837 --- /dev/null +++ b/windows/keep-secure/enable-predefined-inbound-rules.md 
@@ -0,0 +1,36 @@ +--- +title: Enable Predefined Inbound Rules (Windows 10) +description: Enable Predefined Inbound Rules +ms.assetid: a4fff086-ae81-4c09-b828-18c6c9a937a7 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Enable Predefined Inbound Rules + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Windows Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +To deploy predefined firewall rules that allow inbound network traffic for common network functions + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Inbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Predefined**, select the rule category from the list, and then click **Next**. + +5. On the **Predefined Rules** page, the list of rules defined in the group is displayed. By default, they are all selected. For rules that you do not want to deploy, clear the check boxes next to the rules, and then click **Next**. + +6. 
On the **Action** page, select **Allow the connection**, and then click **Finish**. diff --git a/windows/keep-secure/enable-predefined-outbound-rules.md b/windows/keep-secure/enable-predefined-outbound-rules.md new file mode 100644 index 0000000000..1691399b8a --- /dev/null +++ b/windows/keep-secure/enable-predefined-outbound-rules.md 
@@ -0,0 +1,38 @@ +--- +title: Enable Predefined Outbound Rules (Windows 10) +description: Enable Predefined Outbound Rules +ms.assetid: 71cc4157-a1ed-41d9-91e4-b3140c67c1be +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Enable Predefined Outbound Rules + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Firewall with Advanced Security includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +To deploy predefined firewall rules that block outbound network traffic for common network functions + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Outbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Predefined**, select the rule category from the list, and then click **Next**. + +5. On the **Predefined Rules** page, the list of rules defined in the group is displayed. 
They are all selected by default. For rules that you do not want to deploy, clear the check boxes next to the rules, and then click **Next**. + +6. On the **Action** page, select **Block the connection**, and then click **Finish**. + + The selected rules are added to the GPO. diff --git a/windows/keep-secure/enable-the-dll-rule-collection.md b/windows/keep-secure/enable-the-dll-rule-collection.md index 1dd233aee5..3a23c140a8 100644 --- a/windows/keep-secure/enable-the-dll-rule-collection.md +++ b/windows/keep-secure/enable-the-dll-rule-collection.md @@ -2,7 +2,7 @@ title: Enable the DLL rule collection (Windows 10) description: This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker. ms.assetid: 88ef9561-6eb2-491a-803a-b8cdbfebae27 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/encrypted-hard-drive.md b/windows/keep-secure/encrypted-hard-drive.md index 884275ee7e..7de2f367e0 100644 --- a/windows/keep-secure/encrypted-hard-drive.md +++ b/windows/keep-secure/encrypted-hard-drive.md @@ -2,7 +2,7 @@ title: Encrypted Hard Drive (Windows 10) description: Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/encryption-zone-gpos.md b/windows/keep-secure/encryption-zone-gpos.md new file mode 100644 index 0000000000..dcb49121a4 --- /dev/null +++ b/windows/keep-secure/encryption-zone-gpos.md 
@@ -0,0 +1,22 @@ +--- +title: Encryption Zone GPOs (Windows 10) +description: Encryption Zone GPOs +ms.assetid: eeb973dd-83a5-4381-9af9-65c43c98c29b +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Encryption Zone GPOs + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Handle encryption zones in a similar manner to the boundary zones. A device is added to an encryption zone by adding the device account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the devices that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section. + +The GPO is only for server versions of Windows. Client devices are not expected to participate in the encryption zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing encryption zone GPOs to make it apply to the client version of Windows. + +- [GPO\_DOMISO\_Encryption](gpo-domiso-encryption.md) diff --git a/windows/keep-secure/encryption-zone.md b/windows/keep-secure/encryption-zone.md new file mode 100644 index 0000000000..f6fd2aacd4 --- /dev/null +++ b/windows/keep-secure/encryption-zone.md 
@@ -0,0 +1,62 @@ +--- +title: Encryption Zone (Windows 10) +description: Encryption Zone +ms.assetid: 55a025ce-357f-4d1b-b2ae-6ee32c9abe13 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Encryption Zone + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Some servers in the organization host data that is very sensitive, including medical, financial, or other personally identifying data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices. + +To support the additional security requirements of these servers, we recommend that you create an encryption zone to contain the devices and that requires that the sensitive inbound and outbound network traffic be encrypted. + +You must create a group in Active Directory to contain members of the encryption zone. The settings and rules for the encryption zone are typically similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. You then modify the security methods list to include only algorithm combinations that include encryption protocols. + +Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. + +## GPO settings for encryption zone servers running at least Windows Server 2008 + + +The GPO for devices that are running at least Windows Server 2008 should include the following: + +- IPsec default settings that specify the following options: + + 1. Exempt all ICMP traffic from IPsec. + + 2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. 
Use the strongest algorithm combinations that are common to all your supported operating systems. + + 3. Data protection (quick mode) algorithm combinations. Check **Require encryption for all connection security rules that use these settings**, and then specify one or more integrity and encryption combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. + + If any NAT devices are present on your networks, use ESP encapsulation.. + + 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5 authentication, then you must include certificate-based authentication as an optional authentication method. + +- The following connection security rules: + + - A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. + + - A connection security rule, from any IP address to any, that requires inbound and requests outbound authentication using the default authentication specified earlier in this policy. + + **Important**   + Be sure to begin operations by using request in and request out behavior until you are sure that all the devices in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the GPO to require in, request out. + +   + +- A registry policy that includes the following values: + + - Enable PMTU discovery. 
Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. + + >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). + +- If domain member devices must communicate with devices in the encryption zone, ensure that you include in the isolated domain GPOs quick mode combinations that are compatible with the requirements of the encryption zone GPOs. + +**Next: **[Planning Server Isolation Zones](planning-server-isolation-zones.md) diff --git a/windows/keep-secure/enforce-applocker-rules.md b/windows/keep-secure/enforce-applocker-rules.md index 0f83a7ff57..31ab2aa2b8 100644 --- a/windows/keep-secure/enforce-applocker-rules.md +++ b/windows/keep-secure/enforce-applocker-rules.md @@ -2,7 +2,7 @@ title: Enforce AppLocker rules (Windows 10) description: This topic for IT professionals describes how to enforce application control rules by using AppLocker. ms.assetid: e1528b7b-77f2-4419-8e27-c9cc3721d96d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/enforce-password-history.md b/windows/keep-secure/enforce-password-history.md index b78ac67236..a52801d820 100644 --- a/windows/keep-secure/enforce-password-history.md +++ b/windows/keep-secure/enforce-password-history.md 
@@ -2,7 +2,7 @@ title: Enforce password history (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Enforce password history security policy setting. ms.assetid: 8b2ab871-3e52-4dd1-9776-68bb1e935442 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/enforce-user-logon-restrictions.md b/windows/keep-secure/enforce-user-logon-restrictions.md index 40eef86d2b..39f83bb850 100644 --- a/windows/keep-secure/enforce-user-logon-restrictions.md +++ b/windows/keep-secure/enforce-user-logon-restrictions.md @@ -2,7 +2,7 @@ title: Enforce user logon restrictions (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Enforce user logon restrictions security policy setting. ms.assetid: 5891cb73-f1ec-48b9-b703-39249e48a29f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-edp.md b/windows/keep-secure/enlightened-microsoft-apps-and-edp.md index c0cd2aac59..bf8d546f56 100644 --- a/windows/keep-secure/enlightened-microsoft-apps-and-edp.md +++ b/windows/keep-secure/enlightened-microsoft-apps-and-edp.md @@ -2,10 +2,11 @@ title: List of enlightened Microsoft apps for use with enterprise data protection (EDP) (Windows 10) description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list. ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f -keywords: ["EDP", "Enterprise Data Protection"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- 
diff --git a/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md new file mode 100644 index 0000000000..35a8444e6e --- /dev/null +++ b/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md @@ -0,0 +1,27 @@ +--- +title: Evaluating Windows Firewall with Advanced Security Design Examples (Windows 10) +description: Evaluating Windows Firewall with Advanced Security Design Examples +ms.assetid: a591389b-18fa-4a39-ba07-b6fb61961cbd +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Evaluating Windows Firewall with Advanced Security Design Examples + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +The following Windows Firewall with Advanced Security design examples illustrate how you can use Windows Firewall with Advanced Security to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Firewall with Advanced Security designs and to determine which design or combination of designs best suits the goals of your organization. + +- [Firewall Policy Design Example](firewall-policy-design-example.md) + +- [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) + +- [Server Isolation Policy Design Example](server-isolation-policy-design-example.md) + +- [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md) + diff --git a/windows/keep-secure/event-1100.md b/windows/keep-secure/event-1100.md new file mode 100644 index 0000000000..3a1a897cf0 --- /dev/null +++ b/windows/keep-secure/event-1100.md 
@@ -0,0 +1,73 @@ +--- +title: 1100(S) The event logging service has shut down. (Windows 10) +description: Describes security event 1100(S) The event logging service has shut down. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 1100(S): The event logging service has shut down. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 1100 illustration + +***Subcategory:*** [Other Events](other-events.md) + +***Event Description:*** + +This event generates every time Windows Event Log service has shut down. + +It also generates during normal system shutdown. + +This event doesn’t generate during emergency system reset. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 1100 + 0 + 4 + 103 + 0 + 0x4020000000000000 + + 1048124 + + + Security + DC01.contoso.local + + +- + + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +For 1100(S): The event logging service has shut down. + +- With this event, you can track system shutdowns and restarts. + +- This event also can be a sign of malicious action when someone tried to shut down the Log Service to cover his or her activity. + diff --git a/windows/keep-secure/event-1102.md b/windows/keep-secure/event-1102.md new file mode 100644 index 0000000000..ed03fdf472 --- /dev/null +++ b/windows/keep-secure/event-1102.md @@ -0,0 +1,98 @@ +--- +title: 1102(S) The audit log was cleared. (Windows 10) +description: Describes security event 1102(S) The audit log was cleared. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 1102(S): The audit log was cleared. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 1102 illustration + +***Subcategory:*** [Other Events](other-events.md) + +***Event Description:*** + +This event generates every time Windows Security audit log was cleared. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 1102 + 0 + 4 + 104 + 0 + 0x4020000000000000 + + 1087729 + + + Security + DC01.contoso.local + + +- +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x55cd1d + + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that cleared the system security audit log. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that cleared the system security audit log. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +## Security Monitoring Recommendations + +For 1102(S): The audit log was cleared. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Typically you should not see this event. There is no need to manually clear the Security event log in most cases. We recommend monitoring this event and investigating why this action was performed. + diff --git a/windows/keep-secure/event-1104.md b/windows/keep-secure/event-1104.md new file mode 100644 index 0000000000..89e9980503 --- /dev/null +++ b/windows/keep-secure/event-1104.md 
@@ -0,0 +1,67 @@ +--- +title: 1104(S) The security log is now full. (Windows 10) +description: Describes security event 1104(S) The security log is now full. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 1104(S): The security log is now full. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 1104 illustration + +***Subcategory:*** [Other Events](other-events.md) + +***Event Description:*** + +This event generates every time Windows security log becomes full. + +This event generates, for example, if the maximum size of Security Event Log file was reached and event log retention method is: “[Do not overwrite events (Clear logs manually)](https://technet.microsoft.com/en-us/library/cc778402(v=ws.10).aspx)”. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 1104 + 0 + 2 + 101 + 0 + 0x4020000000000000 + + 1087728 + + + Security + DC01.contoso.local + + +- + + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- If the Security event log retention method is set to “[Do not overwrite events (Clear logs manually)](https://technet.microsoft.com/en-us/library/cc778402(v=ws.10).aspx)”, then this event will indicate that log file is full and you need to perform immediate actions, for example, archive the log or clear it. + diff --git a/windows/keep-secure/event-1105.md b/windows/keep-secure/event-1105.md new file mode 100644 index 0000000000..75a97f1a66 --- /dev/null +++ b/windows/keep-secure/event-1105.md @@ -0,0 +1,98 @@ +--- +title: 1105(S) Event log automatic backup. (Windows 10) +description: Describes security event 1105(S) Event log automatic backup. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 1105(S): Event log automatic backup. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 1105 illustration + +***Subcategory:*** [Other Events](other-events.md) + +***Event Description:*** + +This event generates every time Windows security log becomes full and new event log file was created. + +This event generates, for example, if the maximum size of Security Event Log file was reached and event log retention method is: “[Archive the log when full, do not overwrite events](https://technet.microsoft.com/en-us/library/cc721981.aspx)”. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 1105 + 0 + 4 + 105 + 0 + 0x4020000000000000 + + 1128551 + + + Security + DC01.contoso.local + + +- +- + Security + C:\\Windows\\System32\\Winevt\\Logs\\Archive-Security-2015-10-16-00-50-12-621.evtx + + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Log** \[Type = UnicodeString\]: the name of the log which was archived (new event log file was created and previous event log was archived). Always “**Security”** for Security Event Logs. + +**File**: \[Type = FILETIME\]: full path and filename of archived log file. + +The format of archived log file name is: “Archive-LOG\_FILE\_NAME-YYYY-MM-DD-hh-mm-ss-nnn.evtx”. Where: + +- LOG\_FILE\_NAME – the name of archived file. + +- Y – years. + +- M – months. + +- D – days. + +- h – hours. + +- m – minutes. + +- s – seconds. + +- n – fractional seconds. + +The time in this event is always in ***GMT+0/UTC+0*** time zone. + +## Security Monitoring Recommendations + +For 1105(S): Event log automatic backup. + +- Typically it’s an informational event and no actions are needed. But if your baseline settings are not set to [Archive the log when full, do not overwrite events](https://technet.microsoft.com/en-us/library/cc721981.aspx), then this event will be a sign that some settings are not set to baseline settings or were changed. + diff --git a/windows/keep-secure/event-1108.md b/windows/keep-secure/event-1108.md new file mode 100644 index 0000000000..a20422a550 --- /dev/null +++ b/windows/keep-secure/event-1108.md 
@@ -0,0 +1,83 @@ +--- +title: 1108(S) The event logging service encountered an error while processing an incoming event published from %1. (Windows 10) +description: Describes security event 1108(S) The event logging service encountered an error while processing an incoming event published from %1. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 1108(S): The event logging service encountered an error while processing an incoming event published from %1. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 1108 illustration + +***Subcategory:*** [Other Events](other-events.md) + +***Event Description:*** + +This event generates when event logging service encountered an error while processing an incoming event. + +It typically generates when logging service will not be able to correctly write the event to the event log or some parameters were not passed to logging service to log the event correctly. You will typically see a defective or incorrect event before 1108. + +For example, event 1108 might be generated after an incorrect [4703](event-4703.md) event: + +Event 4703, partial illustration + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 1108 + 0 + 2 + 101 + 0 + 0x4020000000000000 + + 5599 + + + Security + WIN-GG82ULGC9GO.contoso.local + + +- +- + + 0 + Microsoft-Windows-Security-Auditing + + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008 R2, Windows 7. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**%1** \[Type = UnicodeString\]: the name of [security event source](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363661(v=vs.85).aspx) from which event was received for processing. You can see all registered security event source names in this registry path: “HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security”. Here is an example: + +Subkeys under Security key illustration + +## Security Monitoring Recommendations + +For 1108(S): The event logging service encountered an error while processing an incoming event published from %1. + +- We recommend monitoring for all events of this type and checking what the cause of the error was. + diff --git a/windows/keep-secure/event-4608.md b/windows/keep-secure/event-4608.md new file mode 100644 index 0000000000..92e9691726 --- /dev/null +++ b/windows/keep-secure/event-4608.md 
@@ -0,0 +1,67 @@ +--- +title: 4608(S) Windows is starting up. (Windows 10) +description: Describes security event 4608(S) Windows is starting up. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4608(S): Windows is starting up. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4608 illustration + +***Subcategory:*** [Audit Security State Change](audit-security-state-change.md) + +***Event Description:*** + +This event is logged when LSASS.EXE process starts and the auditing subsystem is initialized. + +It typically generates during operating system startup process. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4608 + 0 + 0 + 12288 + 0 + 0x8020000000000000 + + 1101704 + + + Security + DC01.contoso.local + + + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +For 4608(S): Windows is starting up. + +- With this event, you can track system startup events. + diff --git a/windows/keep-secure/event-4610.md b/windows/keep-secure/event-4610.md new file mode 100644 index 0000000000..66df4467cd --- /dev/null +++ b/windows/keep-secure/event-4610.md @@ -0,0 +1,77 @@ +--- +title: 4610(S) An authentication package has been loaded by the Local Security Authority. (Windows 10) +description: Describes security event 4610(S) An authentication package has been loaded by the Local Security Authority. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4610(S): An authentication package has been loaded by the Local Security Authority. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4610 illustration + +***Subcategory:*** [Audit Security System Extension](audit-security-system-extension.md) + +***Event Description:*** + +This event generates every time [Authentication Package](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374733(v=vs.85).aspx) has been loaded by the Local Security Authority ([LSA](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378326(v=vs.85).aspx)). + +Each time the system starts, the LSA loads the Authentication Package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages** registry value and performs the initialization sequence for every package located in these DLLs. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4610 + 0 + 0 + 12289 + 0 + 0x8020000000000000 + + 1048138 + + + Security + DC01.contoso.local + + +- + C:\\Windows\\system32\\msv1\_0.DLL : MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Authentication Package Name** \[Type = UnicodeString\]**:** the name of loaded [Authentication Package](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374733(v=vs.85).aspx). The format is: DLL\_PATH\_AND\_NAME: AUTHENTICATION\_PACKAGE\_NAME. + +By default the only one Authentication Package loaded by Windows 10 is “[MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378753(v=vs.85).aspx)”. + +## Security Monitoring Recommendations + +For 4610(S): An authentication package has been loaded by the Local Security Authority. + +- Report all “**Authentication Package Name**” not equals “C:\\Windows\\system32\\msv1\_0.DLL : MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0”, because by default this is the only Authentication Package loaded by Windows 10. + +- Typically this event has an informational purpose. If you have a pre-defined list of allowed Authentication Packages in the system, then you can check whether “**Authentication Package Name”** is in your defined list. + diff --git a/windows/keep-secure/event-4611.md b/windows/keep-secure/event-4611.md new file mode 100644 index 0000000000..4cd9e414e5 --- /dev/null +++ b/windows/keep-secure/event-4611.md 
@@ -0,0 +1,109 @@ +--- +title: 4611(S) A trusted logon process has been registered with the Local Security Authority. (Windows 10) +description: Describes security event 4611(S) A trusted logon process has been registered with the Local Security Authority. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4611(S): A trusted logon process has been registered with the Local Security Authority. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4611 illustration + +***Subcategory:*** [Audit Security System Extension](audit-security-system-extension.md) + +***Event Description:*** + +This event indicates that a logon process has registered with the Local Security Authority ([LSA](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378326(v=vs.85).aspx)). Also, logon requests will now be accepted from this source. + +At the technical level, the event does not come from the registration of a trusted logon process, but from a confirmation that the process is a trusted logon process. If it is a trusted logon process, the event generates. + +A logon process is a trusted part of the operating system that handles the overall logon function for different logon methods (network, interactive, etc.). + +You typically see these events during operating system startup or user logon and authentication actions. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4611 + 0 + 0 + 12289 + 0 + 0x8020000000000000 + + 1048175 + + + Security + DC01.contoso.local + + +- + S-1-5-18 + DC01$ + CONTOSO + 0x3e7 + Winlogon + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that registered the trusted logon process. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that registered the trusted logon process. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. 
+ + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Logon Process Name** \[Type = UnicodeString\]**:** the name of registered logon process. + +## Security Monitoring Recommendations + +For 4611(S): A trusted logon process has been registered with the Local Security Authority. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. + +- Typically this event has an informational purpose. If you defined the list of allowed Logon Processes in the system, then you can check is “**Logon Process Name”** field value in the whitelist or not. + +- + diff --git a/windows/keep-secure/event-4612.md b/windows/keep-secure/event-4612.md new file mode 100644 index 0000000000..ffdc67f828 --- /dev/null +++ b/windows/keep-secure/event-4612.md 
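Review bot: The Security Monitoring Recommendations list in event-4611.md ends with an empty bullet ("+- " as the last added line before the next file), which renders as a blank list item; drop it. The second bullet, "then you can check is “Logon Process Name” field value in the whitelist or not", should read "then you can check whether the “Logon Process Name” field value is in that list". The Subject\Security ID bullet is a sound default (the sample event shows S-1-5-18 / DC01$ registering "Winlogon"); it would help the reader to state explicitly that both conditions, a non-SYSTEM subject and an unexpected Logon Process Name, are worth alerting on independently.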
@@ -0,0 +1,43 @@ +--- +title: 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. (Windows 10) +description: Describes security event 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4612(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk. + +This event doesn't generate when the event log service is stopped or event log is full and events retention is disabled. + +There is no example of this event in this document. + +***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) + +***Event Schema:*** + +*Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. * + +*Number of audit messages discarded: %1 * + +*This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk, or when the auditing system loses connectivity to the event log, such as when the event log service is stopped.* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- This event can be a sign of hardware issues or lack of system resources (for example, RAM). We recommend monitoring this event and investigating the reason for the condition. + 
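Review bot: The description and the quoted event schema in event-4612.md contradict each other: the third added paragraph says "This event doesn't generate when the event log service is stopped", while the schema text below says the event is generated "when the auditing system loses connectivity to the event log, such as when the event log service is stopped." Reconcile the two, for example by stating that the schema text is the message string shipped with the event and then explaining which behaviour is actually observed. Separately, the italic schema lines carry a space before the closing asterisk ("*... some audits. *" and "*Number of audit messages discarded: %1 *"), which breaks emphasis rendering in markdown; remove the trailing space. The single recommendation frames the event purely as a resource problem; since the message itself reports that audits were discarded, it is worth adding that the gap in audit coverage (number of messages discarded, %1) should be recorded alongside the hardware investigation.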
diff --git a/windows/keep-secure/event-4614.md b/windows/keep-secure/event-4614.md new file mode 100644 index 0000000000..5afea7b670 --- /dev/null +++ b/windows/keep-secure/event-4614.md @@ -0,0 +1,77 @@ +--- +title: 4614(S) A notification package has been loaded by the Security Account Manager. (Windows 10) +description: Describes security event 4614(S) A notification package has been loaded by the Security Account Manager. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4614(S): A notification package has been loaded by the Security Account Manager. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4614 illustration + +***Subcategory:*** [Audit Security System Extension](audit-security-system-extension.md) + +***Event Description:*** + +This event generates every time a Notification Package has been loaded by the [Security Account Manager](https://technet.microsoft.com/en-us/library/cc756748(v=ws.10).aspx). + +In reality, starting with Windows Vista, a notification package should be interpreted as afs [Password Filter](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721882(v=vs.85).aspx). + +Password Filters are DLLs that are loaded or called when passwords are set or changed. + +Each time a system starts, it loads the notification package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages** registry value and performs the initialization sequence for every package. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4614 + 0 + 0 + 12289 + 0 + 0x8020000000000000 + + 1048140 + + + Security + DC01.contoso.local + + +- + WDIGEST + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Notification Package Name** \[Type = UnicodeString\]**:** the name of loaded Notification Package. + +## Security Monitoring Recommendations + +For 4614(S): A notification package has been loaded by the Security Account Manager. + +- Typically this event has an informational purpose. If you defined the list of allowed Notification Packages in the system, then you can check is “**Notification Package Name”** field value in the whitelist or not. + diff --git a/windows/keep-secure/event-4615.md b/windows/keep-secure/event-4615.md new file mode 100644 index 0000000000..7089ff1ad7 --- /dev/null +++ b/windows/keep-secure/event-4615.md 
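Review bot: Typo in the event-4614.md description: "should be interpreted as afs [Password Filter]" should read "as a [Password Filter]". The recommendation sentence, "then you can check is “Notification Package Name” field value in the whitelist or not", should read "then you can check whether the “Notification Package Name” field value is in that list". Because the description already states that the packages are read at startup from the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages" registry value, the recommendation could point the reader at that value as the source of the expected list, so that a 4614 naming a package not present there (the sample shows "WDIGEST") stands out.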
@@ -0,0 +1,57 @@ +--- +title: 4615(S) Invalid use of LPC port. (Windows 10) +description: Describes security event 4615(S) Invalid use of LPC port. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4615(S): Invalid use of LPC port. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +It appears that this event never occurs. + +***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) + +***Event Schema:*** + +*Invalid use of LPC port.* + +*Subject:* + +> *Security ID%1* +> +> *Account Name:%2* +> +> *Account Domain:%3* +> +> *Logon ID:%4* + +*Process Information:* + +> *PID:%7* +> +> *Name:%8* + +*Invalid Use:%5* + +*LPC Server Port Name:%6* + +*Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSA’s use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel." * + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-4616.md b/windows/keep-secure/event-4616.md new file mode 100644 index 0000000000..3be067d588 --- /dev/null +++ b/windows/keep-secure/event-4616.md 
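Review bot: The opening statement in event-4615.md, "It appears that this event never occurs.", is given without any basis; either state what it rests on (which platforms or versions it was checked against) or soften it. In the quoted schema, "Security ID%1" is missing the colon that the sibling fields use ("Account Name:%2", "Account Domain:%3"), and the last schema paragraph ends with a stray closing quote, "communications channel." *", that should be removed. The recommendations section says there is no recommendation, yet the schema text itself says the process "should be investigated to ensure that it is not attempting to tamper with this communications channel"; suggest the recommendation at least echo that, pointing the reader at the "Process Information" PID and Name fields.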
@@ -0,0 +1,172 @@ +--- +title: 4616(S) The system time was changed. (Windows 10) +description: Describes security event 4616(S) The system time was changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4616(S): The system time was changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4616 illustration + +***Subcategory:*** [Audit Security State Change](audit-security-state-change.md) + +***Event Description:*** + +This event generates every time system time was changed. + +This event is always logged regardless of the "Audit Security State Change" sub-category setting. + +You will typically see these events with “**Subject\\Security ID**” = “**LOCAL SERVICE**”, these are normal time correction actions. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4616 + 1 + 0 + 12288 + 0 + 0x8020000000000000 + + 1101699 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x48f29 + 2015-10-09T05:04:30.000941900Z + 2015-10-09T05:04:30.000000000Z + 0x1074 + C:\\Windows\\WinSxS\\amd64\_microsoft-windows-com-surrogate-core\_31bf3856ad364e35\_6.3.9600.16384\_none\_25a8f00faa8f185c\\dllhost.exe + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** + +- 0 - Windows Server 2008, Windows Vista. + +- 1 - Windows Server 2008 R2, Windows 7. + + - Added “Process Information” section. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “change system time” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change system time” operation. 
+ +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Process Information** \[Version 1\]**:** + +- **Process ID** \[Type = Pointer\] \[Version 1\]: hexadecimal Process ID of the process that changed the system time. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Name** \[Type = UnicodeString\] \[Version 1\]**:** full path and the name of the executable for the process. + +**Previous Time** \[Type = FILETIME\]: previous time in ***UTC*** time zone. The format is **YYYY-MM-DDThh:mm:ss.nnnnnnnZ**: + +- Y - years + +- M - months + +- D - days + +- T - the beginning of the time element, as specified in [ISO 8601](http://www.iso.org/iso/home/standards/iso8601.htm). 
+ +- h - hours + +- m - minutes + +- s - seconds + +- n - fractional seconds + +- Z - the zone designator for the zero UTC offset. "09:30 UTC" is therefore represented as "09:30Z". "14:45:15 UTC" would be "14:45:15Z". + +**New Time** \[Type = FILETIME\]: new time that was set in ***UTC*** time zone. The format is **YYYY-MM-DDThh:mm:ss.nnnnnnnZ**: + +- Y - years + +- M - months + +- D - days + +- T - the beginning of the time element, as specified in [ISO 8601](http://www.iso.org/iso/home/standards/iso8601.htm). + +- h - hours + +- m - minutes + +- s - seconds + +- n - fractional seconds + +- Z - the zone designator for the zero UTC offset. "09:30 UTC" is therefore represented as "09:30Z". "14:45:15 UTC" would be "14:45:15Z". + +## Security Monitoring Recommendations + +For 4616(S): The system time was changed. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Report all “**Subject\\Security ID**” not equals **“LOCAL SERVICE”**, which means that the time change was not made not by Windows Time service. + +- Report all “**Process Information\\Name**” not equals **“C:\\Windows\\System32\\svchost.exe”** (path to svchost.exe can be different, you can search for “svchost.exe” substring), which means that the time change was not made not by Windows Time service. + + + +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + 
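Review bot: The first two monitoring bullets in event-4616.md contain a double negative, "was not made not by Windows Time service"; it should read "was not made by the Windows Time service". The field naming in the same list is inconsistent: the second bullet refers to "Process Information\Name", while the last three refer to "Process Name", which does not appear in the Field Descriptions for this event; use "Process Information\Name" throughout. In the description, "This event generates every time system time was changed" should be "every time the system time is changed". The "Previous Time" and "New Time" bullets repeat the same nine-item format list; consider describing the format once and referring back to it. The sample event (Subject dadmin, process dllhost.exe) is exactly the case the first two bullets would flag, so it would help the reader to say so next to the sample.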
diff --git a/windows/keep-secure/event-4618.md b/windows/keep-secure/event-4618.md new file mode 100644 index 0000000000..e9b106a0b3 --- /dev/null +++ b/windows/keep-secure/event-4618.md 
@@ -0,0 +1,97 @@ +--- +title: 4618(S) A monitored security event pattern has occurred. (Windows 10) +description: Describes security event 4618(S) A monitored security event pattern has occurred. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4618(S): A monitored security event pattern has occurred. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) + +This event can be generated (invoked) only externally using the following command: + +**%windir%\\system32\\rundll32 %windir%\\system32\\authz.dll,AuthziGenerateAdminAlertAudit OrgEventId ComputerName UserSid UserName UserDomain UserLogonId EventCount Duration** + +Account must have **SeAuditPrivilege** (Generate security audits) to be able to generate this event. + +- **UserSid** is resolved when viewing the event in event viewer. + +- Only **OrgEventID**, **ComputerName**, and **EventCount** are required—others are optional. Fields not specified appear with “**-**“ in the event description field. + +- If a field doesn’t match the expected data type, the event is not generated. (i.e., if **EventCount** = “XYZ” then no event is generated.) + +- **UserSid**, **UserName**, and **UserDomain** are not related to each other (think **SubjectUser** fields, where they are) + +- Parameters are space delimited, even if a parameter is enclosed in double-quotes. + +- Here are the expected data types for the parameters: + +| Parameter | Expected Data Type | +|--------------|--------------------------------------------------| +| OrgEventID | Ulong | +| ComputerName | String | +| UserSid | SID (in string format) | +| UserName | String | +| UserDomain | String | +| UserLogonID | Luid (a ULongLong converted to Hex in the event) | +| EventCount | Ulong | +| Duration | String | + +Event 4618 illustration + +
+ +***Event XML:*** +``` +- +- + + 4618 + 0 + 0 + 12290 + 0 + 0x8020000000000000 + + 1198759 + + + Security + DC01.contoso.local + + +- + 4624 + DC01.contoso.local + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x1 + 10 + “Hour" + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +For 4618(S): A monitored security event pattern has occurred. + +- This event can be invoked only manually/intentionally, it is up to you how interpret this event depends on information you put inside of it. + diff --git a/windows/keep-secure/event-4621.md b/windows/keep-secure/event-4621.md new file mode 100644 index 0000000000..82eeb320a4 --- /dev/null +++ b/windows/keep-secure/event-4621.md 
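Review bot: Parameter names in event-4618.md are spelled differently in the command line ("OrgEventId", "UserLogonId") and in the data-type table ("OrgEventID", "UserLogonID"); pick one spelling and use it in both places. The sample XML value "“Hour"" mixes a curly opening quote with a straight closing quote; if the quotes are meant to show the literal parameter text (the text says parameters are space delimited "even if a parameter is enclosed in double-quotes"), use matching straight quotes. The bullet "UserSid, UserName, and UserDomain are not related to each other (think SubjectUser fields, where they are)" is hard to follow; if the intent is that these three values are taken as supplied and not validated against each other, unlike the Subject fields of other events, say that. The final recommendation, "This event can be invoked only manually/intentionally, it is up to you how interpret this event depends on information you put inside of it.", should read "Because this event can be generated only intentionally, how you interpret it depends on the information you put into it."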
@@ -0,0 +1,43 @@ +--- +title: 4621(S) Administrator recovered system from CrashOnAuditFail. (Windows 10) +description: Describes security event 4621(S) Administrator recovered system from CrashOnAuditFail. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4621(S): Administrator recovered system from CrashOnAuditFail. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event is logged after a system reboots following [CrashOnAuditFail](https://technet.microsoft.com/en-us/library/cc963220.aspx?f=255&MSPPError=-2147217396). It generates when CrashOnAuditFail = 2. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Security State Change](audit-security-state-change.md) + +***Event Schema:*** + +*Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.* + +*Value of CrashOnAuditFail:%1* + +*This event is logged after a system reboots following CrashOnAuditFail.* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- We recommend triggering an alert for any occurrence of this event. The event shows that the system halted because it could not record an auditable event in the Security Log, as described in [CrashOnAuditFail](https://technet.microsoft.com/en-us/library/cc963220.aspx?f=255&MSPPError=-2147217396). + +- If your computers don’t have the [CrashOnAuditFail](https://technet.microsoft.com/en-us/library/cc963220.aspx?f=255&MSPPError=-2147217396) flag enabled, then this event will be a sign that some settings are not set to baseline settings or were changed. + diff --git a/windows/keep-secure/event-4622.md b/windows/keep-secure/event-4622.md new file mode 100644 index 0000000000..09fae3de05 --- /dev/null 
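Review bot: The three CrashOnAuditFail links in event-4621.md carry error-page query parameters, "?f=255&MSPPError=-2147217396"; link to the plain article URL. The description says the event "generates when CrashOnAuditFail = 2" and the schema exposes "Value of CrashOnAuditFail:%1"; it would help to connect the two so the reader knows the reported value is the registry setting that caused the halt. The recommendations are good as they stand; the second bullet could be tightened to "If CrashOnAuditFail is not enabled on your computers, this event indicates that the setting differs from your baseline or was changed."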
+++ b/windows/keep-secure/event-4622.md @@ -0,0 +1,99 @@ +--- +title: 4622(S) A security package has been loaded by the Local Security Authority. (Windows 10) +description: Describes security event 4622(S) A security package has been loaded by the Local Security Authority. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4622(S): A security package has been loaded by the Local Security Authority. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4622 illustration + +***Subcategory:*** [Audit Security System Extension](audit-security-system-extension.md) + +***Event Description:*** + +This event generates every time [Security Package](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380501(v=vs.85).aspx) has been loaded by the Local Security Authority ([LSA](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378326(v=vs.85).aspx)). + +Security Package is the software implementation of a security protocol (Kerberos, NTLM, for example). Security packages are contained in security support provider DLLs or security support provider/authentication package DLLs. + +Each time the system starts, the LSA loads the Security Package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages** registry value and performs the initialization sequence for every package located in these DLLs. + +It is also possible to add security package dynamically using [AddSecurityPackage](https://msdn.microsoft.com/en-us/library/windows/desktop/dd401506(v=vs.85).aspx) function, not only during system startup process. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4622 + 0 + 0 + 12289 + 0 + 0x8020000000000000 + + 1048131 + + + Security + DC01.contoso.local + + +- + C:\\Windows\\system32\\kerberos.DLL : Kerberos + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Security Package Name** \[Type = UnicodeString\]**:** the name of loaded Security Package. The format is: DLL\_PATH\_AND\_NAME: SECURITY\_PACKAGE\_NAME. + +These are some Security Package DLLs loaded by default in Windows 10: + +- C:\\Windows\\system32\\schannel.DLL : Microsoft Unified Security Protocol Provider + +- C:\\Windows\\system32\\schannel.DLL : Schannel + +- C:\\Windows\\system32\\cloudAP.DLL : CloudAP + +- C:\\Windows\\system32\\wdigest.DLL : WDigest + +- C:\\Windows\\system32\\pku2u.DLL : pku2u + +- C:\\Windows\\system32\\tspkg.DLL : TSSSP + +- C:\\Windows\\system32\\msv1\_0.DLL : NTLM + +- C:\\Windows\\system32\\kerberos.DLL : Kerberos + +- C:\\Windows\\system32\\negoexts.DLL : NegoExtender + +- C:\\Windows\\system32\\lsasrv.dll : Negotiate + +## Security Monitoring Recommendations + +For 4622(S): A security package has been loaded by the Local Security Authority. + +- Typically this event has an informational purpose. If you defined the list of allowed Security Packages in the system, then you can check is “**Security Package Name”** field value in the whitelist or not. + diff --git a/windows/keep-secure/event-4624.md b/windows/keep-secure/event-4624.md new file mode 100644 index 0000000000..3cb4f0c190 --- /dev/null +++ b/windows/keep-secure/event-4624.md 
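Review bot: Missing articles in the event-4622.md description: "every time [Security Package] has been loaded" should be "every time a [Security Package] has been loaded", and "add security package dynamically using [AddSecurityPackage] function" should be "add a security package dynamically using the [AddSecurityPackage] function". The recommendation sentence, "then you can check is “Security Package Name” field value in the whitelist or not", should read "then you can check whether the “Security Package Name” field value is in that list". Since the description itself notes that packages can be added at runtime rather than only at startup, the recommendations could add that a 4622 logged outside the startup sequence, or naming a DLL path outside C:\Windows\system32 (the only location in the default list shown), deserves a closer look; the default list in this hunk is a natural starting allow list.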
@@ -0,0 +1,308 @@ +--- +title: 4624(S) An account was successfully logged on. (Windows 10) +description: Describes security event 4624(S) An account was successfully logged on. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4624(S): An account was successfully logged on. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4624 illustration + +***Subcategory:*** [Audit Logon](audit-logon.md) + +***Event Description:*** + +This event generates when a logon session is created (on destination machine). It generates on the computer that was accessed, where the session was created. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + 211 + + + Security + WIN-GG82ULGC9GO + + +- + S-1-5-18 + WIN-GG82ULGC9GO$ + WORKGROUP + 0x3e7 + S-1-5-21-1377283216-344919071-3415362939-500 + Administrator + WIN-GG82ULGC9GO + 0x8dcdc + 2 + User32 + Negotiate + WIN-GG82ULGC9GO + {00000000-0000-0000-0000-000000000000} + - + - + 0 + 0x44c + C:\\Windows\\System32\\svchost.exe + 127.0.0.1 + 0 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** + +- 0 - Windows Server 2008, Windows Vista. + +- 1 - Windows Server 2012, Windows 8. + + - Added “Impersonation Level” field. + +- 2 – Windows 10. + + - Added “Logon Information:” section. + + - **Logon Type** moved to “Logon Information:” section. + + - Added “Restricted Admin Mode” field. + + - Added “Virtual Account” field. + + - Added “Elevated Token” field. + + - Added “Linked Logon ID” field. + + - Added “Network Account Name” field. + + - Added “Network Account Domain” field. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. 
When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about successful logon. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.” + +**Logon Information** \[Version 2\]**: ** + +- **Logon Type** \[Version 0, 1, 2\] \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field. + +## Logon types and descriptions + +| Logon Type | Logon Title | Description | +|------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 2 | Interactive | A user logged on to this computer. 
| +| 3 | Network | A user or computer logged on to this computer from the network. | +| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. | +| 5 | Service | A service was started by the Service Control Manager. | +| 7 | Unlock | This workstation was unlocked. | +| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). | +| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. | +| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | +| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | + +- **Restricted Admin Mode** \[Version 2\] \[Type = UnicodeString\]**:** Only populated for **RemoteInteractive** logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10. + + Reference: . + + If not a **RemoteInteractive** logon, then this will be "-" string. 
+ +- **Virtual Account** \[Version 2\] \[Type = UnicodeString\]**:** a “Yes” or “No” flag, which indicates if the account is a virtual account (e.g., "[Managed Service Account](https://technet.microsoft.com/en-us/library/dd560633(v=ws.10).aspx)"), which was introduced in Windows 7 and Windows Server 2008 R2 to provide the ability to identify the account that a given Service uses, instead of just using "NetworkService". + +- **Elevated Token** \[Version 2\] \[Type = UnicodeString\]**:** a “Yes” or “No” flag. If “Yes” then the session this event represents is elevated and has administrator privileges. + +**Impersonation Level** \[Version 1, 2\] \[Type = UnicodeString\]: can have one of these four values: + +- SecurityAnonymous (displayed as **empty string**): The server process cannot obtain identification information about the client, and it cannot impersonate the client. It is defined with no value given, and thus, by ANSI C rules, defaults to a value of zero. + +- SecurityIdentification (displayed as "**Identification**"): The server process can obtain information about the client, such as security identifiers and privileges, but it cannot impersonate the client. This is useful for servers that export their own objects, for example, database products that export tables and views. Using the retrieved client-security information, the server can make access-validation decisions without being able to use other services that are using the client's security context. + +- SecurityImpersonation (displayed as "**Impersonation**"): The server process can impersonate the client's security context on its local system. The server cannot impersonate the client on remote systems. This is the most common type. + +- SecurityDelegation (displayed as "**Delegation**"): The server process can impersonate the client's security context on remote systems. + +**New Logon:** + +- **Security ID** \[Type = SID\]**:** SID of account for which logon was performed. 
Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which logon was performed. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. 
+ +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.” + +- **Linked Logon ID** \[Version 2\] \[Type = HexInt64\]**:** A hexadecimal value of the paired logon session. If there is no other logon session associated with this logon session, then the value is “**0x0**”. + +- **Network Account Name** \[Version 2\] \[Type = UnicodeString\]**:** User name that will be used for outbound (network) connections. Valid only for [NewCredentials](#logon-types-and-descriptions) logon type. + + If not **NewCredentials** logon, then this will be a "-" string. + +- **Network Account Domain** \[Version 2\] \[Type = UnicodeString\]**:** Domain for the user that will be used for outbound (network) connections. Valid only for [NewCredentials](#logon-types-and-descriptions) logon type. + + If not **NewCredentials** logon, then this will be a "-" string. + +- **Logon GUID** \[Type = GUID\]: a GUID that can help you correlate this event with another event that can contain the same **Logon GUID**, “[4769](event-4769.md)(S, F): A Kerberos service ticket was requested event on a domain controller. + + It also can be used for correlation between a 4624 event and several other events (on the same computer) that can contain the same **Logon GUID**, “[4648](event-4648.md)(S): A logon was attempted using explicit credentials” and “[4964](event-4964.md)(S): Special groups have been assigned to a new logon.” + + This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”. + +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. 
+ +**Process Information:** + +- **Caller Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Caller Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + +**Network Information:** + +- **Workstation Name** \[Type = UnicodeString\]**:** machine name from which logon attempt was performed. + +- **Source Network Address** \[Type = UnicodeString\]**:** IP address of machine from which logon attempt was performed. + + - IPv6 address or ::ffff:IPv4 address of a client. + + - ::1 or 127.0.0.1 means localhost. + +- **Source Port** \[Type = UnicodeString\]: source port which was used for logon attempt from remote machine. + + - 0 for interactive logons. + +**Detailed Authentication Information:** + +- **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon. See event “[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority” description for more information. + +- **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package which was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig” registry key. Other packages can be loaded at runtime. 
When a new package is loaded a “[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “[4622](event-4622.md): A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are: + + - **NTLM** – NTLM-family Authentication + + - **Kerberos** – Kerberos authentication. + + - **Negotiate** – the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos. + +- **Transited Services** \[Type = UnicodeString\] \[Kerberos-only\]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see + +- **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager sub-package ([NTLM-family](https://msdn.microsoft.com/en-us/library/cc236627.aspx) protocol name) that was used during logon. Possible values are: + + - “NTLM V1” + + - “NTLM V2” + + - “LM” + + Only populated if “**Authentication Package” = “NTLM”**. + +- **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](https://msdn.microsoft.com/en-us/library/cc236650.aspx) key. Typically it has 128 bit or 56 bit length. This parameter is always 0 if “**Authentication Package” = “Kerberos”**, because it is not applicable for Kerberos protocol. 
This field will also have “0” value if Kerberos was negotiated using **Negotiate** authentication package. + +## Security Monitoring Recommendations + +For 4624(S): An account was successfully logged on. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“New Logon\\Security ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“New Logon\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“New Logon\\Security ID”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“New Logon\\Security ID”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“New Logon\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. 
| +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“New Logon\\Security ID”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + +- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. + +- If “**Restricted Admin**” mode must be used for logons by certain accounts, use this event to monitor logons by “**New Logon\\Security ID**” in relation to “**Logon Type**”=10 and “**Restricted Admin Mode**”=”Yes”. If “**Restricted Admin Mode**”=”No” for these accounts, trigger an alert. + +- If you need to monitor all logon events for accounts with administrator privileges, monitor this event with “**Elevated Token**”=”Yes”. + +- If you need to monitor all logon events for managed service accounts and group managed service accounts, monitor for events with “**Virtual Account**”=”Yes”. + +- To monitor for a mismatch between the logon type and the account that uses it (for example, if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor **Logon Type** in this event. + +- If your organization restricts logons in the following ways, you can use this event to monitor accordingly: + + - If the user account **“New Logon\\Security ID”** should never be used to log on from the specific **Computer:**. + + - If **New Logon\\Security ID** credentials should not be used from **Workstation Name** or **Source Network Address**. 
+ + - If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for **Network Information\\Source Network Address** and compare the network address with your list of IP addresses. + + - If a particular version of NTLM is always used in your organization. In this case, you can use this event to monitor **Package Name (NTLM only)**, for example, to find events where **Package Name (NTLM only)** does not equal **NTLM V2**. + + - If NTLM is not used in your organization, or should not be used by a specific account (**New Logon\\Security ID**). In this case, monitor for all events where **Authentication Package** is NTLM. + + - If the **Authentication Package** is NTLM. In this case, monitor for **Key Length** not equal to 128, because all Windows operating systems starting with Windows 2000 support 128-bit Key Length. + +- If you monitor for potentially malicious software, or software that is not authorized to request logon actions, monitor this event for **Process Name**. + +- If you have a trusted logon processes list, monitor for a **Logon Process** that is not from the list. + diff --git a/windows/keep-secure/event-4625.md b/windows/keep-secure/event-4625.md new file mode 100644 index 0000000000..9a040ff053 --- /dev/null +++ b/windows/keep-secure/event-4625.md 
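Review bot: In event-4624.md, the "External accounts" and "Account naming conventions" rows of the monitoring table point at **Subject\\Account Domain** and **Subject\\Account Name**, but the bullet directly below the table states that Subject is typically SYSTEM; the account that actually logged on is under **New Logon**, so those rows should read `Monitor this event for the "New Logon\\Account Domain" ...` and `Monitor "New Logon\\Account Name" for names that don't comply ...`. The Restricted Admin Mode bullet ends with an empty `Reference: .` and the Transited Services bullet ends with `For more information about S4U, see` and no link; either supply the references or drop the dangling sentences. The Transited Services description says "the list of transmitted services" where the field is named Transited, and the malicious-software bullet tells readers to monitor **Process Name** while the field defined above is **Caller Process Name**; aligning the names keeps readers from searching for a field the event does not carry.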
@@ -0,0 +1,289 @@ +--- +title: 4625(F) An account failed to log on. (Windows 10) +description: Describes security event 4625(F) An account failed to log on. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4625(F): An account failed to log on. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4625 illustration + +***Subcategories:*** [Audit Account Lockout](audit-account-lockout.md) and [Audit Logon](audit-logon.md) + +***Event Description:*** + +This event generates if an account logon attempt failed when the account was already locked out. It also generates for a logon attempt after which the account was locked out. + +It generates on the computer where logon attempt was made, for example, if logon attempt was made on user’s workstation, then event will be logged on this workstation. + +This event generates on domain controllers, member servers, and workstations. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4625 + 0 + 0 + 12546 + 0 + 0x8010000000000000 + + 229977 + + + Security + DC01.contoso.local + + +- + S-1-5-18 + DC01$ + CONTOSO + 0x3e7 + S-1-0-0 + Auditor + CONTOSO + 0xc0000234 + %%2307 + 0x0 + 2 + User32 + Negotiate + DC01 + - + - + 0 + 0x1bc + C:\\Windows\\System32\\winlogon.exe + 127.0.0.1 + 0 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that reported information about logon failure. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about logon failure. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +**Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field. + +| Logon Type | Logon Title | Description | +|-----------------------------------------------------------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 2 | Interactive | A user logged on to this computer. | +| 3 | Network | A user or computer logged on to this computer from the network. | +| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. | +| 5 | Service | A service was started by the Service Control Manager. | +| 7 | Unlock | This workstation was unlocked. | +| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). | +| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. 
The new logon session has the same local identity, but uses different credentials for other network connections. | +| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | +| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | + +> Table: Windows Logon Types + +**Account For Which Logon Failed:** + +- **Security ID** \[Type = SID\]**:** SID of the account that was specified in the logon attempt. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was specified in the logon attempt. + +- **Account Domain** \[Type = UnicodeString\]**:** domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Failure Information:** + +- **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event it typically has “**Account locked out**” value. + +- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event it typically has “**0xC0000234**” value. The most common status codes are listed in “Table 12. Windows logon status codes.” + +| Status\\Sub-Status Code | Description | +|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0XC000005E | There are currently no logon servers available to service the logon request. | +| 0xC0000064 | User logon with misspelled or bad user account | +| 0xC000006A | User logon with misspelled or bad password | +| 0XC000006D | This is either due to a bad username or authentication information | +| 0XC000006E | Unknown user name or bad password. 
| +| 0xC000006F | User logon outside authorized hours | +| 0xC0000070 | User logon from unauthorized workstation | +| 0xC0000071 | User logon with expired password | +| 0xC0000072 | User logon to account disabled by administrator | +| 0XC00000DC | Indicates the Sam Server was in the wrong state to perform the desired operation. | +| 0XC0000133 | Clocks between DC and other computer too far out of sync | +| 0XC000015B | The user has not been granted the requested logon type (aka logon right) at this machine | +| 0XC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. | +| 0XC0000192 | An attempt was made to logon, but the N**etlogon** service was not started. | +| 0xC0000193 | User logon with expired account | +| 0XC0000224 | User is required to change password at next logon | +| 0XC0000225 | Evidently a bug in Windows and not a risk | +| 0xC0000234 | User logon with account locked | +| 0XC00002EE | Failure Reason: An Error occurred during Logon | +| 0XC0000413 | Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. | +| 0x0 | Status OK. | + +> Table: Windows logon status codes. + +> **Note**  To see the meaning of other status\\sub-status codes you may also check for status code in the Window header file ntstatus.h in Windows SDK. + +More information: + +- **Sub Status** \[Type = HexInt32\]**:** additional information about logon failure. The most common sub-status codes listed in the “Table 12. Windows logon status codes.”. + +**Process Information:** + +- **Caller Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. 
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Caller Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + +**Network Information:** + +- **Workstation Name** \[Type = UnicodeString\]**:** machine name from which logon attempt was performed. + +- **Source Network Address** \[Type = UnicodeString\]**:** IP address of machine from which logon attempt was performed. + + - IPv6 address or ::ffff:IPv4 address of a client. + + - ::1 or 127.0.0.1 means localhost. + +- **Source Port** \[Type = UnicodeString\]: source port which was used for logon attempt from remote machine. + + - 0 for interactive logons. + +**Detailed Authentication Information:** + +- **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon attempt. See event “[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority” description for more information. + +- **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package which was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig” registry key. Other packages can be loaded at runtime. 
When a new package is loaded a “[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “[4622](event-4622.md): A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are: + + - **NTLM** – NTLM-family Authentication + + - **Kerberos** – Kerberos authentication. + + - **Negotiate** – the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos. + +- **Transited Services** \[Type = UnicodeString\] \[Kerberos-only\]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see + +- **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager sub-package ([NTLM-family](https://msdn.microsoft.com/en-us/library/cc236627.aspx) protocol name) that was used during the logon attempt. Possible values are: + + - “NTLM V1” + + - “NTLM V2” + + - “LM” + + Only populated if “**Authentication Package” = “NTLM”**. + +- **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](https://msdn.microsoft.com/en-us/library/cc236650.aspx) key. Typically it has 128 bit or 56 bit length. This parameter is always 0 if “**Authentication Package” = “Kerberos”**, because it is not applicable for Kerberos protocol. 
This field will also have “0” value if Kerberos was negotiated using **Negotiate** authentication package. + +## Security Monitoring Recommendations + +For 4625(F): An account failed to log on. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + + + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + +- If **Subject\\Account Name** is a name of service account or user account, it may be useful to investigate whether that account is allowed (or expected) to request logon for **Account For Which Logon Failed\\Security ID**. + +- To monitor for a mismatch between the logon type and the account that uses it (for example, if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor **Logon Type** in this event. + +- If you have a high-value domain or local account for which you need to monitor every lockout, monitor all [4625](event-4625.md) events with the **“Subject\\Security ID”** that corresponds to the account. + +- We recommend monitoring all [4625](event-4625.md) events for local accounts, because these accounts typically should not be locked out. This is especially relevant for critical servers, administrative workstations, and other high value assets. 
+ +- We recommend monitoring all [4625](event-4625.md) events for service accounts, because these accounts should not be locked out or prevented from functioning. This is especially relevant for critical servers, administrative workstations, and other high value assets. + +- If your organization restricts logons in the following ways, you can use this event to monitor accordingly: + + - If the **“Account For Which Logon Failed \\Security ID”** should never be used to log on from the specific **Network Information\\Workstation Name**. + + - If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for **Network Information\\Source Network Address** and compare the network address with your list of IP addresses. + + - If a particular version of NTLM is always used in your organization. In this case, you can use this event to monitor **Package Name (NTLM only)**, for example, to find events where **Package Name (NTLM only)** does not equal **NTLM V2**. + + - If NTLM is not used in your organization, or should not be used by a specific account (**New Logon\\Security ID**). In this case, monitor for all events where **Authentication Package** is NTLM. + + - If the **Authentication Package** is NTLM. In this case, monitor for **Key Length** not equal to 128, because all Windows operating systems starting with Windows 2000 support 128-bit Key Length. + + - If **Logon Process** is not from a trusted logon processes list. + +- Monitor for all events with the fields and values in the following table: + +| **Field** | Value to monitor for | +|----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
This is typically not a security issue but it can be an infrastructure or availability issue. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
Especially if you get a number of these in a row, it can be a sign of user enumeration attack. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts.
Especially watch for a number of such events in a row. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts.
Especially watch for a number of such events in a row. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
This is typically not a security issue but it can be an infrastructure or availability issue. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. | + diff --git a/windows/keep-secure/event-4626.md b/windows/keep-secure/event-4626.md new file mode 100644 index 0000000000..83fa8fe837 --- /dev/null +++ b/windows/keep-secure/event-4626.md @@ -0,0 +1,181 @@ +--- +title: 4626(S) User/Device claims information. (Windows 10) +description: Describes security event 4626(S) User/Device claims information. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4626(S): User/Device claims information. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4626 illustration + +***Subcategory:*** [Audit User/Device Claims](audit-user-device-claims.md) + +***Event Description:*** + +This event generates for new account logons and contains user/device claims which were associated with a new logon session. + +This event does not generate if the user/device doesn’t have claims. + +For computer account logons you will also see device claims listed in the “**User Claims**” field. + +You will typically get “[4624](event-4624.md): An account was successfully logged on” and after it a 4626 event with the same information in **Subject**, **Logon Type** and **New Logon** sections. + +This event generates on the computer to which the logon was performed (target computer). For example, for Interactive logons it will be the same computer. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
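Review bot: the 4625 monitoring bullets use a field name the event does not have, and the first bullet is a condition with no action. The fourth bullet says "or should not be used by a specific account (**New Logon\\Security ID**)", but 4625 has no New Logon section; the first bullet correctly calls the same field **Account For Which Logon Failed\\Security ID**, so use that name in both. The first bullet ("If the ... Security ID should never be used to log on from the specific Network Information\\Workstation Name.") stops at the condition; add the "monitor for" clause the other bullets have, e.g. "monitor for 4625 events where that account and workstation appear together". In the table, every row is labelled "Failure Information\\Status or Failure Information\\Sub Status"; state which of the two attributes each code is reported in so a filter can target the right field (0xC000006D is the Status that accompanies Sub Status 0xC0000064 or 0xC000006A, for instance). Finally, the hex prefix alternates between 0X (0XC000005E, 0XC000006D, 0XC000015B, 0XC0000192, 0XC0000413) and 0x; normalise to lowercase 0x so values copied into a query match the event text.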
+ +***Event XML:*** +``` +- +- + + 4626 + 0 + 0 + 12553 + 0 + 0x8020000000000000 + + 232648 + + + Security + DC01.contoso.local + + +- + S-1-0-0 + - + - + 0x0 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x136f7b + 3 + 1 + 1 + ad://ext/cn:88d2b96fdb2b4c49 <%%1818> : "dadmin" ad://ext/Department:88d16a8edaa8c66b <%%1818> : "IT" + - + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2012, Windows 8. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that reported information about claims. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about claims. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field: + +| Logon Type | Logon Title | Description | +|------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 2 | Interactive | A user logged on to this computer. | +| 3 | Network | A user or computer logged on to this computer from the network. | +| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. | +| 5 | Service | A service was started by the Service Control Manager. | +| 7 | Unlock | This workstation was unlocked. | +| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. 
The credentials do not traverse the network in plaintext (also called cleartext). | +| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. | +| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | +| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | + +**New Logon:** + +- **Security ID** \[Type = SID\]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which logon was performed. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Event in sequence** \[Type = UInt32\]**: I**f is there is not enough space in one event to put all claims, you will see “**1 of N**” in this field and additional events will be generated. Typically this field has “**1 of 1**” value. + +**User Claims** \[Type = UnicodeString\]**:** list of user claims for new logon session. This field contains user claims if user account was logged in and device claims if computer account was logged in. Here is an example how to parse the entrance of this field: + +- ad://ext/cn:88d2b96fdb2b4c49 <String> : “dadmin” + + - cn – claim display name. + + - 88d2b96fdb2b4c49 – unique claim ID. + + - <String> - claim type. + + - “dadmin” – claim value. + +**Device Claims** \[Type = UnicodeString\]**:** list of device claims for new logon session. For user accounts this field typically has “**-**“ value**.** For computer accounts this field has device claims listed. + +## Security Monitoring Recommendations + +For 4626(S): User/Device claims information. + +- Typically this action is reported by the NULL SID account, so we recommend reporting all events with **“Subject\\Security ID”** not equal “**NULL SID**”. 
+ +- If you need to monitor account logons with specific claims, you can monitor for [4626](event-4626.md) and check **User Claims**\\**Device Claims** fields. + +- If you have specific requirements, such as: + + - Users with specific claims should not access specific computers; + + - Computer account should not have specific claims; + + - User account should not have specific claims; + + - Claim should not be empty + + - And so on… + + You can monitor for [4626](event-4626.md) and check **User Claims**\\**Device Claims** fields. + +- If you need to monitor computer/user logon attempts only and you don’t need information about claims, then it is better to monitor “[4624](event-4624.md): An account was successfully logged on.” + diff --git a/windows/keep-secure/event-4627.md b/windows/keep-secure/event-4627.md new file mode 100644 index 0000000000..811fd6f830 --- /dev/null +++ b/windows/keep-secure/event-4627.md @@ -0,0 +1,152 @@ +--- +title: 4627(S) Group membership information. (Windows 10) +description: Describes security event 4627(S) Group membership information. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4627(S): Group membership information. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4627 illustration + +***Subcategory:*** [Audit Group Membership](audit-group-membership.md) + +***Event Description:*** + +This event generates with “[4624](event-4624.md)(S): An account was successfully logged on” and shows the list of groups that the logged-on account belongs to. + +You must also enable the Success audit for [Audit Logon](audit-logon.md) subcategory to get this event. + +Multiple events are generated if the group membership information cannot fit in a single security audit event. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
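Review bot: the 4626 description contradicts its own field table about where device claims appear. The description says "For computer account logons you will also see device claims listed in the "User Claims" field", while the **Device Claims** entry says "For computer accounts this field has device claims listed"; pick one and make the other agree. The parsing example writes the claim type as <String>, but the sample XML carries <%%1818>; add a sentence that %%1818 is the message-resource placeholder Event Viewer renders as String, otherwise a reader filtering raw XML will search for a literal "<String>" and find nothing. Under **New Logon**, **Account Domain** is described as "subject's domain or computer name", copied from the Subject section; it should describe the domain of the account that logged on. Minor wording: "**I**f is there is not enough space" has a stray bold letter and an extra "is", and "parse the entrance of this field" should read "parse an entry in this field".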
+ +***Event XML:*** +``` +- +- + + 4627 + 0 + 0 + 12554 + 0 + 0x8020000000000000 + + 3081 + + + Security + WIN-GG82ULGC9GO.contoso.local + + +- + S-1-0-0 + - + - + 0x0 + S-1-5-21-1377283216-344919071-3415362939-1104 + dadmin + CONTOSO + 0x569860 + 3 + 1 + 1 + %{S-1-5-21-1377283216-344919071-3415362939-513} %{S-1-1-0} %{S-1-5-32-544} %{S-1-5-32-545} %{S-1-5-32-554} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-5-21-1377283216-344919071-3415362939-512} %{S-1-5-21-1377283216-344919071-3415362939-572} %{S-1-5-64-10} %{S-1-16-12288} + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2016, Windows 10. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about successful logon or invokes it. 
+ +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.” + +**Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field: + +| Logon Type | Logon Title | Description | +|------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 2 | Interactive | A user logged on to this computer. | +| 3 | Network | A user or computer logged on to this computer from the network. | +| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. | +| 5 | Service | A service was started by the Service Control Manager. | +| 7 | Unlock | This workstation was unlocked. | +| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. 
The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). | +| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. | +| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | +| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | + +**New Logon:** + +- **Security ID** \[Type = SID\]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which logon was performed. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.” + +**Event in sequence** \[Type = UInt32\]**: I**f is there is not enough space in one event to put all groups, you will see “**1 of N**” in this field and additional events will be generated. Typically this field has “**1 of 1**” value. + +**Group Membership** \[Type = UnicodeString\]**:** the list of group SIDs which logged account belongs to (member of). Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +## Security Monitoring Recommendations + +For 4627(S): Group membership information. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Typically this action is reported by the NULL SID account, so we recommend reporting all events with **“Subject\\Security ID”** not equal “**NULL SID**”. + + + +- If you need to track that a member of a specific group logged on to a computer, check the “**Group Membership**” field. + diff --git a/windows/keep-secure/event-4634.md b/windows/keep-secure/event-4634.md new file mode 100644 index 0000000000..10b678d329 --- /dev/null 
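Review bot: in the 4627 field descriptions, **Group Membership** says Event Viewer "tries to resolve SIDs and show the account name", but the field holds group SIDs (the sample lists S-1-5-32-544, S-1-5-21-...-512 and similar), so this should say "group name"; it would also help to note that in the XML each SID is wrapped as %{SID}, which a parser has to strip before resolving. The Logon ID correlation example points at 4672, while the description says the event is generated together with 4624; the sibling 4626 page uses 4624 for the same sentence, so either switch to 4624 or mention both. The Subject **Security ID** text "SID of account that reported information about successful logon or invokes it" needs rewording (at least "or that invoked it"). As on the 4626 page, **New Logon > Account Domain** still reads "subject's domain" and the "**I**f is there is not enough space" typo recurs.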
+++ b/windows/keep-secure/event-4634.md @@ -0,0 +1,117 @@ +--- +title: 4634(S) An account was logged off. (Windows 10) +description: Describes security event 4634(S) An account was logged off. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4634(S): An account was logged off. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4634 illustration + +***Subcategory:*** [Audit Logoff](audit-logoff.md) + +***Event Description:*** + +This event shows that logon session was terminated and no longer exists. + +The main difference between “[4647](event-4647.md): User initiated logoff.” and 4647 event is that 4647 event is generated when logoff procedure was initiated by specific account using logoff function, and 4634 event shows that session was terminated and no longer exists. + +4647 is more typical for **Interactive** and **RemoteInteractive** logon types when user was logged off using standard methods. You will typically see both 4647 and 4634 events when logoff procedure was initiated by user. + +It may be positively correlated with a “[4624](event-4624.md): An account was successfully logged on.” event using the **Logon ID** value. Logon IDs are only unique between reboots on the same computer. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4634 + 0 + 0 + 12545 + 0 + 0x8020000000000000 + + 230019 + + + Security + DC01.contoso.local + + +- + S-1-5-90-1 + DWM-1 + Window Manager + 0x1a0992 + 2 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that was logged off. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was logged off. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. 
+ + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Logon Type** \[Type = UInt32\]**:** the type of logon which was used. The table below contains the list of possible values for this field: + +| Logon Type | Logon Title | Description | +|------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 2 | Interactive | A user logged on to this computer. | +| 3 | Network | A user or computer logged on to this computer from the network. | +| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. | +| 5 | Service | A service was started by the Service Control Manager. | +| 7 | Unlock | This workstation was unlocked. | +| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). | +| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. 
| +| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | +| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | + +## Security Monitoring Recommendations + +For 4634(S): An account was logged off. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If a particular **Logon Type** should not be used by a particular account (for example if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor this event for such actions. + diff --git a/windows/keep-secure/event-4647.md b/windows/keep-secure/event-4647.md new file mode 100644 index 0000000000..16537024f3 --- /dev/null +++ b/windows/keep-secure/event-4647.md 
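Review bot: the second paragraph of the 4634 description compares 4647 with itself: "The main difference between "4647: User initiated logoff." and 4647 event is that 4647 event is generated when...". The second "4647" should be "4634"; the 4647 page has the same sentence the right way round ("The main difference with "4634(S): An account was logged off." event is that 4647 event is generated..."). The monitoring recommendation on Logon Type 4 or 5 for domain administrators should add that 4634 is written only when the session ends, so the 4624 with the same **Logon ID** is the earlier and primary signal and 4634 supplies the end time of that session. The sample also shows Subject DWM-1 / Window Manager (S-1-5-90-1) with Logon Type 2; one sentence saying that the built-in Window Manager accounts log on and off interactively during normal session setup would stop readers from treating every type-2 logoff as a human user.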
@@ -0,0 +1,100 @@ +--- +title: 4647(S) User initiated logoff. (Windows 10) +description: Describes security event 4647(S) User initiated logoff. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4647(S): User initiated logoff. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4647 illustration + +***Subcategory:*** [Audit Logoff](audit-logoff.md) + +***Event Description:*** + +This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event. + +The main difference with “[4634](event-4634.md)(S): An account was logged off.” event is that 4647 event is generated when logoff procedure was initiated by specific account using logoff function, and 4634 event shows that session was terminated and no longer exists. + +4647 is more typical for **Interactive** and **RemoteInteractive** logon types when user was logged off using standard methods. You will typically see both 4647 and 4634 events when logoff procedure was initiated by user. + +It may be positively correlated with a “[4624](event-4624.md): An account was successfully logged on.” event using the **Logon ID** value. Logon IDs are only unique between reboots on the same computer. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4647 + 0 + 0 + 12545 + 0 + 0x8020000000000000 + + 230200 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x29b379 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “logoff” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “logoff” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +## Security Monitoring Recommendations + +For 4647(S): User initiated logoff. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + diff --git a/windows/keep-secure/event-4648.md b/windows/keep-secure/event-4648.md new file mode 100644 index 0000000000..0f371abb75 --- /dev/null +++ b/windows/keep-secure/event-4648.md 
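Review bot: the 4647 Security Monitoring Recommendations section contains only the Appendix A pointer and no event-specific guidance, unlike the other pages in this patch. At minimum it should say how the event is used: 4647 carries no **Logon Type** field (the sample XML has only SubjectUserSid, SubjectUserName, SubjectDomainName and SubjectLogonId), so the description's claim that "4647 is more typical for Interactive and RemoteInteractive logon types" can only be checked by joining on **Logon ID** to the preceding 4624, and the reader should be told that. Since the same page states "Logon IDs are only unique between reboots on the same computer", the correlation advice should also say the matching 4624 must come from the same host and the same boot.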
@@ -0,0 +1,194 @@ +--- +title: 4648(S) A logon was attempted using explicit credentials. (Windows 10) +description: Describes security event 4648(S) A logon was attempted using explicit credentials. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4648(S): A logon was attempted using explicit credentials. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4648 illustration + +***Subcategory:*** [Audit Logon](audit-logon.md) + +***Event Description:*** + +This event is generated when a process attempts an account logon by explicitly specifying that account’s credentials. + +This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the “RUNAS” command. + +It is also a routine event which periodically occurs during normal operating system activity. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4648 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + 233200 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x31844 + {00000000-0000-0000-0000-000000000000} + ladmin + CONTOSO + {0887F1E4-39EA-D53C-804F-31D568A06274} + localhost + localhost + 0x368 + C:\\Windows\\System32\\svchost.exe + ::1 + 0 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the new logon session with explicit credentials. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the new logon session with explicit credentials. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +- **Logon GUID** \[Type = GUID\]: a GUID that can help you correlate this event with another event that can contain the same **Logon GUID**, “[4769](event-4769.md)(S, F): A Kerberos service ticket was requested event on a domain controller. + + It also can be used for correlation between a 4648 event and several other events (on the same computer) that can contain the same **Logon GUID**, “[4624](event-4624.md)(S): An account was successfully logged on” and “[4964](event-4964.md)(S): Special groups have been assigned to a new logon.” + + This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”. + +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +**Account Whose Credentials Were Used:** + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account whose credentials were used. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon GUID** \[Type = GUID\]: a GUID that can help you correlate this event with another event that can contain the same **Logon GUID**, “[4769](event-4769.md)(S, F): A Kerberos service ticket was requested event on a domain controller. + + It also can be used for correlation between a 4648 event and several other events (on the same computer) that can contain the same **Logon GUID**, “[4624](event-4624.md)(S): An account was successfully logged on” and “[4964](event-4964.md)(S): Special groups have been assigned to a new logon.” + + This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”. + +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +**Target Server:** + +- **Target Server Name** \[Type = UnicodeString\]**:** the name of the server on which the new process was run. Has “**localhost**” value if the process was run locally. + +- **Additional Information** \[Type = UnicodeString\]**:** there is no detailed information about this field in this document. + +**Process Information:** + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was run using explicit credentials. Process ID (PID) is a number used by the operating system to uniquely identify an active process. 
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + +**Network Information:** + +- **Network Address** \[Type = UnicodeString\]**:** IP address of machine from which logon attempt was performed. + + - IPv6 address or ::ffff:IPv4 address of a client. + + - ::1 or 127.0.0.1 means localhost. + +- **Port** \[Type = UnicodeString\]: source port which was used for logon attempt from remote machine. + + - 0 for interactive logons. + +## Security Monitoring Recommendations + +For 4648(S): A logon was attempted using explicit credentials. 
+ +The following table is similar to the table in [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md), but also describes ways of monitoring that use “**Account Whose Credentials Were Used\\Security ID.**” + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **High-value accounts**: You might have high value domain or local accounts for which you need to monitor each action.
Examples of high value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the high value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” for accounts that are outside the whitelist. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform the action corresponding to this event. | Monitor for the **“Subject\\Account Domain”** or “**Account Whose Credentials Were Used\\Security ID**” corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. 
| Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that you are concerned about.
For example, you might monitor to ensure that “**Account Whose Credentials Were Used\\Security ID**” is not used to log on to a certain computer. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** and “**Account Whose Credentials Were Used\\Security ID**” for names that don’t comply with naming conventions. | + +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + + + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + +- If **Subject\\Security ID** should not know or use credentials for **Account Whose Credentials Were Used\\Account Name**, monitor this event. + +- If credentials for **Account Whose Credentials Were Used\\Account Name** should not be used from **Network Information\\Network Address**, monitor this event. + +- Check that **Network Information\\Network Address** is from internal IP address list. For example, if you know that a specific account (for example, a service account) should be used only from specific IP addresses, you can monitor for all events where **Network Information\\Network Address** is not one of the allowed IP addresses. + diff --git a/windows/keep-secure/event-4649.md b/windows/keep-secure/event-4649.md new file mode 100644 index 0000000000..50ea622c1b --- /dev/null +++ b/windows/keep-secure/event-4649.md 
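Review bot: the Security Monitoring Recommendations table repeatedly tells the reader to monitor “Account Whose Credentials Were Used\Security ID”, but the Field Descriptions section and the Event XML show no such field: that section carries only Account Name, Account Domain and Logon GUID, and the sample XML has `ladmin` / `CONTOSO` / a GUID with no second SID. Either the table should say “Account Whose Credentials Were Used\Account Name” (the naming-conventions row should compare against Account Name in any case, since a SID cannot violate a naming convention), or the field list is missing a field. Smaller points in the same hunk: the “Restricted-use computers or devices” row says to monitor “the target **Computer:**”, while the field this event actually exposes is **Target Server Name**; the Logon GUID bullets open a quotation at “[4769](event-4769.md)(S, F): A Kerberos service ticket was requested ...” without closing it; and **Additional Information** is documented only as “there is no detailed information about this field in this document”, which leaves the `localhost` value shown for it in the sample XML unexplained.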
@@ -0,0 +1,79 @@ +--- +title: 4649(S) A replay attack was detected. (Windows 10) +description: Describes security event 4649(S) A replay attack was detected. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4649(S): A replay attack was detected. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates on domain controllers when **KRB\_AP\_ERR\_REPEAT** Kerberos response was sent to the client. + +Domain controllers cache information from recently received tickets. If the server name, client name, time, and microsecond fields from the Authenticator match recently seen entries in the cache, it will return KRB\_AP\_ERR\_REPEAT. You can read more about this in [RFC-1510](http://www.ietf.org/rfc/rfc1510.txt). One potential cause for this is a misconfigured network device between the client and server that could send the same packet(s) repeatedly. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md) + +***Event Schema:*** + +*A replay attack was detected.* + +*Subject:* + +> *Security ID:%1* +> +> *Account Name:%2* +> +> *Account Domain:%3* +> +> *Logon ID:%4* + +*Credentials Which Were Replayed:* + +> *Account Name:%5* +> +> *Account Domain:%6* + +*Process Information:* + +> *Process ID:%12* +> +> *Process Name:%13* + +*Network Information:* + +> *Workstation Name:%10* + +*Detailed Authentication Information:* + +> *Request Type:%7* +> +> *Logon Process:%8* +> +> *Authentication Package:%9* +> +> *Transited Services:%11* + +*This event indicates that a Kerberos replay attack was detected- a request was received twice with identical information. This condition could be caused by network misconfiguration."* + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. 
+ +## Security Monitoring Recommendations + +For 4649(S): A replay attack was detected. + +- This event can be a sign of Kerberos replay attack or, among other things, network device configuration or routing problems. In both cases, we recommend triggering an alert and investigating the reason the event was generated. + diff --git a/windows/keep-secure/event-4656.md b/windows/keep-secure/event-4656.md new file mode 100644 index 0000000000..b7e3893812 --- /dev/null +++ b/windows/keep-secure/event-4656.md 
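Review bot: the closing line of the Event Schema, “*This event indicates that a Kerberos replay attack was detected- a request was received twice with identical information. This condition could be caused by network misconfiguration."*”, has a stray double quote before the closing asterisk and no space before the hyphen; suggest “... was detected - a request was received twice ...” and dropping the quote so the italics render. The opening description, “when **KRB\_AP\_ERR\_REPEAT** Kerberos response was sent to the client”, is missing an article (“when a **KRB\_AP\_ERR\_REPEAT** Kerberos response was sent”). Since the page states there is no example event, the Security Monitoring Recommendations would be more actionable if they named which schema fields an investigator should pull when the alert fires, in particular Workstation Name (%10) and the Credentials Which Were Replayed account (%5/%6), so that a misconfigured device can be distinguished from a genuinely replayed request.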
@@ -0,0 +1,277 @@ +--- +title: 4656(S, F) A handle to an object was requested. (Windows 10) +description: Describes security event 4656(S, F) A handle to an object was requested. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4656(S, F): A handle to an object was requested. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4656 illustration + +***Subcategories:*** [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), and [Audit Removable Storage](audit-removable-storage.md) + +***Event Description:*** + +This event indicates that specific access was requested for an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device. + +If access was declined, a Failure event is generated. + +This event generates only if the object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) has the required ACE to handle the use of specific access rights. + +This event shows that access was requested, and the results of the request, but it doesn’t show that the operation was performed. To see that the operation was performed, check “[4663](event-4663.md)(S): An attempt was made to access an object.” + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. 
+ +***Event XML***: +``` +- +- + + 4656 + 1 + 0 + 12800 + 0 + 0x8010000000000000 + + 274057 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x4367b + Security + File + C:\\Documents\\HBI Data.txt + 0x0 + {00000000-0000-0000-0000-000000000000} + %%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 + %%1538: %%1804 %%1541: %%1809 %%4416: %%1809 %%4417: %%1809 %%4418: %%1802 D:(D;;LC;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4419: %%1809 %%4420: %%1809 %%4423: %%1811 D:(A;OICI;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4424: %%1809 + 0x12019f + - + 0 + 0x1074 + C:\\Windows\\System32\\notepad.exe + S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000)) + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** + +- 0 - Windows Server 2008, Windows Vista. + +- 1 - Windows Server 2012, Windows 8. + + - Added “Resource Attributes” field. + + - Added “Access Reasons” field. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested a handle to an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. 
When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested a handle to an object. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Object**: + +- **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event. + +- **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation. 
+ + The following table contains the list of the most common **Object Types**: + +| Directory | Event | Timer | Device | +|-------------------------|--------------|----------------------|--------------| +| Mutant | Type | File | Token | +| Thread | Section | WindowStation | DebugObject | +| FilterCommunicationPort | EventPair | Driver | IoCompletion | +| Controller | SymbolicLink | WmiGuid | Process | +| Profile | Desktop | KeyedEvent | Adapter | +| Key | WaitablePort | Callback | Semaphore | +| Job | Port | FilterConnectionPort | ALPC Port | + +- **Object Name** \[Type = UnicodeString\]: name and other identifying information for the object for which access was requested. For example, for a file, the path would be included. + +- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”. + +- **Resource Attributes** \[Type = UnicodeString\] \[Version 1\]: attributes associated with the object. For some objects, the field does not apply and “-“ is displayed. + + For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000)) + + - Impact\_MS: Resource Property ***ID***. + + - 3000: Recourse Property ***Value***. + +Impact property illustration + +**Process Information:** + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the access was requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. 
+ + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + +**Access Request Information:** + +- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.” + + This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”. + +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. The following table contains information about the most common access rights for file system objects. Access rights for registry objects are often similar to file system objects, but the table contains a few notes about how they vary. + +| Access | Hexadecimal Value,
Schema Value | Description | +|---------------------------------------------------------------------------------------|-------------------------------------|----------------| +| ReadData (or ListDirectory)

(For registry objects, this is “Query key value.”) | 0x1,
%%4416 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | +| WriteData (or AddFile)

(For registry objects, this is “Set key value.”) | 0x2,
%%4417 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
**AddFile -** For a directory, the right to create a file in the directory. | +| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. | +| ReadEA
(For registry objects, this is “Enumerate sub-keys.”) | 0x8,
%%4419 | The right to read extended file attributes. | +| WriteEA | 0x10,
%%4420 | The right to write extended file attributes. | +| Execute/Traverse | 0x20,
%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE**  [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | +| DeleteChild | 0x40,
%%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | +| ReadAttributes | 0x80,
%%4423 | The right to read file attributes. | +| WriteAttributes | 0x100,
%%4424 | The right to write file attributes. | +| DELETE | 0x10000,
%%1537 | The right to delete the object. | +| READ\_CONTROL | 0x20000,
%%1538 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | +| WRITE\_DAC | 0x40000,
%%1539 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | +| WRITE\_OWNER | 0x80000,
%%1540 | The right to change the owner in the object's security descriptor | +| SYNCHRONIZE | 0x100000,
%%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | +| ACCESS\_SYS\_SEC | 0x1000000,
%%1542 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | + +> Table 14. File System objects access rights. + +- **Access Reasons** \[Type = UnicodeString\] \[Version 1\]: the list of access check results. The format of this varies, depending on the object. For kernel objects, this field does not apply. + +- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the requested or performed operation. For more information, see the preceding table. + + + +- **Privileges Used for Access Check** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below: + +| Privilege Name | User Right Group Policy Name | Description | +|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary 
token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | +| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | +| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | + +- **Restricted SID Count** \[Type = UInt32\]: Number of [restricted SIDs](https://msdn.microsoft.com/en-us/library/windows/desktop/aa446583(v=vs.85).aspx) in the token. Applicable to only specific **Object Types**. + +## Security Monitoring Recommendations + +For 4656(S, F): A handle to an object was requested. + +For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level. + +For other types of objects, the following recommendations apply. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + + + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + +- If **Object Name** is a sensitive or critical object for which you need to monitor any access attempt, monitor all [4656](event-4656.md) events. 
+ +- If **Object Name** is a sensitive or critical object for which you need to monitor specific access attempts (for example, only write actions), monitor for all [4656](event-4656.md) events with the corresponding **Access Request Information\\Accesses** values. + +- If you need to monitor files and folders with specific Resource Attribute values, monitor for all [4656](event-4656.md) events with specific **Resource Attributes** field values. + + For file system objects, we recommend that you monitor these **Access Request Information\\Accesses** rights (especially for Failure events): + + - WriteData (or AddFile) + + - AppendData (or AddSubdirectory or CreatePipeInstance) + + - WriteEA + + - DeleteChild + + - WriteAttributes + + - DELETE + + - WRITE\_DAC + + - WRITE\_OWNER + diff --git a/windows/keep-secure/event-4657.md b/windows/keep-secure/event-4657.md new file mode 100644 index 0000000000..5b669ccb0d --- /dev/null +++ b/windows/keep-secure/event-4657.md @@ -0,0 +1,179 @@ +--- +title: 4657(S) A registry value was modified. (Windows 10) +description: Describes security event 4657(S) A registry value was modified. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4657(S): A registry value was modified. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4657 illustration + +***Subcategory:*** [Audit Registry](audit-registry.md) + +***Event Description:*** + +This event generates when a registry key ***value*** was modified. It doesn’t generate when a registry key was modified. + +This event generates only if “Set Value" auditing is set in registry key’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx). + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4657 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + 744725 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x364eb + \\REGISTRY\\MACHINE + Name\_New + 0x54 + %%1905 + %%1873 + + %%1873 + Andrei + 0xce4 + C:\\Windows\\regedit.exe + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify registry value” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify registry value” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Object:** + +- **Object Name** \[Type = UnicodeString\]: full path and name of the registry key which value was modified. The format is: \\REGISTRY\\HIVE\\PATH where: + + - HIVE: + + - HKEY\_LOCAL\_MACHINE = \\REGISTRY\\MACHINE + + - HKEY\_CURRENT\_USER = \\REGISTRY\\USER\\\[USER\_SID\], where \[USER\_SID\] is the SID of current user. + + - HKEY\_CLASSES\_ROOT = \\REGISTRY\\MACHINE\\SOFTWARE\\Classes + + - HKEY\_USERS = \\REGISTRY\\USER + + - HKEY\_CURRENT\_CONFIG = \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Hardware Profiles\\Current + + - PATH – path to the registry key. + +- **Object Value Name** \[Type = UnicodeString\]**:** the name of modified registry key value. + +- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4656](event-4656.md): A handle to an object was requested.” This parameter might not be captured in the event, and in that case appears as “0x0”. + +- **Operation Type** \[Type = UnicodeString\]**:** the type of performed operation with registry key value. 
Most common operations are: + + - New registry value created + + - Registry value deleted + + - Existing registry value modified + +**Process Information:** + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the registry key value was modified. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + +**Change Information:** + +- **Old Value Type** \[Type = UnicodeString\]**:** old type of changed registry key value. Registry key value types: + +| Value Type | Description | +|-----------------|-------------------------| +| REG\_SZ | String | +| REG\_BINARY | Binary | +| REG\_DWORD | DWORD (32-bit) Value | +| REG\_QWORD | QWORD (64-bit) Value | +| REG\_MULTI\_SZ | Multi-String Value | +| REG\_EXPAND\_SZ | Expandable String Value | + +- **Old Value** \[Type = UnicodeString\]: old value for changed registry key value. + +- **New Value Type** \[Type = UnicodeString\]**:** new type of changed registry key value. See table above for possible values. + +- **New Value** \[Type = UnicodeString\]: new value for changed registry key value. + +## Security Monitoring Recommendations + +For 4657(S): A registry value was modified. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). 
+ +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + + + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + +- If **Object Name** is a sensitive or critical registry key for which you need to monitor any modification of its values, monitor all [4657](event-4657.md) events. + +- If **Object Name** has specific values (**Object Value Name**) and you need to monitor modifications of these values, monitor for all [4657](event-4657.md) events. + diff --git a/windows/keep-secure/event-4658.md b/windows/keep-secure/event-4658.md new file mode 100644 index 0000000000..3de6b3da02 --- /dev/null +++ b/windows/keep-secure/event-4658.md 
@@ -0,0 +1,132 @@ +--- +title: 4658(S) The handle to an object was closed. (Windows 10) +description: Describes security event 4658(S) The handle to an object was closed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4658(S): The handle to an object was closed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4658 illustration + +***Subcategories:*** [Audit File System](audit-file-system.md), [Audit Handle Manipulation](audit-handle-manipulation.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), and [Audit Removable Storage](audit-removable-storage.md) + +***Event Description:*** + +This event generates when the handle to an object is closed. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device. + +This event generates only if Success auditing is enabled for [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory. + +Typically this event is needed if you need to know how long the handle to the object was open. Otherwise, it might not have any security relevance. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4658 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + 276724 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x4367b + Security + 0x18a8 + 0xef0 + C:\\Windows\\explorer.exe + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “close object’s handle” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “close object’s handle” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Object**: + +- **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event. + +- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”. + +**Process Information:** + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that requested that the handle be closed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. 
+ +## Security Monitoring Recommendations + +For 4658(S): The handle to an object was closed. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with it. + +- This event can be used to track all actions or operations related to a specific object handle. + +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + + + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + diff --git a/windows/keep-secure/event-4660.md b/windows/keep-secure/event-4660.md new file mode 100644 index 0000000000..901bc15ae8 --- /dev/null +++ b/windows/keep-secure/event-4660.md 
@@ -0,0 +1,133 @@ +--- +title: 4660(S) An object was deleted. (Windows 10) +description: Describes security event 4660(S) An object was deleted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4660(S): An object was deleted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4660 illustration + +***Subcategories:*** [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), and [Audit Registry](audit-registry.md) + +***Event Description:*** + +This event generates when an object was deleted. The object could be a file system, kernel, or registry object. + +This event generates only if “Delete" auditing is set in object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx). + +This event doesn’t contain the name of the deleted object (only the **Handle ID**). It is better to use “[4663](event-4663.md)(S): An attempt was made to access an object” with DELETE access to track object deletion. + +The advantage of this event is that it’s generated only during real delete operations. In contrast, “4663(S): An attempt was made to access an object” also generates during other actions, such as object renaming. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4660 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + 270188 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x4367b + Security + 0x1678 + 0xef0 + C:\\Windows\\explorer.exe + {00000000-0000-0000-0000-000000000000} + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete object” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Object**: + +- **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event. + +- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”. + +**Process Information:** + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that deleted the object. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. 
+ + + +- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4656](event-4656.md)(S, F): A handle to an object was requested.” + + This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”. + +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +## Security Monitoring Recommendations + +For 4660(S): An object was deleted. + +- This event doesn’t contains the name of deleted object (only **Handle ID**). It is better to use “[4663](event-4663.md)(S): An attempt was made to access an object.” events with DELETE access to track object deletion actions. + +- For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level. + diff --git a/windows/keep-secure/event-4661.md b/windows/keep-secure/event-4661.md new file mode 100644 index 0000000000..278c77f651 --- /dev/null +++ b/windows/keep-secure/event-4661.md 
@@ -0,0 +1,220 @@ +--- +title: 4661(S, F) A handle to an object was requested. (Windows 10) +description: Describes security event 4661(S, F) A handle to an object was requested. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4661(S, F): A handle to an object was requested. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4661 illustration + +***Subcategories:*** [Audit Directory Service Access](audit-directory-service-access.md) and [Audit SAM](audit-sam.md) + +***Event Description:*** + +This event indicates that a handle was requested for either an Active Directory object or a Security Account Manager (SAM) object. + +If access was declined, then Failure event is generated. + +This event generates only if Success auditing is enabled for the [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML***: +``` +- +- + + 4661 + 0 + 0 + 14080 + 0 + 0x8020000000000000 + + 1048009 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x4280e + Security Account Manager + SAM\_DOMAIN + DC=contoso,DC=local + 0xdd64d36870 + {00000000-0000-0000-0000-000000000000} + %%5400 + 0x2d + Ā + - + 2949165 + 0x9000a000d002d + {bf967a90-0de6-11d0-a285-00aa003049e2} %%5400 {ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501} + + + +``` + +***Required Server Roles:*** For an Active Directory object, the domain controller role is required. For a SAM object, there is no required role. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested a handle to an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested a handle to an object. 
+ +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Object**: + +- **Object Server** \[Type = UnicodeString\]: has “**Security Account Manager**” value for this event. + +- **Object Type** \[Type = UnicodeString\]: the type or class of the object that was accessed. The following list contains possible values for this field: + + - SAM\_ALIAS - a local group. + + - SAM\_GROUP - a group that is not a local group. + + - SAM\_USER - a user account. + + - SAM\_DOMAIN - a domain. For Active Directory events, this is the typical value. + + - SAM\_SERVER - a computer account. + +- **Object Name** \[Type = UnicodeString\]: the name of an object for which access was requested. Depends on **Object Type.** This event can have the following format: + + - SAM\_ALIAS – SID of the group. + + - SAM\_GROUP - SID of the group. + + - SAM\_USER - SID of the account. + + - SAM\_DOMAIN – distinguished name of the accessed object. + + - SAM\_SERVER - distinguished name of the accessed object. + +> **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. 
+ +> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: + +> • DC - domainComponent + +> • CN - commonName + +> • OU - organizationalUnitName + +> • O - organizationName + +- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4662](event-4662.md): An operation was performed on an object.” This parameter might not be captured in the event, and in that case appears as “0x0”. + +**Process Information:** + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that requested the handle. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + +- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + +**Access Request Information:** + +- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same the **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.” + + This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”. + +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. See “Table 13. File access codes.” for more information about file access rights. 
For information about SAM object access right use or other informational resources. + +- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access right use or other informational resources. + +- **Privileges Used for Access Check** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below: + +| Privilege Name | User Right Group Policy Name | Description | +|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | +| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | +| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | + +- **Properties** \[Type = UnicodeString\]: depends on **Object Type**. This field can be empty or contain the list of the object properties that were accessed. See more detailed information in “[4661](event-4661.md): A handle to an object was requested” from [Audit SAM](audit-sam.md) subcategory. + +- **Restricted SID Count** \[Type = UInt32\]: Number of [restricted SIDs](https://msdn.microsoft.com/en-us/library/windows/desktop/aa446583(v=vs.85).aspx) in the token. Applicable to only specific **Object Types**. + +## Security Monitoring Recommendations + +For 4661(S, F): A handle to an object was requested. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- You can get almost the same information from “[4662](event-4662.md): An operation was performed on an object.” There are no additional recommendations for this event in this document. + diff --git a/windows/keep-secure/event-4662.md b/windows/keep-secure/event-4662.md new file mode 100644 index 0000000000..83640072e0 --- /dev/null +++ b/windows/keep-secure/event-4662.md 
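Review bot: the Accesses and Access Mask descriptions in this hunk both end with a sentence that has lost its link target, "For information about SAM object access right use  or other informational resources.", and both send the reader to "Table 13. File access codes." although the Object Type values documented here are SAM_ALIAS, SAM_GROUP, SAM_USER, SAM_DOMAIN and SAM_SERVER rather than files; either restore the SAM access-right reference or drop the file-table pointer so readers are not directed to the wrong access-mask table. Two smaller points: the Properties field refers the reader to "[4661](event-4661.md): A handle to an object was requested" for more detail, which is the same topic this hunk documents (the recommendations section is headed "For 4661(S, F)"), so the cross-reference is circular and should point to wherever the property list actually lives; and the RDN note has a stray "; ." after "attribute=value", and "examples of RDNs attributes" should read "examples of RDN attributes".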
@@ -0,0 +1,248 @@ +--- +title: 4662(S, F) An operation was performed on an object. (Windows 10) +description: Describes security event 4662(S, F) An operation was performed on an object. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4662(S, F): An operation was performed on an object. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4662 illustration + +***Subcategory:*** [Audit Directory Service Access](audit-directory-service-access.md) + +***Event Description:*** + +This event generates every time when an operation was performed on an Active Directory object. + +This event generates only if appropriate [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) was set for Active Directory object and performed operation meets this SACL. + +If operation failed then Failure event will be generated. + +You will get one 4662 for each operation type which was performed. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4662 + 0 + 0 + 14080 + 0 + 0x8020000000000000 + + 407230 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x35867 + DS + %{bf967a86-0de6-11d0-a285-00aa003049e2} + %{38b3d2e6-9948-4dc1-ae90-1605d5eab9a2} + Object Access + 0x0 + %%1537 + 0x10000 + %%1537 {bf967a86-0de6-11d0-a285-00aa003049e2} + - + + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Object:** + +- **Object Server** \[Type = UnicodeString\]: has “**DS**” value for this event. + +- **Object Type** \[Type = UnicodeString\]: type or class of the object that was accessed. Some of the common Active Directory object types and classes are: + + - container – for containers. + + - user – for users. + + - group – for groups. + + - domainDNS – for domain object. + + - groupPolicyContainer – for group policy objects. + + For all possible values of **Object Type** open Active Directory Schema snap-in (see how to enable this snap-in: and navigate to **Active Directory Schema\\Classes**. Or use this document: + +- **Object Name** \[Type = UnicodeString\]: distinguished name of the object that was accessed. + +> **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. + +> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: + +> • DC - domainComponent + +> • CN - commonName + +> • OU - organizationalUnitName + +> • O - organizationName + +- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. 
This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4661](event-4661.md): A handle to an object was requested.” This parameter might not be captured in the event, and in that case appears as “0x0”. + +**Operation:** + +- **Operation Type** \[Type = UnicodeString\]: the type of operation which was performed on an object. Typically has “**Object Access”** value for this event. + +- **Accesses** \[Type = UnicodeString\]: the type of access used for the operation. See “Table 9. Active Directory Access Codes and Rights.” for more information. + +- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the type of access used for the operation. See “Table 9. Active Directory Access Codes and Rights.” for more information. + +| Access Mask | Access Name | Description | +|--------------------------------------------------------------------------------------|--------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x1 | Create Child | The right to create child objects of the object. | +| 0x2 | Delete Child | The right to delete child objects of the object. | +| 0x4 | List Contents | The right to list child objects of this object. | +| 0x8 | SELF | The right to perform an operation controlled by a validated write access right. | +| 0x10 | Read Property | The right to read properties of the object. | +| 0x20 | Write Property | The right to write properties of the object. | +| 0x40 | Delete Tree | Delete all children of this object, regardless of the permissions of the children. It is indicates that “Use Delete Subtree server control” check box was checked during deletion. 
This operation means that all objects within the subtree, including all delete-protected objects, will be deleted. | +| 0x80 | List Object | The right to list a particular object. | +| 0x100 | Control Access | Access allowed only after extended rights checks supported by the object are performed.
The right to perform an operation controlled by an extended access right. | +| 0x10000 | DELETE | The right to delete the object.
DELETE also generated when object was moved. | +| 0x20000 | READ\_CONTROL | The right to read data from the security descriptor of the object, not including the data in the SACL. | +| 0x40000 | WRITE\_DAC | The right to modify the discretionary access-control list (DACL) in the object security descriptor. | +| 0x80000 | WRITE\_OWNER | The right to assume ownership of the object. The user must be an object trustee. The user cannot transfer the ownership to other users. | +| 0x100000 | SYNCHRONIZE | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. | +| 0x1000000 | ADS\_RIGHT\_ACCESS\_SYSTEM\_SECURITY | The right to get or set the SACL in the object security descriptor. | +| 0x80000000 | ADS\_RIGHT\_GENERIC\_READ | The right to read permissions on this object, read all the properties on this object, list this object name when the parent container is listed, and list the contents of this object if it is a container. | +| 0x40000000 | ADS\_RIGHT\_GENERIC\_WRITE | The right to read permissions on this object, write all the properties on this object, and perform all validated writes to this object. | +| 0x20000000 | ADS\_RIGHT\_GENERIC\_EXECUTE | The right to read permissions on, and list the contents of, a container object. | +| 0x10000000 | ADS\_RIGHT\_GENERIC\_ALL | The right to create or delete child objects, delete a subtree, read and write properties, examine child objects and the object itself, add and remove the object from the directory, and read or write with an extended right. | + +> Table 9. Active Directory Access Codes and Rights. + +- **Properties** \[Type = UnicodeString\]: first part is the type of access that was used. Typically has the same value as **Accesses** field. + + Second part is a tree of **GUID** values of Active Directory classes or property sets, for which operation was performed. + +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. 
It is a 128-bit integer number used to identify resources, activities or instances. + +To translate this GUID, use the following procedure: + +- Perform the following LDAP search using LDP.exe tool: + + - Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX + + - Filter: (&(objectClass=\*)(schemaIDGUID=GUID)) + + - Perform the following operations with the GUID before using it in a search request: + + - We have this GUID to search for: bf967a86-0de6-11d0-a285-00aa003049e2 + + - Take first 3 sections bf967a86-0de6-11d0. + + - For each of these 3 sections you need to change (Invert) the order of bytes, like this 867a96bf-e60d-d011 + + - Add the last 2 sections without transformation: 867a96bf-e60d-d011-a285-00aa003049e2 + + - Delete - : 867a96bfe60dd011a28500aa003049e2 + + - Divide bytes with backslashes: \\86\\7a\\96\\bf\\e6\\0d\\d0\\11\\a2\\85\\00\\aa\\00\\30\\49\\e2 + + - Filter example: (&(objectClass=\*)(schemaIDGUID=\\86\\7a\\96\\bf\\e6\\0d\\d0\\11\\a2\\85\\00\\aa\\00\\30\\49\\e2)) + + - Scope: Subtree + + - Attributes: schemaIDGUID + +Schema search illustration + +Sometimes GUID refers to pre-defined Active Directory Property Sets, you can find GUID (**Rights-GUID** field), “property set name” and details here: . + +Here is an example of decoding of **Properties** field: + +| Properties | Translation | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------| +| {bf967a86-0de6-11d0-a285-00aa003049e2}
{91e647de-d96f-4b70-9557-d63ff4f3ccd8}
{6617e4ac-a2f1-43ab-b60c-11fbd1facf05}
{b3f93023-9239-4f7c-b99c-6745d87adbc2}
{b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7} | Computer
Private-Information property set
ms-PKI-RoamingTimeStamp
ms-PKI-DPAPIMasterKeys
ms-PKI-AccountCredentials | + +**Additional Information:** + +- **Parameter 1** \[Type = UnicodeString\]**:** there is no information about this field in this document. + +- **Parameter 2** \[Type = UnicodeString\]**:** there is no information about this field in this document. + +## Security Monitoring Recommendations + +For 4662(S, F): An operation was performed on an object. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you need to monitor operations attempts to specific Active Directory classes, monitor for **Object Type** field with specific class name. For example, we recommend that you monitor all operations attempts to **domainDNS** class. + +- If you need to monitor operations attempts to specific Active Directory objects, monitor for **Object Name** field with specific object name. For example, we recommend that you monitor all operations attempts to “**CN=AdminSDHolder,CN=System,DC=domain,DC=com”** object. + +- Some access types are more important to monitor, for example: + + - Write Property + + - Control Access + + - DELETE + + - WRITE\_DAC + + - WRITE\_OWNER + + You can decide to monitor these (or one of these) access types for specific Active Directory objects. To do so, monitor for **Accesses** field with specific access type. + +- If you need to monitor operations attempts to specific Active Directory properties, monitor for **Properties** field with specific property GUID. + +- Do not forget that **Failure** attempts are also very important to audit. Decide where you want to monitor Failure attempts based on previous recommendations. + diff --git a/windows/keep-secure/event-4663.md b/windows/keep-secure/event-4663.md new file mode 100644 index 0000000000..46cdac8cb0 --- /dev/null +++ b/windows/keep-secure/event-4663.md 
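Review bot: two sentences in this hunk reference links that are not present in the text: the Object Type description "(see how to enable this snap-in: and navigate to **Active Directory Schema\\Classes**. Or use this document:" opens a parenthesis that is never closed and ends on a bare colon, and the property-set sentence ends "and details here: ." with no target; restore the URLs or rewrite these as plain instructions, because as written a reader cannot follow them. Under Additional Information, Parameter 1 and Parameter 2 are each described only as "there is no information about this field in this document"; if they are genuinely undocumented, say so once rather than listing them as described fields. Minor grammar in Table 9: "It is indicates that" in the Delete Tree row should be "It indicates that", and "DELETE also generated when object was moved" in the DELETE row should be "DELETE is also generated when an object is moved".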
@@ -0,0 +1,223 @@ +--- +title: 4663(S) An attempt was made to access an object. (Windows 10) +description: Describes security event 4663(S) An attempt was made to access an object. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4663(S): An attempt was made to access an object. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4663 illustration + +***Subcategories:*** [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), and [Audit Removable Storage](audit-removable-storage.md) + +***Event Description:*** + +This event indicates that a specific operation was performed on an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device. + +This event generates only if object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) has required ACE to handle specific access right use. + +The main difference with “[4656](event-4656.md): A handle to an object was requested.” event is that 4663 shows that access right was used instead of just requested and 4663 doesn’t have Failure events. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4663 + 1 + 0 + 12800 + 0 + 0x8020000000000000 + + 273866 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x4367b + Security + File + C:\\Documents\\HBI Data.txt + 0x1bc + %%4417 %%4418 + 0x6 + 0x458 + C:\\Windows\\System32\\notepad.exe + S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000)) + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** + +- 0 - Windows Server 2008, Windows Vista. + +- 1 - Windows Server 2012, Windows 8. + + - Added “Resource Attributes” field. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that made an attempt to access an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to access an object. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Object**: + +- **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event. + +- **Object Type** \[Type = UnicodeString\]: The type of object that was accessed during the operation. + + The following table contains the list of the most common **Object Types**: + +| Directory | Event | Timer | Device | +|-------------------------|--------------|----------------------|--------------| +| Mutant | Type | File | Token | +| Thread | Section | WindowStation | DebugObject | +| FilterCommunicationPort | EventPair | Driver | IoCompletion | +| Controller | SymbolicLink | WmiGuid | Process | +| Profile | Desktop | KeyedEvent | Adapter | +| Key | WaitablePort | Callback | Semaphore | +| Job | Port | FilterConnectionPort | ALPC Port | + +- **Object Name** \[Type = UnicodeString\]: name and other identifying information for the object for which access was requested. For example, for a file, the path would be included. + +- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. 
This field can be used for correlation with other events, for example with **Handle ID** field in “[4656](event-4656.md)(S, F): A handle to an object was requested.” This parameter might not be captured in the event, and in that case appears as “0x0”. + +- **Resource Attributes** \[Type = UnicodeString\] \[Version 1\]: attributes associated with the object. For some objects, the field does not apply and “-“ is displayed. + + For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000)) + + - Impact\_MS: Resource Property ***ID***. + + - 3000: Recourse Property ***Value***. + +Impact property illustration + +**Process Information:** + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that accessed the object. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + +**Access Request Information:** + +- **Accesses** \[Type = UnicodeString\]: the list of access rights which were used by **Subject\\Security ID**. These access rights depend on **Object Type**. The following table contains information about the most common access rights for file system objects. Access rights for registry objects are often similar to file system objects, but the table contains a few notes about how they vary. + +| Access | Hex Value,
Schema Value | Description | +|----------------------------------------------------------------------------------------|-----------------------------|---------------------| +| ReadData (or ListDirectory)

(For registry objects, this is “Query key value.”) | 0x1,
%%4416 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | +| WriteData (or AddFile)

(For registry objects, this is “Set key value.”) | 0x2,
%%4417 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
**AddFile -** For a directory, the right to create a file in the directory. | +| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. | +| ReadEA
(For registry objects, this is “Enumerate sub-keys.”) | 0x8,
%%4419 | The right to read extended file attributes. | +| WriteEA | 0x10,
%%4420 | The right to write extended file attributes. | +| Execute/Traverse | 0x20,
%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE**  [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | +| DeleteChild | 0x40,
%%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | +| ReadAttributes | 0x80,
%%4423 | The right to read file attributes. | +| WriteAttributes | 0x100,
%%4424 | The right to write file attributes. | +| DELETE | 0x10000,
%%1537 | The right to delete the object. | +| READ\_CONTROL | 0x20000,
%%1538 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | +| WRITE\_DAC | 0x40000,
%%1539 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | +| WRITE\_OWNER | 0x80000,
%%1540 | The right to change the owner in the object's security descriptor | +| SYNCHRONIZE | 0x100000,
%%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | +| ACCESS\_SYS\_SEC | 0x1000000,
%%1542 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | + +> Table 15. File System objects access rights. + +- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the requested or performed operation. For more information, see the preceding table. + +## Security Monitoring Recommendations + +For 4663(S): An attempt was made to access an object. + +For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level. + +For other types of objects, the following recommendations apply. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have critical file system objects for which you need to monitor all access attempts, monitor this event for **Object Name**. + +- If you have critical file system objects for which you need to monitor certain access attempts (for example, write actions), monitor this event for **Object Name** in relation to **Access Request Information\\Accesses**. + +- If you have file system objects with specific attributes, for which you need to monitor access attempts, monitor this event for **Resource Attributes**. + +- If **Object Name** is a sensitive or critical registry key for which you need to monitor specific access attempts (for example, only write actions), monitor for all [4663](event-4663.md) events with the corresponding **Access Request Information\\Accesses**. + + + +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. 
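Review bot: typo in the Resource Attributes example of the 4663 field descriptions: `3000: Recourse Property ***Value***.` should read `3000: Resource Property ***Value***.`, matching the `Impact\_MS: Resource Property ***ID***.` line directly above it. Also, the "most common Object Types" table has no real header row: `Directory | Event | Timer | Device` are object type names, not column labels, so they will render as bold column headings; either give the table a neutral header row or render the types as a bulleted list. Minor: the recommendation bullets are separated by runs of three blank `+` lines, which is inconsistent with the single blank line used between the other bullets.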
+ +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + + + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + +- For file system objects, we recommend that you monitor for these **Access Request Information\\Accesses** rights: + + - WriteData (or AddFile) + + - AppendData (or AddSubdirectory or CreatePipeInstance) + + - WriteEA + + - DeleteChild + + - WriteAttributes + + - DELETE + + - WRITE\_DAC + + - WRITE\_OWNER + diff --git a/windows/keep-secure/event-4664.md b/windows/keep-secure/event-4664.md new file mode 100644 index 0000000000..a62808d16d --- /dev/null +++ b/windows/keep-secure/event-4664.md @@ -0,0 +1,109 @@ +--- +title: 4664(S) An attempt was made to create a hard link. (Windows 10) +description: Describes security event 4664(S) An attempt was made to create a hard link. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4664(S): An attempt was made to create a hard link. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4664 illustration + +***Subcategory:*** [Audit File System](audit-file-system.md) + +***Event Description:*** + +This event generates when an NTFS hard link was successfully created. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4664 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + 276680 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x43659 + C:\\notepad.exe + C:\\Docs\\My.exe + {00000000-0000-0000-0000-000000000000} + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that made an attempt to create the hard link. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to create the hard link. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Link Information:** + +- **File Name** \[Type = UnicodeString\]**:** the name of a file or folder that new hard link refers to. + +- **Link Name** \[Type = UnicodeString\]**:** full path name with new hard link file name. + +- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.” + + This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”. + +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +## Security Monitoring Recommendations + +For 4664(S): An attempt was made to create a hard link. + +- We recommend monitoring for any [4664](event-4664.md) event, because this action is not typical for normal operating system behavior and can be a sign of malicious activity. + diff --git a/windows/keep-secure/event-4670.md b/windows/keep-secure/event-4670.md new file mode 100644 index 0000000000..a7de5be046 --- /dev/null +++ b/windows/keep-secure/event-4670.md 
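Review bot: grammar in the Link Information section of the 4664 hunk: `the name of a file or folder that new hard link refers to` should read `the name of the file or folder that the new hard link refers to`. The single Security Monitoring Recommendations bullet also gives the reader nothing to act on beyond "monitor for any 4664 event"; since the event carries **Subject\\Security ID**, **Link Information\\File Name** and **Link Name**, consider naming those fields as the ones to review or alert on, as the 4663 and 4670 pages do for **Object Name** and **Process Name**.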
@@ -0,0 +1,274 @@ +--- +title: 4670(S) Permissions on an object were changed. (Windows 10) +description: Describes security event 4670(S) Permissions on an object were changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4670(S): Permissions on an object were changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4670 illustration + +***Subcategories:*** [Audit File System](audit-file-system.md), [Audit Registry](audit-registry.md), [Audit Authentication Policy Change](audit-authentication-policy-change.md), and [Audit Authorization Policy Change](audit-authorization-policy-change.md) + +***Event Description:*** + +This event generates when the permissions for an object are changed. The object could be a file system, registry, or security token object. + +This event does not generate if the [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) (Auditing ACL) was changed. + +Before this event can generate, certain ACEs might need to be set in the object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx). For example, for a file system object, it generates only if “Change Permissions" and/or "Take Ownership” are set in the object’s SACL. For a registry key, it generates only if “Write DAC" and/or "Write Owner” are set in the object’s SACL. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4670 + 0 + 0 + 13570 + 0 + 0x8020000000000000 + + 269529 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x43659 + Security + File + C:\\Documents\\netcat-1.11 + 0x3f0 + D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA) + D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA) + 0xdb0 + C:\\Windows\\System32\\dllhost.exe + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “change object’s permissions” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). 
+ +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change object’s permissions” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Object**: + +- **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event. + +- **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation. + + The following table contains the list of the most common **Object Types**: + +| Directory | Event | Timer | Device | +|-------------------------|--------------|----------------------|--------------| +| Mutant | Type | File | Token | +| Thread | Section | WindowStation | DebugObject | +| FilterCommunicationPort | EventPair | Driver | IoCompletion | +| Controller | SymbolicLink | WmiGuid | Process | +| Profile | Desktop | KeyedEvent | Adapter | +| Key | WaitablePort | Callback | Semaphore | +| Job | Port | FilterConnectionPort | ALPC Port | + +- **Object Name** \[Type = UnicodeString\]: name and other identifying information for the object for which permissions were changed. For example, for a file, the path would be included. For Token objects, this field typically equals “-“. 
+ +- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”. + +**Process:** + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the permissions were changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + +**Permissions Change:** + +- **Original Security Descriptor** \[Type = UnicodeString\]**:** the old Security Descriptor Definition Language (SDDL) value for the object. + +- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object. + +> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. + +> Example: + +> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) + +> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. 
+> See the list of possible values in the table below: + +| Value | Description | Value | Description | +|-------|--------------------------------------|-------|---------------------------------| +| "AO" | Account operators | "PA" | Group Policy administrators | +| "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user | +| "AN" | Anonymous logon | "LA" | Local administrator | +| "AU" | Authenticated users | "LG" | Local guest | +| "BA" | Built-in administrators | "LS" | Local service account | +| "BG" | Built-in guests | "SY" | Local system | +| "BO" | Backup operators | "NU" | Network logon user | +| "BU" | Built-in users | "NO" | Network configuration operators | +| "CA" | Certificate server administrators | "NS" | Network service account | +| "CG" | Creator group | "PO" | Printer operators | +| "CO" | Creator owner | "PS" | Personal self | +| "DA" | Domain administrators | "PU" | Power users | +| "DC" | Domain computers | "RS" | RAS servers group | +| "DD" | Domain controllers | "RD" | Terminal server users | +| "DG" | Domain guests | "RE" | Replicator | +| "DU" | Domain users | "RC" | Restricted code | +| "EA" | Enterprise administrators | "SA" | Schema administrators | +| "ED" | Enterprise domain controllers | "SO" | Server operators | +| "WD" | Everyone | "SU" | Service logon user | + +- *G*: = Primary Group. +- *D*: = DACL Entries. +- *S*: = SACL Entries. + +*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid) + +Example: D:(A;;FA;;;WD) + +- entry\_type: + +“D” - DACL + +“S” - SACL + +- inheritance\_flags: + +"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked. + +"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set. + +"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object. 
+ +- ace\_type: + +"A" - ACCESS ALLOWED + +"D" - ACCESS DENIED + +"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s). + +"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s). + +"AU" - SYSTEM AUDIT + +"A" - SYSTEM ALARM + +"OU" - OBJECT SYSTEM AUDIT + +"OL" - OBJECT SYSTEM ALARM + +- ace\_flags: + +"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE. + +"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE. + +"NP" - NO PROPAGATE: only immediate children inherit this ace. + +"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance. + +"ID" - ACE IS INHERITED + +"SA" - SUCCESSFUL ACCESS AUDIT + +"FA" - FAILED ACCESS AUDIT +- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. + +| Value | Description | Value | Description | +|----------------------------|---------------------------------|----------------------|--------------------------| +| Generic access rights | Directory service access rights | +| "GA" | GENERIC ALL | "RC" | Read Permissions | +| "GR" | GENERIC READ | "SD" | Delete | +| "GW" | GENERIC WRITE | "WD" | Modify Permissions | +| "GX" | GENERIC EXECUTE | "WO" | Modify Owner | +| File access rights | "RP" | Read All Properties | +| "FA" | FILE ALL ACCESS | "WP" | Write All Properties | +| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects | +| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects | +| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents | +| Registry key access rights | "SW" | All Validated Writes | +| "KA" | "LO" | "LO" | List Object | +| "K" | KEY READ | "DT" | Delete Subtree | +| "KW" | KEY WRITE | "CR" | All Extended Rights | +| "KX" | KEY EXECUTE | | | + +- object\_guid: N/A +- inherit\_object\_guid: N/A +- account\_sid: SID of specific 
security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. + +For more information about SDDL syntax, see these articles: , . + +## Security Monitoring Recommendations + +For 4670(S): Permissions on an object were changed. + +For token objects, this is typically an informational event, and at the same time it is difficult to identify which token's permission were changed. For token objects, there are no monitoring recommendations for this event in this document. + +For file system and registry objects, the following recommendations apply. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + + + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + +- If you have critical registry objects for which you need to monitor all modifications (especially permissions changes and owner changes), monitor for the specific **Object\\Object Name.** + +- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers**.** For example, you could monitor the **ntds.dit** file on domain controllers. + 
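Review bot: the SDDL reference in the 4670 hunk has three content errors that will mislead anyone decoding the **Original Security Descriptor** and **New Security Descriptor** fields. In the ace\_type list, `"A" - SYSTEM ALARM` reuses the code already assigned to `"A" - ACCESS ALLOWED`; the SDDL system-alarm ACE type is `AL`. In the rights table, the row `| "KA" | "LO" | "LO" | List Object |` has lost the KA description (KEY ALL ACCESS), and `"K" | KEY READ` should be `"KR" | KEY READ`; the rows `| Generic access rights | Directory service access rights |` and `| File access rights | "RP" | ...` also have fewer cells than the four-column header, so the table will not render as intended. The SDDL example contains a multiplication sign in `(A;;0×7;;;BA)` where `0x7` is meant. Smaller points: `** Security Descriptor Definition Language (SDDL)**` has a leading space inside the bold markers and will not render bold; `see these articles: , .` has empty link slots; `which token's permission were changed` should be `permissions`; `Inheritance from containers that are higher in the folder hierarchy are blocked` should be `is blocked`; and `on these computers**.**` wraps only the period in bold.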
diff --git a/windows/keep-secure/event-4671.md b/windows/keep-secure/event-4671.md new file mode 100644 index 0000000000..c1962e0f68 --- /dev/null +++ b/windows/keep-secure/event-4671.md @@ -0,0 +1,21 @@ +--- +title: 4671(-) An application attempted to access a blocked ordinal through the TBS. (Windows 10) +description: Describes security event 4671(-) An application attempted to access a blocked ordinal through the TBS. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4671(-): An application attempted to access a blocked ordinal through the TBS. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. + +***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) + diff --git a/windows/keep-secure/event-4672.md b/windows/keep-secure/event-4672.md new file mode 100644 index 0000000000..bf0fff94de --- /dev/null +++ b/windows/keep-secure/event-4672.md 
@@ -0,0 +1,149 @@ +--- +title: 4672(S) Special privileges assigned to new logon. (Windows 10) +description: Describes security event 4672(S) Special privileges assigned to new logon. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4672(S): Special privileges assigned to new logon. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4672 illustration + +***Subcategory:*** [Audit Special Logon](audit-special-logon.md) + +***Event Description:*** + +This event generates for new account logons if any of the following sensitive privileges are assigned to the new logon session: + +- SeTcbPrivilege - Act as part of the operating system + +- SeBackupPrivilege - Back up files and directories + +- SeCreateTokenPrivilege - Create a token object + +- SeDebugPrivilege - Debug programs + +- SeEnableDelegationPrivilege - Enable computer and user accounts to be trusted for delegation + +- SeAuditPrivilege - Generate security audits + +- SeImpersonatePrivilege - Impersonate a client after authentication + +- SeLoadDriverPrivilege - Load and unload device drivers + +- SeSecurityPrivilege - Manage auditing and security log + +- SeSystemEnvironmentPrivilege - Modify firmware environment values + +- SeAssignPrimaryTokenPrivilege - Replace a process-level token + +- SeRestorePrivilege - Restore files and directories, + +- SeTakeOwnershipPrivilege - Take ownership of files or other objects + +You typically will see many of these events in the event log, because every logon of SYSTEM (Local System) account triggers this event. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4672 + 0 + 0 + 12548 + 0 + 0x8020000000000000 + + 237692 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x671101 + SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account to which special privileges were assigned. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account to which special privileges were assigned. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Privileges** \[Type = UnicodeString\]**:** the list of sensitive privileges, assigned to the new logon. The following table contains the list of possible privileges for this event: + +| Privilege Name | User Right Group Policy Name | Description | +|-------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| SeAssignPrimaryTokenPrivilege | Replace a process-level token | 
Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | + +## Security Monitoring Recommendations + +For 4672(S): Special privileges assigned to new logon. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. + +- If you have a list of specific privileges which should never be granted, or granted only to a few accounts (for example, SeDebugPrivilege), use this event to monitor for those “**Privileges**.” + + + +- If you are required to monitor any of the sensitive privileges in the [Event Description for this event](event-4672.md), search for those specific privileges in the event. + diff --git a/windows/keep-secure/event-4673.md b/windows/keep-secure/event-4673.md new file mode 100644 index 0000000000..5282a6658e --- /dev/null +++ b/windows/keep-secure/event-4673.md 
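Review bot: in the event-4672.md Privileges table, the SeEnableDelegationPrivilege row closes its bold span mid-word, `**Trusted for Deleg**ation`, which renders as bold "Trusted for Deleg" followed by plain "ation"; it should be `**Trusted for Delegation**`. Two smaller points in the same table: the SeBackupPrivilege description begins with a stray list marker (`- Required to perform backup operations.`) that no other row has, and the SeLoadDriverPrivilege row says "in to kernel mode" where "into kernel mode" is meant. In Security Monitoring Recommendations, the run of empty lines between the second and third bullets will break the list in rendered markdown; collapse it to a single blank line.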
@@ -0,0 +1,196 @@ +--- +title: 4673(S, F) A privileged service was called. (Windows 10) +description: Describes security event 4673(S, F) A privileged service was called. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4673(S, F): A privileged service was called. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4673 illustration + +***Subcategories:*** [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) and [Audit Non Sensitive Privilege Use](audit-non-sensitive-privilege-use.md) + +***Event Description:*** + +This event generates when an attempt was made to perform privileged system service operations. + +This event generates, for example, when **SeSystemtimePrivilege**, **SeCreateGlobalPrivilege**, or **SeTcbPrivilege** privilege was used. + +Failure event generates when service call attempt fails. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4673 + 0 + 0 + 13056 + 0 + 0x8020000000000000 + + 1099777 + + + Security + DC01.contoso.local + + +- + S-1-5-18 + DC01$ + CONTOSO + 0x3e7 + NT Local Security Authority / Authentication Service + LsaRegisterLogonProcess() + SeTcbPrivilege + 0x1f0 + C:\\Windows\\System32\\lsass.exe + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested privileged operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested privileged operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Service**: + +- **Server** \[Type = UnicodeString\]: contains the name of the Windows subsystem calling the routine. Subsystems examples are: + + - Security + + - Security Account Manager + + - NT Local Security Authority / Authentication Service + + - SC Manager + + - Win32 SystemShutdown module + + - LSA + +- **Service Name** \[Type = UnicodeString\] \[Optional\]: supplies a name of the privileged subsystem service or function. For example, "RESET RUNTIME LOCAL SECURITY" might be specified by a **Local Security Authority** service used to update the local security policy database or **LsaRegisterLogonProcess()** might be specified by a **NT Local Security Authority / Authentication Service** used to register new logon process. + +**Process:** + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted to call the privileged service. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. 
+ + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + +**Service Request Information**: + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were requested. The possible privileges depend on the subcategory, either **Audit Non Sensitive Privilege Use** or **Audit Sensitive Privilege Use**, as shown in the following two tables: + +| **Subcategory of event** | **Privilege Name:
User Right Group Policy Name** | **Description** | +|-----------------------------------|----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Audit Non Sensitive Privilege Use | **SeChangeNotifyPrivilege:
**Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| Audit Non Sensitive Privilege Use | **SeCreateGlobalPrivilege:
**Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| Audit Non Sensitive Privilege Use | **SeCreatePagefilePrivilege:
**Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| Audit Non Sensitive Privilege Use | **SeCreatePermanentPrivilege:
**Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| Audit Non Sensitive Privilege Use | **SeCreateSymbolicLinkPrivilege:
**Create symbolic links | Required to create a symbolic link. | +| Audit Non Sensitive Privilege Use | **SeIncreaseBasePriorityPrivilege:
**Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| Audit Non Sensitive Privilege Use | **SeIncreaseQuotaPrivilege:
**Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| Audit Non Sensitive Privilege Use | **SeIncreaseWorkingSetPrivilege:
**Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| Audit Non Sensitive Privilege Use | **SeLockMemoryPrivilege:
**Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Non Sensitive Privilege Use | **SeMachineAccountPrivilege:
**Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| Audit Non Sensitive Privilege Use | **SeManageVolumePrivilege:
**Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| Audit Non Sensitive Privilege Use | **SeProfileSingleProcessPrivilege:
**Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| Audit Non Sensitive Privilege Use | **SeRelabelPrivilege:
**Modify an object label | Required to modify the mandatory integrity level of an object. | +| Audit Non Sensitive Privilege Use | **SeRemoteShutdownPrivilege:
**Force shutdown from a remote system | Required to shut down a system using a network request. | +| Audit Non Sensitive Privilege Use | **SeShutdownPrivilege:
**Shut down the system | Required to shut down a local system. | +| Audit Non Sensitive Privilege Use | **SeSyncAgentPrivilege:
**Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| Audit Non Sensitive Privilege Use | **SeSystemProfilePrivilege:
**Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| Audit Non Sensitive Privilege Use | **SeSystemtimePrivilege:
**Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs.
If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| Audit Non Sensitive Privilege Use | **SeTimeZonePrivilege:
**Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| Audit Non Sensitive Privilege Use | **SeTrustedCredManAccessPrivilege:
**Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| Audit Non Sensitive Privilege Use | **SeUndockPrivilege:
**Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | + +| **Subcategory of event** | **Privilege Name:
User Right Group Policy Name** | **Description** | +|-------------------------------|-----------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Audit Sensitive Privilege Use | **SeAssignPrimaryTokenPrivilege:
**Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| Audit Sensitive Privilege Use | **SeAuditPrivilege:
**Generate security audits | With this privilege, the user can add entries to the security log. | +| Audit Sensitive Privilege Use | **SeCreateTokenPrivilege:
**Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| Audit Sensitive Privilege Use | **SeDebugPrivilege:
**Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| Audit Sensitive Privilege Use | **SeImpersonatePrivilege:
**Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| Audit Sensitive Privilege Use | **SeLoadDriverPrivilege:
**Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| Audit Sensitive Privilege Use | **SeLockMemoryPrivilege:
**Lock pages in memory | Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Sensitive Privilege Use | **SeSystemEnvironmentPrivilege:
**Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| Audit Sensitive Privilege Use | **SeTcbPrivilege:
**Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| Audit Sensitive Privilege Use | **SeEnableDelegationPrivilege:
**Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | + +## Security Monitoring Recommendations + +For 4673(S, F): A privileged service was called. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. Especially monitor Failure events. + +- If you need to monitor events related to specific Windows subsystems (“**Service\\Server**”), for example **NT Local Security Authority / Authentication Service** or **Security Account Manager**, monitor this event for the corresponding “**Service\\Server**.” + +- If you need to monitor events related to specific Windows security services or functions (“**Service\\Service Name**”), for example **LsaRegisterLogonProcess()**, monitor this event for the corresponding “**Service\\Service Name**.” + + + +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. 
+ +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + + + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + +- For a specific “**Subject\\Security ID**,” if there is a defined list of allowed privileges, monitor for “**Privileges**” that it should not be able to use. + +- If you have a list of specific user rights which should never be used, or used only by a few accounts (for example, SeDebugPrivilege), trigger an alert for those “**Privileges**.” + +- If you have a list of specific user rights for which every use must be reported or monitored (for example, SeRemoteShutdownPrivilege), trigger an alert for those “**Privileges**.” + diff --git a/windows/keep-secure/event-4674.md b/windows/keep-secure/event-4674.md new file mode 100644 index 0000000000..41518d4e2b --- /dev/null +++ b/windows/keep-secure/event-4674.md 
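Review bot: in event-4673.md, SeLockMemoryPrivilege is listed in both privilege tables, once under Audit Non Sensitive Privilege Use (`**SeLockMemoryPrivilege:** Lock pages in memory`) and again under Audit Sensitive Privilege Use with the same description; the Privileges field description says the subcategory is "either Audit Non Sensitive Privilege Use or Audit Sensitive Privilege Use", so one of the two rows should go (the 4672 topic's sensitive-privilege table in this same patch does not include it). Conversely, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege and SeTakeOwnershipPrivilege appear in the 4672 sensitive-privilege table but not in this topic's Audit Sensitive Privilege Use table; please confirm whether that omission is intended. Formatting: in every row of both tables the bold span opens before the privilege name and only closes after the line break on the following line (`**SeChangeNotifyPrivilege:` / `**Bypass traverse checking`), so the break sits inside the bold; close it after the colon instead (`**SeChangeNotifyPrivilege:** Bypass traverse checking`). The `**Trusted for Deleg**ation` split from the 4672 topic is repeated in the SeEnableDelegationPrivilege row here, and the Security Monitoring Recommendations list again has runs of blank lines between bullets that will break the list.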
@@ -0,0 +1,224 @@ +--- +title: 4674(S, F) An operation was attempted on a privileged object. (Windows 10) +description: Describes security event 4674(S, F) An operation was attempted on a privileged object. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4674(S, F): An operation was attempted on a privileged object. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4674 illustration + +***Subcategories:*** [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) and [Audit Non Sensitive Privilege Use](audit-non-sensitive-privilege-use.md) + +***Event Description:*** + +This event generates when an attempt is made to perform privileged operations on a protected subsystem object after the object is already opened. + +This event generates, for example, when SeShutdownPrivilege, SeRemoteShutdownPrivilege, or SeSecurityPrivilege is used. + +Failure event generates when operation attempt fails. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4674 + 0 + 0 + 13056 + 0 + 0x8010000000000000 + + 1099680 + + + Security + DC01.contoso.local + + +- + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + LSA + - + - + 0x0 + 16777216 + SeSecurityPrivilege + 0x1f0 + C:\\Windows\\System32\\lsass.exe + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested privileged operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested privileged operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Object**: + +- **Object Server** \[Type = UnicodeString\] \[Optional\]: Contains the name of the Windows subsystem calling the routine. Subsystems examples are: + + - Security + + - Security Account Manager + + - NT Local Security Authority / Authentication Service + + - SC Manager + + - Win32 SystemShutdown module + + - LSA + +- **Object Type** \[Type = UnicodeString\] \[Optional\]: The type of an object that was accessed during the operation. + + The following table contains the list of the most common **Object Types**: + +| Directory | Event | Timer | Device | +|-------------------------|--------------|----------------------|--------------------| +| Mutant | Type | File | Token | +| Thread | Section | WindowStation | DebugObject | +| FilterCommunicationPort | EventPair | Driver | IoCompletion | +| Controller | SymbolicLink | WmiGuid | Process | +| Profile | Desktop | KeyedEvent | SC\_MANAGER OBJECT | +| Key | WaitablePort | Callback | | +| Job | Port | FilterConnectionPort | | +| ALPC Port | Semaphore | Adapter | | + +- **Object Name** \[Type = UnicodeString\] \[Optional\]: the name of the object that was accessed during the operation. + +- **Object Handle** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. 
This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4656: A handle to an object was requested” event in appropriate/other subcategory. This parameter might not be captured in the event, and in that case appears as “0x0”. + +**Process Information:** + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted the operation on the privileged object. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + +**Requested Operation**: + +- **Desired Access** \[Type = UnicodeString\]: The desired access mask. This mask depends on **Object Server** and **Object Type** parameters values. The value of this parameter is in decimal format. There is no detailed information about this parameter in this document. If **Desired Access** is not presented, then this parameter will have “**0**” value. + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were requested. The possible privileges depend on the subcategory, either **Audit Non Sensitive Privilege Use** or **Audit Sensitive Privilege Use**, as shown in the following two tables: + +| **Subcategory of event** | **Privilege Name:
User Right Group Policy Name** | **Description** | +|-----------------------------------|----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Audit Non Sensitive Privilege Use | **SeChangeNotifyPrivilege:
**Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| Audit Non Sensitive Privilege Use | **SeCreateGlobalPrivilege:
**Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| Audit Non Sensitive Privilege Use | **SeCreatePagefilePrivilege:
**Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| Audit Non Sensitive Privilege Use | **SeCreatePermanentPrivilege:
**Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| Audit Non Sensitive Privilege Use | **SeCreateSymbolicLinkPrivilege:
**Create symbolic links | Required to create a symbolic link. | +| Audit Non Sensitive Privilege Use | **SeIncreaseBasePriorityPrivilege:
**Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| Audit Non Sensitive Privilege Use | **SeIncreaseQuotaPrivilege:
**Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| Audit Non Sensitive Privilege Use | **SeIncreaseWorkingSetPrivilege:
**Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| Audit Non Sensitive Privilege Use | **SeLockMemoryPrivilege:
**Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Non Sensitive Privilege Use | **SeMachineAccountPrivilege:
**Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers. | +| Audit Non Sensitive Privilege Use | **SeManageVolumePrivilege:
**Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| Audit Non Sensitive Privilege Use | **SeProfileSingleProcessPrivilege:
**Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| Audit Non Sensitive Privilege Use | **SeRelabelPrivilege:
**Modify an object label | Required to modify the mandatory integrity level of an object. | +| Audit Non Sensitive Privilege Use | **SeRemoteShutdownPrivilege:
**Force shutdown from a remote system | Required to shut down a system using a network request. | +| Audit Non Sensitive Privilege Use | **SeShutdownPrivilege:
**Shut down the system | Required to shut down a local system. | +| Audit Non Sensitive Privilege Use | **SeSyncAgentPrivilege:
**Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| Audit Non Sensitive Privilege Use | **SeSystemProfilePrivilege:
**Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| Audit Non Sensitive Privilege Use | **SeSystemtimePrivilege:
**Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| Audit Non Sensitive Privilege Use | **SeTimeZonePrivilege:
**Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| Audit Non Sensitive Privilege Use | **SeTrustedCredManAccessPrivilege:
**Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| Audit Non Sensitive Privilege Use | **SeUndockPrivilege:
**Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | + +| **Subcategory of event** | **Privilege Name:
User Right Group Policy Name** | **Description** | +|-------------------------------|----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Audit Sensitive Privilege Use | **SeAssignPrimaryTokenPrivilege:
**Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| Audit Sensitive Privilege Use | **SeAuditPrivilege:
**Generate security audits | With this privilege, the user can add entries to the security log. | +| Audit Sensitive Privilege Use | **SeBackupPrivilege:
**Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| Audit Sensitive Privilege Use | **SeCreateTokenPrivilege:
**Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| Audit Sensitive Privilege Use | **SeDebugPrivilege:
**Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right.
This user right provides complete access to sensitive and critical operating system components. | +| Audit Sensitive Privilege Use | **SeImpersonatePrivilege:
**Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| Audit Sensitive Privilege Use | **SeLoadDriverPrivilege:
**Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| Audit Sensitive Privilege Use | **SeLockMemoryPrivilege:
**Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Sensitive Privilege Use | **SeRestorePrivilege:
**Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| Audit Sensitive Privilege Use | **SeSecurityPrivilege:
**Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log. | +| Audit Sensitive Privilege Use | **SeSystemEnvironmentPrivilege:
**Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| Audit Sensitive Privilege Use | **SeTakeOwnershipPrivilege:
**Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | + +## Security Monitoring Recommendations + +For 4674(S, F): An operation was attempted on a privileged object. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. Especially monitor Failure events. + + + +- If you need to monitor events related to specific Windows subsystems (“**Object Server**”), for example **LSA** or **Security Account Manager**, monitor this event for the corresponding “**Object Server**.” + +- If you need to monitor events related to specific Windows object types (“**Object Type**”), for example **File** or **Key**, monitor this event for the corresponding “**Object Type**.” + +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). 
+ + + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + + + +- If you know that specific “**Subject\\Security ID**” should only be able to use the privileges in a pre-defined list, monitor for events in which “**Subject\\Security ID**” used “**Privileges**” that are not on that list. + + + +- If you have a list of specific user rights which should never be used, or used only by a few accounts (for example, SeDebugPrivilege), trigger an alert for those “**Privileges**.” + +- If you have a list of specific user rights for which every use must be reported or monitored (for example, SeRemoteShutdownPrivilege), trigger an alert for those “**Privileges**.” + diff --git a/windows/keep-secure/event-4675.md b/windows/keep-secure/event-4675.md new file mode 100644 index 0000000000..dc8a19e120 --- /dev/null +++ b/windows/keep-secure/event-4675.md 
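Review bot: SeLockMemoryPrivilege ("Lock pages in memory") appears with identical text in both the Audit Non Sensitive Privilege Use table and the Audit Sensitive Privilege Use table; a privilege is audited under one subcategory, so one of the two rows should be removed, or the text should state why it is listed under both. The SeBackupPrivilege cell also opens with a stray list marker, "- Required to perform backup operations.", which renders as a bullet inside the table; drop the "- " to match the other rows. Minor: the SeTrustedCredManAccessPrivilege description only restates the right's name ("Required to access Credential Manager as a trusted caller"), so a reader deciding whether to alert on it gets no information about what a trusted caller can do; one sentence on the effect of the privilege would make the row consistent with the rest of the table.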
@@ -0,0 +1,61 @@ +--- +title: 4675(S) SIDs were filtered. (Windows 10) +description: Describes security event 4675(S) SIDs were filtered. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4675(S): SIDs were filtered. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates when SIDs were filtered for specific Active Directory trust. + +See more information about SID filtering here: . + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +There is no example of this event in this document. + +***Subcategory:*** [Audit Logon](audit-logon.md) + +***Event Schema:*** + +*SIDs were filtered.* + +*Target Account:* + +> *Security ID:%1* +> +> *Account Name:%2* +> +> *Account Domain:%3* + +*Trust Information:* + +> *Trust Direction:%4* +> +> *Trust Attributes:%5* +> +> *Trust Type:%6* +> +> *TDO Domain SID:%7* +> +> *Filtered SIDs:%8* + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. 
+ +## Security Monitoring Recommendations + +- If you need to monitor all SID filtering events/operations for specific or all Active Directory trusts, you can use this event to get all required information. + diff --git a/windows/keep-secure/event-4688.md b/windows/keep-secure/event-4688.md new file mode 100644 index 0000000000..b152e305fb --- /dev/null +++ b/windows/keep-secure/event-4688.md @@ -0,0 +1,212 @@ +--- +title: 4688(S) A new process has been created. (Windows 10) +description: Describes security event 4688(S) A new process has been created. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4688(S): A new process has been created. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4688 illustration + +***Subcategory:*** [Audit Process Creation](audit-process-creation.md) + +***Event Description:*** + +This event generates every time a new process starts. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + 2814 + + + Security + WIN-GG82ULGC9GO.contoso.local + + +- + S-1-5-18 + WIN-GG82ULGC9GO$ + CONTOSO + 0x3e7 + 0x2bc + C:\\Windows\\System32\\rundll32.exe + %%1938 + 0xe74 + + S-1-5-21-1377283216-344919071-3415362939-1104 + dadmin + CONTOSO + 0x4a5af0 + C:\\Windows\\explorer.exe + S-1-16-8192 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** + +- 0 - Windows Server 2008, Windows Vista. + +- 1 - Windows Server 2012 R2, Windows 8.1. + + - Added “Process Command Line” field. + +- 2 - Windows 10. + + - **Subject** renamed to **Creator Subject**. + + - Added “**Target Subject**” section. + + - Added “**Mandatory Label**” field. + + - Added “**Creator Process Name**” field. + +***Field Descriptions:*** + +**Creator Subject** \[Value for versions 0 and 1 – **Subject**\]**:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “create process” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. 
For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create process” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Target Subject** \[Version 2\]**:** + +> **Note**  This event includes the principal of the process creator, but this is not always sufficient if the target context is different from the creator context. In that situation, the subject specified in the process termination event does not match the subject in the process creation event even though both events refer to the same process ID. Therefore, in addition to including the creator of the process, we will also include the target principal when the creator and target do not share the same logon. + +- **Security ID** \[Type = SID\] \[Version 2\]**:** SID of target account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. 
+ +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\] \[Version 2\]**:** the name of the target account. + +- **Account Domain** \[Type = UnicodeString\] \[Version 2\]**:** target account’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\] \[Version 2\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Process Information:** + +- **New Process ID** \[Type = Pointer\]: hexadecimal Process ID of the new process. Process ID (PID) is a number used by the operating system to uniquely identify an active process. 
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + +> If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + +- **New Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the new process. + +- **Token Elevation Type** \[Type = UnicodeString\]**: ** + + - **TokenElevationTypeDefault (1):** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC disabled by default), service account or local system account. + + - **TokenElevationTypeFull (2):** Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. + + - **TokenElevationTypeLimited (3):** Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. + +- **Mandatory Label** \[Version 2\] \[Type = SID\]**:** SID of [integrity label](https://msdn.microsoft.com/en-us/library/windows/desktop/bb648648(v=vs.85).aspx) which was assigned to the new process. Can have one of the following values: + +| SID | RID | RID label | Meaning | +|--------------|------------|----------------------------------------------|------------------------| +| S-1-16-0 | 0x00000000 | SECURITY\_MANDATORY\_UNTRUSTED\_RID | Untrusted. 
| +| S-1-16-4096 | 0x00001000 | SECURITY\_MANDATORY\_LOW\_RID | Low integrity. | +| S-1-16-8192 | 0x00002000 | SECURITY\_MANDATORY\_MEDIUM\_RID | Medium integrity. | +| S-1-16-8448 | 0x00002100 | SECURITY\_MANDATORY\_MEDIUM\_PLUS\_RID | Medium high integrity. | +| S-1-16-12288 | 0X00003000 | SECURITY\_MANDATORY\_HIGH\_RID | High integrity. | +| S-1-16-16384 | 0x00004000 | SECURITY\_MANDATORY\_SYSTEM\_RID | System integrity. | +| S-1-16-20480 | 0x00005000 | SECURITY\_MANDATORY\_PROTECTED\_PROCESS\_RID | Protected process. | + +- **Creator Process ID** \[Type = Pointer\]**:** hexadecimal Process ID of the process which ran the new process. If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + +> You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Creator Process Name** \[Version 2\] \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + +- **Process Command Line** \[Version 1, 2\] \[Type = UnicodeString\]**:** contains the name of executable and arguments which were passed to it. You must enable “Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events” group policy to include command line in process creation events: + + Group policy illustration + + By default **Process Command Line** field is empty. + +## Security Monitoring Recommendations + +For 4688(S): A new process has been created. 
+ +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor all events with the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor all events with the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Creator Subject\\Security ID”** and **“Target Subject\\Security ID”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** to see whether the account type is as expected. 
| +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** for names that don’t comply with naming conventions. | + +- If you have a pre-defined “**New** **Process Name**” or **“Creator Process Name**” for the process reported in this event, monitor all events with “**New** **Process Name**” or **“Creator Process Name**” not equal to your defined value. + +- You can monitor to see if “**New** **Process Name**” or **“Creator Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + +- If you have a pre-defined list of restricted substrings or words in process names (for example “**mimikatz**” or “**cain.exe**”), check for these substrings in “**New** **Process Name**” or **“Creator Process Name**.” + +- It can be unusual for a process to run using a local account in either **Creator Subject\\Security ID** or in **Target** **Subject\\Security ID**. 
+ +- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (1)** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol**.** Typically this means that UAC is disabled for this account for some reason. + +- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol**.** This means that a user ran a program using administrative privileges. + +- You can also monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when a computer object was used to run the process, but that computer object is not the same computer where the event occurs. + +- If you need to monitor all new processes with a specific Mandatory Label, for example S-1-16-20480 (Protected process), check the “**Mandatory Label**” in this event. + diff --git a/windows/keep-secure/event-4689.md b/windows/keep-secure/event-4689.md new file mode 100644 index 0000000000..e5f97fe698 --- /dev/null +++ b/windows/keep-secure/event-4689.md @@ -0,0 +1,119 @@ +--- +title: 4689(S) A process has exited. (Windows 10) +description: Describes security event 4689(S) A process has exited. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4689(S): A process has exited. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4689 illustration + +***Subcategory:*** [Audit Process Termination](audit-process-termination.md) + +***Event Description:*** + +This event generates every time a process has exited. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4689 + 0 + 0 + 13313 + 0 + 0x8020000000000000 + + 187030 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x31365 + 0x0 + 0xfb0 + C:\\Windows\\System32\\notepad.exe + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “terminate process” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “terminate process” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Process Information:** + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the ended/terminated process. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md)(S): A new process has been created” **New Process ID** on this computer. + +- **Process Name** \[Type = UnicodeString\]**:** full path and the executable name of the exited/terminated process. + +- **Exit Status** \[Type = HexInt32\]**:** hexadecimal exit code of exited/terminated process. This exit code is unique for every application, check application documentation for more details. The exit code value for a process reflects the specific convention implemented by the application developer for that process. + +## Security Monitoring Recommendations + +For 4689(S): A process has exited. 
+ +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + +- If you have a critical processes list for the computer, with the requirement that these processes must always run and not stop, you can monitor **Process Name** field in [4689](event-4689.md) events for these process names. + diff --git a/windows/keep-secure/event-4690.md b/windows/keep-secure/event-4690.md new file mode 100644 index 0000000000..d7ac11d773 --- /dev/null +++ b/windows/keep-secure/event-4690.md @@ -0,0 +1,118 @@ +--- +title: 4690(S) An attempt was made to duplicate a handle to an object. (Windows 10) +description: Describes security event 4690(S) An attempt was made to duplicate a handle to an object. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4690(S): An attempt was made to duplicate a handle to an object. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4690 illustration + +***Subcategory:*** [Audit Handle Manipulation](audit-handle-manipulation.md) + +***Event Description:*** + +This event generates if an attempt was made to duplicate a handle to an object. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4690 + 0 + 0 + 12807 + 0 + 0x8020000000000000 + + 338632 + + + Security + DC01.contoso.local + + +- + S-1-5-18 + DC01$ + CONTOSO + 0x3e7 + 0x438 + 0x674 + 0xd9c + 0x4 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that made an attempt to duplicate a handle to an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to duplicate a handle to an object. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Source Handle Information:** + +- **Source Handle ID** \[Type = Pointer\]: hexadecimal value of a handle which was duplicated. This field can help you correlate this event with other events, for example “4663: An attempt was made to access an object” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) or [Audit SAM](audit-sam.md) subcategories. + +- **Source Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which opened the **Source Handle ID** before it was duplicated. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. 
+ +**New Handle Information:** + +- **Target Handle ID** \[Type = Pointer\]: hexadecimal value of the new handle (the copy of **Source Handle ID**). This field can help you correlate this event with other events, for example “4663: An attempt was made to access an object” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) or [Audit SAM](audit-sam.md) subcategories. + +- **Target Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which opened the **Target Handle ID**. Process ID (PID) is a number used by the operating system to uniquely identify an active process. You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID** field. + +## Security Monitoring Recommendations + +For 4690(S): An attempt was made to duplicate a handle to an object. + +- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with it. + +- This event can be used to track all actions or operations related to a specific object handle. + diff --git a/windows/keep-secure/event-4691.md b/windows/keep-secure/event-4691.md new file mode 100644 index 0000000000..ba22553755 --- /dev/null +++ b/windows/keep-secure/event-4691.md 
@@ -0,0 +1,135 @@ +--- +title: 4691(S) Indirect access to an object was requested. (Windows 10) +description: Describes security event 4691(S) Indirect access to an object was requested. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4691(S): Indirect access to an object was requested. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4691 illustration + +***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) + +***Event Description:*** + +This event indicates that indirect access to an object was requested. + +These events are generated for [ALPC Ports](https://msdn.microsoft.com/en-us/library/windows/desktop/aa964738(v=vs.85).aspx) access request actions. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4691 + 0 + 0 + 12804 + 0 + 0x8020000000000000 + + 344382 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x36509 + ALPC Port + \\Sessions\\2\\Windows\\DwmApiPort + %%4464 + 0x1 + 0xe60 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested an access to the object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested an access to the object. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Object**: + +- **Object Type** \[Type = UnicodeString\]: The type of an object for which access was requested. + + The following table contains the list of the most common **Object Types**: + +| Directory | Event | Timer | Device | +|-------------------------|--------------|----------------------|--------------| +| Mutant | Type | File | Token | +| Thread | Section | WindowStation | DebugObject | +| FilterCommunicationPort | EventPair | Driver | IoCompletion | +| Controller | SymbolicLink | WmiGuid | Process | +| Profile | Desktop | KeyedEvent | Adapter | +| Key | WaitablePort | Callback | Semaphore | +| Job | Port | FilterConnectionPort | ALPC Port | + +- **Object Name** \[Type = UnicodeString\]: full path and name of the object for which access was requested. + +**Process Information:** + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the access was requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. 
+ + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +**Access Request Information:** + +- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. “Table 13. File access codes.” contains information about the most common access rights for file system objects. For information about ALPC ports access rights, use or other informational resources. + +- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. See “Table 13. File access codes.” for more information about file access rights. For information about ALPC ports access rights, use or other informational resources. + +## Security Monitoring Recommendations + +For 4691(S): Indirect access to an object was requested. + +- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with ALPC Ports. + diff --git a/windows/keep-secure/event-4692.md b/windows/keep-secure/event-4692.md new file mode 100644 index 0000000000..aba10585e3 --- /dev/null +++ b/windows/keep-secure/event-4692.md 
@@ -0,0 +1,126 @@ +--- +title: 4692(S, F) Backup of data protection master key was attempted. (Windows 10) +description: Describes security event 4692(S, F) Backup of data protection master key was attempted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4692(S, F): Backup of data protection master key was attempted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4692 illustration + +***Subcategory:*** [Audit DPAPI Activity](audit-dpapi-activity.md) + +***Event Description:*** + +This event generates every time that a backup is attempted for the [DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx) Master Key. + +When a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. When a Master Key is generated, DPAPI communicates with a domain controller. Domain controllers have a domain-wide public/private key pair, associated solely with DPAPI. The local DPAPI client gets the domain controller public key from a domain controller by using a mutually authenticated and privacy protected RPC call. The client encrypts the Master Key with the domain controller public key. It then stores this backup Master Key along with the Master Key protected by the user's password. + +Periodically, a domain-joined machine will try to send an RPC request to a domain controller to back up the user’s master key so that the user can recover secrets in case his or her password has to be reset. Although the user's keys are stored in the user profile, a domain controller must be contacted to encrypt the master key with a domain recovery key. + +This event also generates every time a new DPAPI Master Key is generated, for example. + +This event generates on domain controllers, member servers, and workstations. + +Failure event generates when a Master Key backup operation fails for some reason. 
+ +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4692 + 0 + 0 + 13314 + 0 + 0x8020000000000000 + + 176964 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-500 + ladmin + CONTOSO + 0x30c08 + 16cfaea0-dbe3-4d92-9523-d494edb546bc + + 806a0350-aeb1-4c56-91f9-ef16cf759291 + 0x0 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested backup operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested backup operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Key Information:** + +- **Key Identifier** \[Type = UnicodeString\]: unique identifier of a master key which backup was created. The Master Key is used, with some additional data, to generate an actual symmetric session key to encrypt\\decrypt the data using DPAPI. All of user's Master Keys are located in user profile -> %APPDATA%\\Roaming\\Microsoft\\Windows\\Protect\\%SID% folder. The name of every Master Key file is it’s ID. + +- **Recovery Server** \[Type = UnicodeString\]: the name (typically – DNS name) of the computer that you contacted to back up your Master Key. For domain joined machines, it’s typically a name of a domain controller. This parameter might not be captured in the event, and in that case will be empty. + +- **Recovery Key ID** \[Type = UnicodeString\]**:** unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when first Master Key is generated. First, DPAPI generates a RSA public/private key pair, which is the recovery key. In this field you will see unique Recovery key ID which was used for Master key backup operation. + + For Failure events this field is typically empty. 
+ +**Status Information:** + +- **Status Code** \[Type = HexInt32\]**:** hexadecimal unique status code of performed operation. For Success events this field is typically “**0x0**”. To see the meaning of status code you need to convert it to decimal value and us “**net helpmsg STATUS\_CODE**” command to see the description for specific STATUS\_CODE. Here is an example of “net helpmsg” command output for status code 0x3A: + +> \[Net helpmsg 58 illustration](images/net-helpmsg-58.png) + +## Security Monitoring Recommendations + +For 4692(S, F): Backup of data protection master key was attempted. + +- This event is typically an informational event and it is difficult to detect any malicious activity using this event. It’s mainly used for DPAPI troubleshooting. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + diff --git a/windows/keep-secure/event-4693.md b/windows/keep-secure/event-4693.md new file mode 100644 index 0000000000..3134110a5c --- /dev/null +++ b/windows/keep-secure/event-4693.md 
@@ -0,0 +1,127 @@ +--- +title: 4693(S, F) Recovery of data protection master key was attempted. (Windows 10) +description: Describes security event 4693(S, F) Recovery of data protection master key was attempted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4693(S, F): Recovery of data protection master key was attempted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4693 illustration + +***Subcategory:*** [Audit DPAPI Activity](audit-dpapi-activity.md) + +***Event Description:*** + +This event generates every time that recovery is attempted for a [DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx) Master Key. + +While unprotecting data, if DPAPI cannot use the Master Key protected by the user's password, it sends the backup Master Key to a domain controller by using a mutually authenticated and privacy protected RPC call. The domain controller then decrypts the Master Key with its private key and sends it back to the client by using the same protected RPC call. This protected RPC call is used to ensure that no one listening on the network can get the Master Key. + +This event generates on domain controllers, member servers, and workstations. + +Failure event generates when a Master Key restore operation fails for some reason. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4693 + 0 + 0 + 13314 + 0 + 0x8020000000000000 + + 175809 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x30d7c + 0445c766-75f0-4de7-82ad-d9d97aad59f6 + 0x5c005c + DC01.contoso.local + + 0x380000 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “recover” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “recover” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Key Information:** + +- **Key Identifier** \[Type = UnicodeString\]**:** unique identifier of a master key which was recovered. The Master Key is used, with some additional data, to generate an actual symmetric session key to encrypt\\decrypt the data using DPAPI. All of user's Master Keys are located in user profile -> %APPDATA%\\Roaming\\Microsoft\\Windows\\Protect\\%SID% folder. The name of every Master Key file is it’s ID. + +- **Recovery Server** \[Type = UnicodeString\]: the name (typically – DNS name) of the computer that you contacted to recover your Master Key. For domain joined machines, it’s typically a name of a domain controller. + +> **Note**  In this event Recovery Server field contains information from Recovery Reason field. + +- **Recovery Key ID** \[Type = UnicodeString\]**:** unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when first Master Key is generated. First, DPAPI generates a RSA public/private key pair, which is the recovery key. In this field you will see unique Recovery key ID which was used for Master key recovery operation. 
This parameter might not be captured in the event, and in that case will be empty. + +- **Recovery Reason** \[Type = HexInt32\]: hexadecimal code of recovery reason. + +> **Note**  In this event Recovery Reason field contains information from Recovery Server field. + +**Status Information:** + +- **Status Code** \[Type = HexInt32\]**:** hexadecimal unique status code. For Success events this field is typically “**0x380000**”. + +## Security Monitoring Recommendations + +For 4693(S, F): Recovery of data protection master key was attempted. + +- This event is typically an informational event and it is difficult to detect any malicious activity using this event. It’s mainly used for DPAPI troubleshooting. + +- For domain joined computers, **Recovery Reason** should typically be a domain controller DNS name. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + diff --git a/windows/keep-secure/event-4694.md b/windows/keep-secure/event-4694.md new file mode 100644 index 0000000000..ebd12e3f78 --- /dev/null +++ b/windows/keep-secure/event-4694.md 
@@ -0,0 +1,63 @@ +--- +title: 4694(S, F) Protection of auditable protected data was attempted. (Windows 10) +description: Describes security event 4694(S, F) Protection of auditable protected data was attempted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4694(S, F): Protection of auditable protected data was attempted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates if [DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx)  [**CryptProtectData**](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380261(v=vs.85).aspx)() function was used with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled. + +There is no example of this event in this document. + +***Subcategory:*** [Audit DPAPI Activity](audit-dpapi-activity.md) + +***Event Schema:*** + +*Protection of auditable protected data was attempted.* + +*Subject:* + +> *Security ID:%1* +> +> *Account Name:%2* +> +> *Account Domain:%3* +> +> *Logon ID:%4* + +*Protected Data:* + +> *Data Description:%6* +> +> *Key Identifier:%5* +> +> *Protected Data Flags:%7* +> +> *Protection Algorithms:%8* + +*Status Information:* + +> *Status Code:%9* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + +- This event is typically an informational event and it is difficult to detect any malicious activity using this event. It’s mainly used for DPAPI troubleshooting. + diff --git a/windows/keep-secure/event-4695.md b/windows/keep-secure/event-4695.md new file mode 100644 index 0000000000..48d9dd1dc6 --- /dev/null +++ b/windows/keep-secure/event-4695.md 
@@ -0,0 +1,63 @@ +--- +title: 4695(S, F) Unprotection of auditable protected data was attempted. (Windows 10) +description: Describes security event 4695(S, F) Unprotection of auditable protected data was attempted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4695(S, F): Unprotection of auditable protected data was attempted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates if [DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx) [CryptUnprotectData](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380882(v=vs.85).aspx)() function was used to unprotect “auditable” data that was encrypted using [**CryptProtectData**](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380261(v=vs.85).aspx)() function with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled. + +There is no example of this event in this document. + +***Subcategory:*** [Audit DPAPI Activity](audit-dpapi-activity.md) + +***Event Schema:*** + +*Unprotection of auditable protected data was attempted.* + +*Subject:* + +> *Security ID:%1* +> +> *Account Name:%2* +> +> *Account Domain:%3* +> +> *Logon ID:%4* + +*Protected Data:* + +> *Data Description:%6* +> +> *Key Identifier:%5* +> +> *Protected Data Flags:%7* +> +> *Protection Algorithms:%8* + +*Status Information:* + +> *Status Code:%9* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + +- This event is typically an informational event and it is difficult to detect any malicious activity using this event. It’s mainly used for DPAPI troubleshooting. + diff --git a/windows/keep-secure/event-4696.md b/windows/keep-secure/event-4696.md new file mode 100644 index 0000000000..e4746f74c9 --- /dev/null +++ b/windows/keep-secure/event-4696.md 
@@ -0,0 +1,163 @@ +--- +title: 4696(S) A primary token was assigned to process. (Windows 10) +description: Describes security event 4696(S) A primary token was assigned to process. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4696(S): A primary token was assigned to process. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4696 illustration + +***Subcategory:*** [Audit Process Creation](audit-process-creation.md) + +***Event Description:*** + +This event generates every time a process runs using the non-current access token, for example, UAC elevated token, RUN AS different user actions, scheduled task with defined user, services, and so on. + +***IMPORTANT*:** this event is deprecated starting from Windows 7 and Windows 2008 R2. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4696 + 0 + 0 + 13312 + 0 + 0x8020000000000000 + + 561 + + + Security + Win2008.contoso.local + + +- + S-1-5-18 + WIN2008$ + CONTOSO + 0x3e7 + S-1-5-18 + dadmin + CONTOSO + 0x1c8c5 + 0xf40 + C:\\Windows\\System32\\WerFault.exe + 0x698 + C:\\Windows\\System32\\svchost.exe + + + +``` + +***Required Server Roles:*** this event is deprecated starting from Windows 7 and Windows 2008 R2. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “assign token to process” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “assign token to process” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Process Information:** + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which started the new process with the new security token. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Process Name** \[Type = UnicodeString\]: full path and the name of the executable for the process which ran the new process with new security token. + +**Target Process:** + +- **Target Process ID** \[Type = Pointer\]**:** hexadecimal Process ID of the new process with new security token. If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. 
+ +> You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Target Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the new process. + +**New Token Information:** + +- **Security ID** \[Type = SID\]**:** SID of account through which the security token will be assigned to the new process. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account through which the security token will be assigned to the new process. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +## Security Monitoring Recommendations + +For 4696(S): A primary token was assigned to process. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** and **“New Token Information\\Security ID”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** to see whether the account type is as expected. 
| +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor **“Subject\\Security ID”** or **“New Token Information\\Security ID”** for names that don’t comply with naming conventions. | + +- If you have a pre-defined “**Process Name**” or “**Target Process Name**” for the process reported in this event, monitor all events with “**Process Name**” or “**Target Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” or “**Target Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**” or “**Target Process Name**”. + +- It can be uncommon if process runs using local account. + diff --git a/windows/keep-secure/event-4697.md b/windows/keep-secure/event-4697.md new file mode 100644 index 0000000000..0213aa9f0a --- /dev/null +++ b/windows/keep-secure/event-4697.md 
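Review bot: in event-4696.md the deprecation is handled inconsistently: the IMPORTANT line says the event is deprecated starting from Windows 7 and Windows 2008 R2, yet "Applies to" lists only Windows 10 and Windows Server 2016, "Required Server Roles" repeats the deprecation sentence instead of a role value, and an eight-row monitoring table follows for an event the page itself says is deprecated on every OS it applies to. Suggest "***Required Server Roles:*** None.", one clear statement near the top that readers on Windows 10 / Windows Server 2016 should not expect this event and should use "4688: A new process has been created" (which the Field Descriptions already point to for correlation) for the same process information, and a one-line preface to the recommendations saying they apply only where the event is still generated. Wording: "runs using the non-current access token" is unclear; "runs under an access token other than the caller's own" says what is meant. The last bullet "It can be uncommon if process runs using local account" should read "It is uncommon for a process to be started under a local account; review such events."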
@@ -0,0 +1,156 @@ +--- +title: 4697(S) A service was installed in the system. (Windows 10) +description: Describes security event 4697(S) A service was installed in the system. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4697(S): A service was installed in the system. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4697 illustration + +***Subcategory:*** [Audit Security System Extension](audit-security-system-extension.md) + +***Event Description:*** + +This event generates when new service was installed in the system. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4697 + 0 + 0 + 12289 + 0 + 0x8020000000000000 + + 2778 + + + Security + WIN-GG82ULGC9GO.contoso.local + + +- + S-1-5-18 + WIN-GG82ULGC9GO$ + CONTOSO + 0x3e7 + AppHostSvc + %windir%\\system32\\svchost.exe -k apphost + 0x20 + 2 + localSystem + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2016, Windows 10. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that was used to install the service. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was used to install the service. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Service Information:** + +- **Service Name** \[Type = UnicodeString\]: the name of installed service. + +BrancheCache Properties illustration + +- **Service File Name** \[Type = UnicodeString\]: This is the fully rooted path to the file that the Service Control Manager will execute to start the service. If command-line parameters are specified as part of the image path, those are logged. + + Note that this is the path to the file when the service is created. If the path is changed afterwards, the change is not logged. This would have to be tracked via Process Create events. + +- **Service Type** \[Type = HexInt32\]: Indicates the [type](https://msdn.microsoft.com/en-us/library/tfdtdw0e(v=vs.110).aspx?cs-save-lang=1&cs-lang=csharp#code-snippet-1) of service that was registered with the Service Control Manager. It can be one of the following: + +| Value | Service Type | Description | +|-------|---------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x1 | ​Kernel Driver | ​A Kernel device driver such as a hard disk or other low-level hardware device driver. 
| +| 0x2 | ​File System Driver | ​A file system driver, which is also a Kernel device driver. | +| 0x8 | ​Recognizer Driver | ​A file system driver used during startup to determine the file systems present on the system. | +| 0x10 | ​Win32 Own Process | ​A Win32 program that can be started by the Service Controller and that obeys the service control protocol. This type of Win32 service runs in a process by itself (this is the most common). | +| 0x20 | ​Win32 Share Process | ​A Win32 service that can share a process with other Win32 services.
(see: | +| 0x110 | ​Interactive Own Process | ​A service that should be run as a standalone process and can communicate with the desktop.
(see: ) | +| 0x120 | Interactive Share Process | A service that can share address space with other services of the same type and can communicate with the desktop. | + +- **Service Start Type** \[Type = HexInt32\]: The service start type can have one of the following values (see: : + +| Value | Service Type | Description | +|-------|---------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | ​ Boot | ​A device driver started by the system loader. This value is valid only for driver services. | +| 1 | ​ System | ​A device driver started by the IoInitSystem() function. This value is valid only for driver services. | +| 2 | ​ Automatic | ​A service started automatically by the service control manager during system startup. | +| 2 | ​ Automatic Delayed | ​A service started after all auto-start services have started, plus a delay. Delayed Auto Start services are started one at a time in a serial fashion. | +| 3 | ​ Manual | ​Manual start. A service started by the service control manager when a process calls the StartService function. | +| 4 | ​ Disabled | ​A service that cannot be started. Attempts to start the service result in the error code ERROR\_SERVICE\_DISABLED. | + +Most services installed are configured to **Auto Load**, so that they start automatically after Services.exe process is started. + +- **Service Account** \[Type = UnicodeString\]: The security context that the service will run as when started. Note that this is what was configured when the service was installed, if the account is changed later that is not logged. + + The service account parameter is only populated if the service type is a "Win32 Own Process" or "Win32 Share Process" (displayed as "User Mode Service."). Kernel drivers do not have a service account name logged. 
+ + If a service (Win32 Own/Share process) is installed but no account is supplied, then LocalSystem is used. + + The token performing the logon is inspected, and if it has a SID then that SID value is populated in the event (in the System/Security node), if not, then it is blank. + +## Security Monitoring Recommendations + +For 4697(S): A service was installed in the system. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- We recommend monitoring for this event, especially on high value assets or computers, because a new service installation should be planned and expected. Unexpected service installation should trigger an alert. + +- Monitor for all events where **“Service File Name”** is not located in **%windir%** or **“Program Files/Program Files (x86)”** folders. Typically new services are located in these folders. + + + +- Report all “**Service Type**” equals “**0x1**”, “**0x2**” or “**0x8**”. These service types start first and have almost unlimited access to the operating system from the beginning of operating system startup. These types are very rarely installed. + +- Report all “**Service Start Type**” equals “**0**” or “**1**”. These service start types are used by drivers, which have unlimited access to the operating system. + +- Report all “**Service Start Type**” equals “**4**”. It is not common to install a new service in the **Disabled** state. + +- Report all “**Service Account**” not equals “**localSystem**”, “**localService**” or “**networkService**” to identify services which are running under a user account. + diff --git a/windows/keep-secure/event-4698.md b/windows/keep-secure/event-4698.md new file mode 100644 index 0000000000..5d522281cb --- /dev/null +++ b/windows/keep-secure/event-4698.md 
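Review bot: event-4697.md has three dangling cross-references in the Service Type and Service Start Type sections: the 0x20 row ends in "(see:" with nothing after it, the 0x110 row ends in "(see: )", and the Start Type lead-in ends in "(see: :". Either restore the URLs or drop the parentheticals. In the Start Type table the value 2 appears twice (Automatic and Automatic Delayed); state that delayed start is not distinguishable from this field alone, or drop the duplicate row, and make "Most services installed are configured to **Auto Load**" use the table's own term, "Automatic". The Service File Name text calls the value "the fully rooted path", but the sample event shows it as `%windir%\\system32\\svchost.exe -k apphost`, with the environment variable unexpanded and arguments appended; the recommendation to report events where the file name "is not located in **%windir%** or Program Files" must say that both the expanded and the unexpanded forms have to be matched, otherwise svchost-hosted services are flagged or missed depending on how the comparison is written. Typo: "BrancheCache Properties illustration" should be "BranchCache".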
@@ -0,0 +1,110 @@ +--- +title: 4698(S) A scheduled task was created. (Windows 10) +description: Describes security event 4698(S) A scheduled task was created. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4698(S): A scheduled task was created. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4698 illustration + +***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) + +***Event Description:*** + +This event generates every time a new scheduled task is created. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4698 + 0 + 0 + 12804 + 0 + 0x8020000000000000 + + 344740 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x364eb + \\Microsoft\\StartListener + 2015-09-22T19:03:06.9258653 CONTOSO\\dadmin LeastPrivilege CONTOSO\\dadmin InteractiveToken IgnoreNew true true true false false true false true true false false false P3D 7 C:\\Documents\\listener.exe + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “create scheduled task” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create scheduled task” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Task Information**: + +- **Task Name** \[Type = UnicodeString\]**:** new scheduled task name. The format of this value is “\\task\_path\\task\_name”, where task\_path is a path in Microsoft **Task Scheduler** tree starting from “**Task Scheduler Library**” node: + +Task Scheduler Library illustration + +- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/en-us/library/aa286548.aspx) content of the new task. For more information about the XML format for scheduled tasks, see “[XML Task Definition Format](https://msdn.microsoft.com/en-us/library/cc248308.aspx).” + +## Security Monitoring Recommendations + +For 4698(S): A scheduled task was created. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- We recommend monitoring all scheduled task creation events, especially on critical computers or devices. Scheduled tasks are often used by malware to stay in the system after reboot or for other malicious actions. + +- Monitor for new tasks located in the **Task Scheduler Library** root node, that is, where **Task Name** looks like ‘\\TASK\_NAME’. 
Scheduled tasks that are created manually or by malware are often located in the **Task Scheduler Library** root node. + +- In the new task, if the **Task Content:** XML contains **<LogonType>Password</LogonType>** value, trigger an alert. In this case, the password for the account that will be used to run the scheduled task will be saved in Credential Manager in cleartext format, and can be extracted using Administrative privileges. + diff --git a/windows/keep-secure/event-4699.md b/windows/keep-secure/event-4699.md new file mode 100644 index 0000000000..a1c58890d6 --- /dev/null +++ b/windows/keep-secure/event-4699.md @@ -0,0 +1,110 @@ +--- +title: 4699(S) A scheduled task was deleted. (Windows 10) +description: Describes security event 4699(S) A scheduled task was deleted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4699(S): A scheduled task was deleted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4699 illustration + +***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) + +***Event Description:*** + +This event generates every time a scheduled task was deleted. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4699 + 0 + 0 + 12804 + 0 + 0x8020000000000000 + + 344827 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x364eb + \\Microsoft\\My + 2015-08-25T13:56:10.5315552 CONTOSO\\dadmin LeastPrivilege CONTOSO\\dadmin Password IgnoreNew false true false false false true false true true false false false PT0S 7 C:\\Windows\\notepad.exe + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete scheduled task” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete scheduled task” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Task Information**: + +- **Task Name** \[Type = UnicodeString\]**:** deleted scheduled task name. The format of this value is “\\task\_path\\task\_name”, where task\_path is a path in Microsoft **Task Scheduler** tree starting from “**Task Scheduler Library**” node: + +Task Scheduler Library illustration + +- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/en-us/library/aa286548.aspx) of the deleted task. Here “[XML Task Definition Format](https://msdn.microsoft.com/en-us/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks. + +## Security Monitoring Recommendations + +For 4699(S): A scheduled task was deleted. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- We recommend monitoring all scheduled task deletion events, especially on critical computers or devices. Scheduled tasks are often used by malware to stay in the system after reboot or for other malicious actions. However, this event does not often happen. 
+ +- Monitor for deleted tasks located in the **Task Scheduler Library** root node, that is, where **Task Name** looks like ‘\\TASK\_NAME’. Scheduled tasks that are created manually or by malware are often located in the **Task Scheduler Library** root node. Deletion of such tasks can be a sign of malicious activity. + +- If a highly critical scheduled task exists on some computers, and it should never be deleted, monitor for [4699](event-4699.md) events with the corresponding **Task Name**. + diff --git a/windows/keep-secure/event-4700.md b/windows/keep-secure/event-4700.md new file mode 100644 index 0000000000..fa5a54c164 --- /dev/null +++ b/windows/keep-secure/event-4700.md @@ -0,0 +1,106 @@ +--- +title: 4700(S) A scheduled task was enabled. (Windows 10) +description: Describes security event 4700(S) A scheduled task was enabled. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4700(S): A scheduled task was enabled. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4700 illustration + +***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) + +***Event Description:*** + +This event generates every time a scheduled task is enabled. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4700 + 0 + 0 + 12804 + 0 + 0x8020000000000000 + + 344861 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x364eb + \\Microsoft\\StartListener + 2015-09-22T19:03:06.9258653 CONTOSO\\dadmin LeastPrivilege CONTOSO\\dadmin InteractiveToken IgnoreNew true true true false false true false true true false false false P3D 7 C:\\Documents\\listener.exe + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “enable scheduled task” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “enable scheduled task” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Task Information**: + +- **Task Name** \[Type = UnicodeString\]**:** enabled scheduled task name. The format of this value is “\\task\_path\\task\_name”, where task\_path is a path in Microsoft **Task Scheduler** tree starting from “**Task Scheduler Library**” node: + +Task Scheduler Library illustration + +- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/en-us/library/aa286548.aspx) of the enabled task. Here “[XML Task Definition Format](https://msdn.microsoft.com/en-us/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks. + +## Security Monitoring Recommendations + +For 4700(S): A scheduled task was enabled. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If a highly critical scheduled task exists on some computers, and for some reason it should never be enabled, monitor for [4700](event-4700.md) events with the corresponding **Task Name**. + diff --git a/windows/keep-secure/event-4701.md b/windows/keep-secure/event-4701.md new file mode 100644 index 0000000000..5c1cafe14f --- /dev/null +++ b/windows/keep-secure/event-4701.md 
@@ -0,0 +1,106 @@ +--- +title: 4701(S) A scheduled task was disabled. (Windows 10) +description: Describes security event 4701(S) A scheduled task was disabled. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4701(S): A scheduled task was disabled. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4701 illustration + +***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) + +***Event Description:*** + +This event generates every time a scheduled task is disabled. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4701 + 0 + 0 + 12804 + 0 + 0x8020000000000000 + + 344860 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x364eb + \\Microsoft\\StartListener + 2015-09-22T19:03:06.9258653 CONTOSO\\dadmin LeastPrivilege CONTOSO\\dadmin InteractiveToken IgnoreNew true true true false false true false true false false false false P3D 7 C:\\Documents\\listener.exe + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “enable scheduled task” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “enable scheduled task” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Task Information**: + +- **Task Name** \[Type = UnicodeString\]**:** disabled scheduled task name. The format of this value is “\\task\_path\\task\_name”, where task\_path is a path in Microsoft **Task Scheduler** tree starting from “**Task Scheduler Library**” node: + +Task Scheduler Library illustration + +- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/en-us/library/aa286548.aspx) of the disabled task. Here “[XML Task Definition Format](https://msdn.microsoft.com/en-us/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks. + +## Security Monitoring Recommendations + +For 4701(S): A scheduled task was disabled. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If a highly critical scheduled task exists on some computers, and it should never be disabled, monitor for [4701](event-4701.md) events with the corresponding **Task Name**. + diff --git a/windows/keep-secure/event-4702.md b/windows/keep-secure/event-4702.md new file mode 100644 index 0000000000..3d0071fd39 --- /dev/null +++ b/windows/keep-secure/event-4702.md 
@@ -0,0 +1,108 @@ +--- +title: 4702(S) A scheduled task was updated. (Windows 10) +description: Describes security event 4702(S) A scheduled task was updated. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4702(S): A scheduled task was updated. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4702 illustration + +***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) + +***Event Description:*** + +This event generates every time scheduled task was updated/changed. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4702 + 0 + 0 + 12804 + 0 + 0x8020000000000000 + + 344863 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x364eb + \\Microsoft\\StartListener + 2015-09-22T19:03:06.9258653 CONTOSO\\dadmin HighestAvailable CONTOSO\\dadmin InteractiveToken IgnoreNew true true true false false true false true true false false false P3D 7 C:\\Documents\\listener.exe + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “change/update scheduled task” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change/update scheduled task” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Task Information**: + +- **Task Name** \[Type = UnicodeString\]**:** updated/changed scheduled task name. The format of this value is “\\task\_path\\task\_name”, where task\_path is a path in Microsoft **Task Scheduler** tree starting from “**Task Scheduler Library**” node: + +Task Scheduler Library illustration + +- **Task New Content** \[Type = UnicodeString\]: the new [XML](https://msdn.microsoft.com/en-us/library/aa286548.aspx) for the updated task. Here “[XML Task Definition Format](https://msdn.microsoft.com/en-us/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks. + +## Security Monitoring Recommendations + +For 4702(S): A scheduled task was updated. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Monitor for updated scheduled tasks located in the **Task Scheduler Library** root node, that is, where **Task Name** looks like ‘\\TASK\_NAME’. Scheduled tasks that are created manually or by malware are often located in the **Task Scheduler Library** root node. 
+ +- In the updated scheduled task, if the **Task Content:** XML contains **<LogonType>Password</LogonType>** value, trigger an alert. In this case, the password for the account that will be used to run the scheduled task will be saved in Credential Manager in cleartext format, and can be extracted using Administrative privileges. + diff --git a/windows/keep-secure/event-4703.md b/windows/keep-secure/event-4703.md new file mode 100644 index 0000000000..4b6ac99faa --- /dev/null +++ b/windows/keep-secure/event-4703.md @@ -0,0 +1,194 @@ +--- +title: 4703(S) A user right was adjusted. (Windows 10) +description: Describes security event 4703(S) A user right was adjusted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4703(S): A user right was adjusted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4703 illustration + +***Subcategory:*** [Audit Authorization Policy Change](audit-authorization-policy-change.md) + +***Event Description:*** + +This event generates when [token privileges](https://msdn.microsoft.com/en-us/library/windows/desktop/aa446619(v=vs.85).aspx) were enabled or disabled for a specific account’s token. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +Token privileges provide the ability to take certain system-level actions that you only need to do at particular moments. For example, anybody can restart a computer, but the operating system doesn’t enable that privilege by default. Instead, the privilege is enabled when you click **Shutdown**. You can check the current state of the user’s token privileges using the **whoami /priv** command: + +Whoami privilege list illustration + +
+ +***Event XML:*** +``` +- +- + + 4703 + 0 + 0 + 13570 + 0 + 0x8020000000000000 + + 5245 + + + Security + WIN-GG82ULGC9GO.contoso.local + + +- + S-1-5-18 + WIN-GG82ULGC9GO$ + CONTOSO + 0x3e7 + S-1-5-18 + WIN-GG82ULGC9GO$ + CONTOSO + 0x3e7 + C:\\Windows\\System32\\svchost.exe + 0x270 + SeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege + - + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2016, Windows 10. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “enable” or “disable” operation for **Target Account** privileges. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). 
+ +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “enable” or “disable” operation for **Target Account** privileges. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Target Account:** + +- **Security ID** \[Type = SID\]**:** SID of account for which privileges were enabled or disabled. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. 
For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which privileges were enabled or disabled. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Process Information:** + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that enabled or disabled token privileges. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + + + +- **Enabled Privileges** \[Type = UnicodeString\]**:** the list of enabled user rights. 
This event generates only for *user* rights, not logon rights. Here is the list of possible user rights: + +| Privilege Name | User Right Group Policy Name | Description | +|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | +| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | +| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | + +**Disabled Privileges** \[Type = UnicodeString\]**:** the list of disabled user rights. See possible values in the table above. + +## Security Monitoring Recommendations + +For 4703(S): A user right was adjusted. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Security ID**” that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. Also check the “**Target Account\\Security ID**” and **“Enabled Privileges”** to see what was enabled. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). 
| Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.
Also check **“Target Account\\Security ID”** to see whether the change in privileges should be made on that computer for that account. | +| **User rights that should be restricted or monitored**: You might have a list of user rights that you want to restrict or monitor. | Monitor this event and compare the **“Enabled Privileges”** to your list of user rights. Trigger an alert for user rights that should not be enabled, especially on high-value servers or other computers.
For example, you might have **SeDebugPrivilege** on a list of user rights to be restricted. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4704.md b/windows/keep-secure/event-4704.md new file mode 100644 index 0000000000..ee98fd4712 --- /dev/null +++ b/windows/keep-secure/event-4704.md @@ -0,0 +1,156 @@ +--- +title: 4704(S) A user right was assigned. (Windows 10) +description: Describes security event 4704(S) A user right was assigned. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4704(S): A user right was assigned. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4704 illustration + +***Subcategory:*** [Audit Authorization Policy Change](audit-authorization-policy-change.md) + +***Event Description:*** + +This event generates every time local user right policy is changed and user right was assigned to an account. + +You will see unique event for every user. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
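Review bot: in the 4703 monitoring table, the "User rights that should be restricted or monitored" row compares only `Enabled Privileges` against the restricted list, but the event also carries `Disabled Privileges` (documented just above the table), and a removal deserves the same alert as a grant: stripping SeSecurityPrivilege or SeAuditPrivilege from the accounts that are supposed to hold them changes who can write to, configure auditing for, and clear the security log. Suggest the recommendation read: compare both `Enabled Privileges` and `Disabled Privileges` to your list, and alert on an unexpected entry in either.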
+ +***Event XML:*** +``` +- +- + + 4704 + 0 + 0 + 13570 + 0 + 0x8020000000000000 + + 1049866 + + + Security + DC01.contoso.local + + +- + S-1-5-18 + DC01$ + CONTOSO + 0x3e7 + S-1-5-21-3457937927-2839227994-823803824-1104 + SeAuditPrivilege SeIncreaseWorkingSetPrivilege + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that made a change to local user right policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to local user right policy. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Target Account:** + +- **Account Name** \[Type = SID\]: the SID of security principal for which user rights were assigned. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +**New Right: ** + +- **User Right** \[Type = UnicodeString\]: the list of assigned user rights. This event generates only for *user* rights, not logon rights. 
Here is the list of possible user rights: + +| Privilege Name | User Right Group Policy Name | Description | +|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | +| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | +| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | + + +## Security Monitoring Recommendations + +For 4704(S): A user right was assigned. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Actions typically performed by the SYSTEM account**: This event and certain other events should be monitored to see if they are triggered by any account other than SYSTEM. | Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\ Account Name**” that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. Also check the “**Target Account\\Account Name**” and **“New Right”** to see what was enabled. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). 
| Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.
Also check **“Target Account\\ Account Name”** to see whether the change in rights should be made on that computer for that account. | +| **User rights that should be restricted or monitored**: You might have a list of user rights that you want to restrict or monitor. | Monitor this event and compare the “**New Right\\User Right**” to your list of user rights, to see whether the right should be assigned to **“Target Account\\Account Name**.” Trigger an alert for user rights that should not be enabled, especially on high-value servers or other computers.
For example, your list of restricted rights might say that only administrative accounts should have **SeAuditPrivilege**. As another example, your list might say that no accounts should have **SeTcbPrivilege** or **SeDebugPrivilege**. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4705.md b/windows/keep-secure/event-4705.md new file mode 100644 index 0000000000..7a5f1008fc --- /dev/null +++ b/windows/keep-secure/event-4705.md @@ -0,0 +1,155 @@ +--- +title: 4705(S) A user right was removed. (Windows 10) +description: Describes security event 4705(S) A user right was removed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4705(S): A user right was removed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4705 illustration + +***Subcategory:*** [Audit Authorization Policy Change](audit-authorization-policy-change.md) + +***Event Description:*** + +This event generates every time local user right policy is changed and user right was removed from an account. + +You will see unique event for every user. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
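Review bot: in event-4704.md, `**New Right: **` has a space before the closing `**`, so markdown renders literal asterisks instead of a bold label; the same slip is in `**Removed Right: **` in event-4705.md below. Two more markup problems are copied into both files: the SeBackupPrivilege cell opens with a stray list marker (`- Required to perform backup operations.`) that no other cell has, and `**Trusted for Deleg**ation` bolds only part of the word. The 4704 recommendations table also writes `Target Account\\ Account Name` with a space after the backslash in two rows while the other two rows write `Target Account\\Account Name`; pick one form. Minor: "You will see unique event for every user." should read "a unique event" in both files.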
+ +***Event XML:*** +``` +- +- + + 4705 + 0 + 0 + 13570 + 0 + 0x8020000000000000 + + 1049867 + + + Security + DC01.contoso.local + + +- + S-1-5-18 + DC01$ + CONTOSO + 0x3e7 + S-1-5-21-3457937927-2839227994-823803824-1104 + SeTimeZonePrivilege + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that made a change to local user right policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to local user right policy. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Target Account:** + +- **Account Name** \[Type = SID\]: the SID of security principal for which user rights were removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +**Removed Right: ** + +- **User Right** \[Type = UnicodeString\]: the list of removed user rights. This event generates only for *user* rights, not logon rights. 
Here is the list of possible user rights: + +| Privilege Name | User Right Group Policy Name | Description | +|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | +| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | +| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | + +## Security Monitoring Recommendations + +For 4705(S): A user right was removed. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Actions typically performed by the SYSTEM account**: This event and certain other events should be monitored to see if they are triggered by any account other than SYSTEM. | Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Account Name**” that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist.
If you have specific user rights policies, for example, a whitelist of accounts that can perform certain actions, monitor this event to confirm that it was appropriate that the “**Removed Right**” was removed from “**Target** **Account\\Account Name**.” | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Target Account\\Account Name”** to see whether the account type is as expected.
For example, if some accounts have critical user rights which should never be removed, monitor this event for the **“Target** **Account\\Account Name”** and the appropriate rights.
As another example, if non-administrative accounts should never be granted certain user rights (for example, **SeAuditPrivilege**), you might monitor this event, because a right can be removed only after it was previously granted. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Target Account\\Account Name**” to see whether user rights should be removed from that account (or whether that account should have any rights on that computer).
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Removed Right**” should be removed from “**Target** **Account\\Account Name**” in each case. | +| **User rights that should be restricted**: You might have a list of user rights that you want to monitor. | Monitor this event and compare the **“Removed Right”** to your list of restricted rights.
Monitor this event to discover the removal of a right that should never have been granted (for example, SeTcbPrivilege), so that you can investigate further. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4706.md b/windows/keep-secure/event-4706.md new file mode 100644 index 0000000000..c6eba5f6a8 --- /dev/null +++ b/windows/keep-secure/event-4706.md @@ -0,0 +1,149 @@ +--- +title: 4706(S) A new trust was created to a domain. (Windows 10) +description: Describes security event 4706(S) A new trust was created to a domain. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4706(S): A new trust was created to a domain. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4706 illustration + +***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md) + +***Event Description:*** + +This event generates when a new trust was created to a domain. + +This event is generated only on domain controllers. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
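Review bot: In event-4705.md, the SeRestorePrivilege row mixes subjects in "With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object"; split it into two sentences ("... files and directories. It also determines which users can set ...") and fix "objects permissions" to "object permissions". Also confirm that the line breaks inside table cells, for example the WRITE_DAC through DELETE access-rights list in that same row and the two-line SeSecurityPrivilege and SeSystemtimePrivilege cells, are written as `<br>` tags in the source, since a raw newline inside a pipe-table cell terminates the row.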
+ +***Event XML:*** +``` +- +- + + 4706 + 0 + 0 + 13569 + 0 + 0x8020000000000000 + + 1049759 + + + Security + DC01.contoso.local + + +- + corp.contoso.local + S-1-5-21-2226861337-2836268956-2433141405 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x3e99d6 + 2 + 3 + 32 + %%1796 + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “create domain trust” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create domain trust” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Trusted Domain:** + +- **Domain Name** \[Type = UnicodeString\]**:** the name of new trusted domain. + +- **Domain ID** \[Type = SID\]**:** SID of new trusted domain. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +**Trust Information:** + +- **Trust Type** \[Type = UInt32\]**:** the type of new trust. The following table contains possible values for this field: + +| Value | Attribute Value | Description | +|-------|------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 1 | TRUST\_TYPE\_DOWNLEVEL | The domain controller of the trusted domain is a computer running an operating system earlier than Windows 2000. 
| +| 2 | TRUST\_TYPE\_UPLEVEL | The domain controller of the trusted domain is a computer running Windows 2000 or later. | +| 3 | TRUST\_TYPE\_MIT | The trusted domain is running a non-Windows, RFC4120-compliant Kerberos distribution. This type of trust is distinguished in that (1) a [SID](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) is not required for the [TDO](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_f2ceef4e-999b-4276-84cd-2e2829de5fc4), and (2) the default key types include the DES-CBC and DES-CRC encryption types (see [\[RFC4120\]](http://go.microsoft.com/fwlink/?LinkId=90458) section 8.1). | +| 4 | TRUST\_TYPE\_DCE | The trusted domain is a DCE realm. Historical reference, this value is not used in Windows. | + +- **Trust Direction** \[Type = UInt32\]**:** the direction of new trust. The following table contains possible values for this field: + +| Value | Attribute Value | Description | +|-------|---------------------------------|-------------------------------------------------------------------------------------------------------------| +| 0 | TRUST\_DIRECTION\_DISABLED | The trust relationship exists, but it has been disabled. | +| 1 | TRUST\_DIRECTION\_INBOUND | The trusted domain trusts the primary domain to perform operations such as name lookups and authentication. | +| 2 | TRUST\_DIRECTION\_OUTBOUND | The primary domain trusts the trusted domain to perform operations such as name lookups and authentication. | +| 3 | TRUST\_DIRECTION\_BIDIRECTIONAL | Both domains trust one another for operations such as name lookups and authentication. | + +- **Trust Attributes** \[Type = UInt32\]**:** the decimal value of attributes for new trust. You need convert decimal value to hexadecimal and find it in the table below. 
The following table contains possible values for this field: + +| Value | Attribute Value | Description | +|-------|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x1 | TRUST\_ATTRIBUTE\_NON\_TRANSITIVE | If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A<-->B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A<-->B<-->C trust linkage. | +| 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. 
| +| 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section [4.1.2.2](https://msdn.microsoft.com/en-us/library/cc237940.aspx). | +| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 Technical Preview operating system.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | +| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/en-us/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](http://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](http://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/en-us/library/cc223782.aspx).
Only evaluated on TRUST\_TYPE\_MIT | +| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | +| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Evaluated only on Windows Server 2016 Technical Preview
Evaluated only if SID Filtering is used.
Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | + +- **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/en-us/library/cc772633(v=ws.10).aspx) state for the new trust: + + - Enabled + + - Disabled + +## Security Monitoring Recommendations + +For 4706(S): A new trust was created to a domain. + +- Any changes related to Active Directory domain trusts (especially creation of the new trust) must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4707.md b/windows/keep-secure/event-4707.md new file mode 100644 index 0000000000..9a77188b80 --- /dev/null +++ b/windows/keep-secure/event-4707.md @@ -0,0 +1,104 @@ +--- +title: 4707(S) A trust to a domain was removed. (Windows 10) +description: Describes security event 4707(S) A trust to a domain was removed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4707(S): A trust to a domain was removed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4707 illustration + +***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md) + +***Event Description:*** + +This event generates when a domain trust was removed. + +This event is generated only on domain controllers. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
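Review bot: In event-4706.md, the Trust Attributes description ("You need convert decimal value to hexadecimal and find it in the table below") should say that the field is a bitmask in which several of the listed flags can be set at once, so the reader decomposes the hexadecimal value into its set bits rather than looking up a single row; the sample event's own values make a good worked example (TdoType 2 = TRUST_TYPE_UPLEVEL, TdoDirection 3 = TRUST_DIRECTION_BIDIRECTIONAL, TdoAttributes 32 = 0x20 = TRUST_ATTRIBUTE_WITHIN_FOREST). The 0x400 row refers to "the TATE bit" without expansion; write it as TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL (0x40) so it matches the row above, and the 0x4 row's "Historical reference, this value is not used in Windows" is a comma splice. Since the SID Filtering field and the QUARANTINED_DOMAIN and TREAT_AS_EXTERNAL attributes are documented here, the Security Monitoring Recommendations could also tell the reader that a new trust reported with SID Filtering Disabled, or a forest-transitive trust without TRUST_ATTRIBUTE_QUARANTINED_DOMAIN, deserves a higher-priority review than the generic "alert on any new trust" bullet.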
+ +***Event XML:*** +``` +- +- + + 4707 + 0 + 0 + 13569 + 0 + 0x8020000000000000 + + 1049754 + + + Security + DC01.contoso.local + + +- + FABRIKAM + S-1-5-21-2226861337-2836268956-2433141405 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x3e99d6 + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “remove domain trust” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “remove domain trust” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Domain Information:** + +- **Domain Name** \[Type = UnicodeString\]**:** the name of removed trusted domain. + +- **Domain ID** \[Type = SID\]**:** SID of removed trusted domain. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +## Security Monitoring Recommendations + +For 4707(S): A trust to a domain was removed. + +- Any changes related to Active Directory domain trusts (especially trust removal) must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4713.md b/windows/keep-secure/event-4713.md new file mode 100644 index 0000000000..f87013f4a6 --- /dev/null +++ b/windows/keep-secure/event-4713.md 
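Review bot: In event-4707.md, the "Domain ID" description says Event Viewer will "show the account name" for the resolved SID, but this field carries a domain SID, so say "domain name" (the same wording appears in the 4706 file). The Domain Name sample here is the NetBIOS form (FABRIKAM) while the 4706 sample uses the DNS form (corp.contoso.local); the field description "the name of removed trusted domain" should state that either form can appear, so that detection rules match on both. The recommendation bullet could also suggest correlating Domain ID with the earlier 4706 event that created the trust, since the SID is the stable key across creation and removal.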
@@ -0,0 +1,111 @@ +--- +title: 4713(S) Kerberos policy was changed. (Windows 10) +description: Describes security event 4713(S) Kerberos policy was changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4713(S): Kerberos policy was changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4713 illustration + +***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md) + +***Event Description:*** + +This event generates when [Kerberos policy](https://technet.microsoft.com/en-us/library/cc782061(v=ws.10).aspx) was changed. + +This event is generated only on domain controllers. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4713 + 0 + 0 + 13569 + 0 + 0x8020000000000000 + + 1049772 + + + Security + DC01.contoso.local + + +- + S-1-5-18 + DC01$ + CONTOSO + 0x3e7 + KerMaxT: 0x10c388d000 (0x861c46800); KerMaxR: 0x19254d38000 (0xc92a69c000); + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that made a change to Kerberos policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to Kerberos policy. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Changes Made** \[Type = UnicodeString\]**:** '--' means no changes, otherwise each change is shown as: Parameter\_Name: new\_value (old\_value). Here is a list of possible parameter names: + +| Parameter Name | Description | +|----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| KerProxy | 1. Maximum tolerance for computer clock synchronization.
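Review bot: In event-4713.md, the KerMaxR row says "To convert the **KerProxy** to days you need to:" where it must read KerMaxR (copied from the row above). The conversion steps would be clearer if worked through on the sample's own "Changes Made" string: KerMaxT 0x10c388d000 (0x861c46800) is 72000000000 (36000000000) in decimal, so the maximum user ticket lifetime went from 10 to 20 hours, and KerMaxR 0x19254d38000 (0xc92a69c000) is 1728000000000 (864000000000), so the renewal lifetime went from 1 to 2 days, which is exactly the kind of loosening the monitoring recommendation asks the reader to catch. The KerOpts row mixes an en dash ("0x80 – Enabled") and a hyphen ("0x0 - Disabled"); use one consistently.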
To convert the **KerProxy** to minutes you need to:
Convert the value to decimal value.
Divide value by 600000000. | +| KerMaxR | 1. Maximum lifetime for user ticket renewal.
To convert the **KerProxy** to days you need to:
Convert the value to decimal value.
Divide value by 864000000000. | +| KerMaxT | 1. Maximum lifetime for user ticket.
To convert the **KerMaxT** to hours you need to:
Convert the value to decimal value.
Divide value by 36000000000. | +| KerMinT | 1. Maximum lifetime for service ticket.
To convert the **KerMinT** to minutes you need to:
Convert the value to decimal value.
Divide value by 600000000. | +| KerOpts | - Enforce user logon restrictions:
0x80 – Enabled
0x0 - Disabled | + +This event shows changes in “Kerberos policy”. Here is location of Kerberos policies in Group Policy management console: + +Group policy editor illustration + +## Security Monitoring Recommendations + +For 4713(S): Kerberos policy was changed. + +- Any changes in Kerberos policy reported by current event must be monitored and an alert should be triggered. If this change was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4714.md b/windows/keep-secure/event-4714.md new file mode 100644 index 0000000000..0531957676 --- /dev/null +++ b/windows/keep-secure/event-4714.md @@ -0,0 +1,73 @@ +--- +title: 4714(S) Encrypted data recovery policy was changed. (Windows 10) +description: Describes security event 4714(S) Encrypted data recovery policy was changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4714(S): Encrypted data recovery policy was changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4714 illustration + +***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) + +***Event Description:*** + +This event generates when a Data Recovery Agent group policy for Encrypting File System ([EFS](https://technet.microsoft.com/en-us/library/cc700811.aspx)) has changed. + +This event generates when a Data Recovery Agent certificate or [Data Recovery Agent policy](https://technet.microsoft.com/en-us/library/cc778208(v=ws.10).aspx) was changed for the computer or device. + +In the background, this event generates when the [\\HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\EFS\\EfsBlob](https://msdn.microsoft.com/en-us/library/cc232284.aspx) registry value is changed during a Group Policy update. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4714 + 0 + 0 + 13573 + 0 + 0x8020000000000000 + + 1080883 + + + Security + DC01.contoso.local + + +- + 13 + SubjectUserSid + + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +For 4714(S): Encrypted data recovery policy was changed. + +- We recommend monitoring this event and if the change was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4715.md b/windows/keep-secure/event-4715.md new file mode 100644 index 0000000000..d0e5dd0ef3 --- /dev/null +++ b/windows/keep-secure/event-4715.md @@ -0,0 +1,216 @@ +--- +title: 4715(S) The audit policy (SACL) on an object was changed. (Windows 10) +description: Describes security event 4715(S) The audit policy (SACL) on an object was changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4715(S): The audit policy (SACL) on an object was changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4715 illustration + +***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md) + +***Event Description:*** + +This event generates every time local audit policy security descriptor changes. + +This event is always logged regardless of the "Audit Policy Change" sub-category setting. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4715 + 0 + 0 + 13568 + 0 + 0x8020000000000000 + + 1049425 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x11ae30 + D:(A;;DCSWRPDTRC;;;BA)(D;;DCSWRPDTRC;;;SY)S:NO\_ACCESS\_CONTROL + D:(A;;DCSWRPDTRC;;;BA)(A;;DCSWRPDTRC;;;SY)S:NO\_ACCESS\_CONTROL + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “change local audit policy security descriptor (SACL)” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change local audit policy security descriptor (SACL)” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Audit Policy Change:** + +- **Original Security Descriptor** \[Type = UnicodeString\]**:** the old Security Descriptor Definition Language (SDDL) value for the audit policy. + +- **New Security Descriptor** \[Type = UnicodeString\]**:** new Security Descriptor Definition Language (SDDL) value for the audit policy. + +> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. + +> Example: + +> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) + +> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. 
+> See the list of possible values in the table below: + +| Value | Description | Value | Description | +|-------|--------------------------------------|-------|---------------------------------| +| "AO" | Account operators | "PA" | Group Policy administrators | +| "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user | +| "AN" | Anonymous logon | "LA" | Local administrator | +| "AU" | Authenticated users | "LG" | Local guest | +| "BA" | Built-in administrators | "LS" | Local service account | +| "BG" | Built-in guests | "SY" | Local system | +| "BO" | Backup operators | "NU" | Network logon user | +| "BU" | Built-in users | "NO" | Network configuration operators | +| "CA" | Certificate server administrators | "NS" | Network service account | +| "CG" | Creator group | "PO" | Printer operators | +| "CO" | Creator owner | "PS" | Personal self | +| "DA" | Domain administrators | "PU" | Power users | +| "DC" | Domain computers | "RS" | RAS servers group | +| "DD" | Domain controllers | "RD" | Terminal server users | +| "DG" | Domain guests | "RE" | Replicator | +| "DU" | Domain users | "RC" | Restricted code | +| "EA" | Enterprise administrators | "SA" | Schema administrators | +| "ED" | Enterprise domain controllers | "SO" | Server operators | +| "WD" | Everyone | "SU" | Service logon user | + +- *G*: = Primary Group. +- *D*: = DACL Entries. +- *S*: = SACL Entries. + +*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid) + +Example: D:(A;;FA;;;WD) + +- entry\_type: + +“D” - DACL + +“S” - SACL + +- inheritance\_flags: + +"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked. + +"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set. + +"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object. 
+ +- ace\_type: + +"A" - ACCESS ALLOWED + +"D" - ACCESS DENIED + +"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s). + +"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s). + +"AU" - SYSTEM AUDIT + +"A" - SYSTEM ALARM + +"OU" - OBJECT SYSTEM AUDIT + +"OL" - OBJECT SYSTEM ALARM + +- ace\_flags: + +"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE. + +"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE. + +"NP" - NO PROPAGATE: only immediate children inherit this ace. + +"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance. + +"ID" - ACE IS INHERITED + +"SA" - SUCCESSFUL ACCESS AUDIT + +"FA" - FAILED ACCESS AUDIT +- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. + +| Value | Description | Value | Description | +|----------------------------|---------------------------------|----------------------|--------------------------| +| Generic access rights | Directory service access rights | +| "GA" | GENERIC ALL | "RC" | Read Permissions | +| "GR" | GENERIC READ | "SD" | Delete | +| "GW" | GENERIC WRITE | "WD" | Modify Permissions | +| "GX" | GENERIC EXECUTE | "WO" | Modify Owner | +| File access rights | "RP" | Read All Properties | +| "FA" | FILE ALL ACCESS | "WP" | Write All Properties | +| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects | +| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects | +| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents | +| Registry key access rights | "SW" | All Validated Writes | +| "KA" | "LO" | "LO" | List Object | +| "K" | KEY READ | "DT" | Delete Subtree | +| "KW" | KEY WRITE | "CR" | All Extended Rights | +| "KX" | KEY EXECUTE | | | + +- object\_guid: N/A +- inherit\_object\_guid: N/A +- account\_sid: SID of specific 
security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. + +For more information about SDDL syntax, see these articles: , . + +## Security Monitoring Recommendations + +For 4715(S): The audit policy (SACL) on an object was changed. + +- Monitor for all events of this type, especially on high value assets or computers, because any change of the local audit policy security descriptor should be planned. If this action was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4716.md b/windows/keep-secure/event-4716.md new file mode 100644 index 0000000000..373d14519b --- /dev/null +++ b/windows/keep-secure/event-4716.md @@ -0,0 +1,151 @@ +--- +title: 4716(S) Trusted domain information was modified. (Windows 10) +description: Describes security event 4716(S) Trusted domain information was modified. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4716(S): Trusted domain information was modified. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4716 illustration + +***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md) + +***Event Description:*** + +This event generates when the trust was modified. + +This event is generated only on domain controllers. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4716 + 0 + 0 + 13569 + 0 + 0x8020000000000000 + + 1049763 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x138eb0 + - + S-1-5-21-2226861337-2836268956-2433141405 + 2 + 3 + 32 + - + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify domain trust settings” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify domain trust settings” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Trusted Domain:** + +- **Domain Name** \[Type = UnicodeString\]**:** the name of changed trusted domain. If this attribute was not changed, then it will have “**-**“ value. + +- **Domain ID** \[Type = SID\]**:** SID of changed trusted domain. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +**New Trust Information:** + +- **Trust Type** \[Type = UInt32\]**:** the type of new trust. If this attribute was not changed, then it will have “**-**“ value or its old value. 
The following table contains possible values for this field: + +| Value | Attribute Value | Description | +|-------|------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 1 | TRUST\_TYPE\_DOWNLEVEL | The domain controller of the trusted domain is a computer running an operating system earlier than Windows 2000. | +| 2 | TRUST\_TYPE\_UPLEVEL | The domain controller of the trusted domain is a computer running Windows 2000 or later. | +| 3 | TRUST\_TYPE\_MIT | The trusted domain is running a non-Windows, RFC4120-compliant Kerberos distribution. This type of trust is distinguished in that (1) a [SID](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) is not required for the [TDO](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_f2ceef4e-999b-4276-84cd-2e2829de5fc4), and (2) the default key types include the DES-CBC and DES-CRC encryption types (see [\[RFC4120\]](http://go.microsoft.com/fwlink/?LinkId=90458) section 8.1). | +| 4 | TRUST\_TYPE\_DCE | The trusted domain is a DCE realm. Historical reference, this value is not used in Windows. | + +- **Trust Direction** \[Type = UInt32\]**:** the direction of new trust. If this attribute was not changed, then it will have “**-**“ value or its old value. 
The following table contains possible values for this field: + +| Value | Attribute Value | Description | +|-------|---------------------------------|-------------------------------------------------------------------------------------------------------------| +| 0 | TRUST\_DIRECTION\_DISABLED | The trust relationship exists, but it has been disabled. | +| 1 | TRUST\_DIRECTION\_INBOUND | The trusted domain trusts the primary domain to perform operations such as name lookups and authentication. | +| 2 | TRUST\_DIRECTION\_OUTBOUND | The primary domain trusts the trusted domain to perform operations such as name lookups and authentication. | +| 3 | TRUST\_DIRECTION\_BIDIRECTIONAL | Both domains trust one another for operations such as name lookups and authentication. | + +- **Trust Attributes** \[Type = UInt32\]**:** the decimal value of attributes for new trust. You need convert decimal value to hexadecimal and find it in the table below. If this attribute was not changed, then it will have “**-**“ value or its old value. 
The following table contains possible values for this field: + +| Value | Attribute Value | Description | +|-------|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x1 | TRUST\_ATTRIBUTE\_NON\_TRANSITIVE | If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A<-->B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A<-->B<-->C trust linkage. | +| 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. 
| +| 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section [4.1.2.2](https://msdn.microsoft.com/en-us/library/cc237940.aspx). | +| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 Technical Preview operating system.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | +| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/en-us/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](http://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](http://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/en-us/library/cc223782.aspx).
Only evaluated on TRUST\_TYPE\_MIT | +| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | +| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Evaluated only on Windows Server 2016 Technical Preview
Evaluated only if SID Filtering is used.
Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | + +- **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/en-us/library/cc772633(v=ws.10).aspx) state for the new trust: + + - Enabled + + - Disabled + + If this attribute was not changed, then it will have “**-**“ value or its old value. + +## Security Monitoring Recommendations + +For 4716(S): Trusted domain information was modified. + +- Any changes in Active Directory domain trust settings must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4717.md b/windows/keep-secure/event-4717.md new file mode 100644 index 0000000000..dbe74fada2 --- /dev/null +++ b/windows/keep-secure/event-4717.md @@ -0,0 +1,130 @@ +--- +title: 4717(S) System security access was granted to an account. (Windows 10) +description: Describes security event 4717(S) System security access was granted to an account. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4717(S): System security access was granted to an account. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4717 illustration + +***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md) + +***Event Description:*** + +This event generates every time local [logon user right policy](https://technet.microsoft.com/en-us/library/cc728212(v=ws.10).aspx) is changed and logon right was granted to an account. + +You will see unique event for every user if logon user rights were granted to multiple accounts. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4717 + 0 + 0 + 13569 + 0 + 0x8020000000000000 + + 1049777 + + + Security + DC01.contoso.local + + +- + S-1-5-18 + DC01$ + CONTOSO + 0x3e7 + S-1-5-21-3457937927-2839227994-823803824-2104 + SeInteractiveLogonRight + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that made a change to local logon right user policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to local logon right user policy. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Account Modified:** + +- **Account Name** \[Type = SID\]: the SID of the security principal for which logon right was granted. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +**Access Granted: ** + +- **Access Right** \[Type = UnicodeString\]: the name of granted logon right. 
This event generates only for [logon rights](https://technet.microsoft.com/en-us/library/cc728212(v=ws.10).aspx), which are as follows: + +| Value | Group Policy Name | +|-----------------------------------|-----------------------------------------------| +| SeNetworkLogonRight | Access this computer from the network | +| SeRemoteInteractiveLogonRight | Allow logon through Terminal Services | +| SeDenyNetworkLogonRight | Deny access to this computer from the network | +| SeDenyBatchLogonRight | Deny logon as a batch job | +| SeDenyServiceLogonRight | Deny logon as a service | +| SeDenyInteractiveLogonRight | Deny logon locally | +| SeDenyRemoteInteractiveLogonRight | Deny logon through Terminal Services | +| SeBatchLogonRight | Log on as a batch job | +| SeServiceLogonRight | Log on as a service | +| SeInteractiveLogonRight | Log on locally | + +## Security Monitoring Recommendations + +For 4717(S): System security access was granted to an account. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Actions typically performed by the SYSTEM account**: This event and certain other events should be monitored to see if they are triggered by any account other than SYSTEM. 
| Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist.
If you have specific user logon rights policies, for example, a whitelist of accounts that can log on to certain computers, monitor this event to confirm that any “**Access Right**” was granted only to the appropriate “**Account Modified\\Account Name**.” | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.
For example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), monitor this event for those accounts and rights. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be granted to that account.
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be granted to “**Account Modified\\Account Name**” in each case. | +| **Logon rights that should be restricted**: You might have a list of user logon rights that you want to monitor (for example, **SeServiceLogonRight**). | Monitor this event and compare the **“Access Right”** to your list of restricted rights. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4718.md b/windows/keep-secure/event-4718.md new file mode 100644 index 0000000000..44f5fc4624 --- /dev/null +++ b/windows/keep-secure/event-4718.md @@ -0,0 +1,130 @@ +--- +title: 4718(S) System security access was removed from an account. (Windows 10) +description: Describes security event 4718(S) System security access was removed from an account. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4718(S): System security access was removed from an account. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4718 illustration + +***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md) + +***Event Description:*** + +This event generates every time local [logon user right policy](https://technet.microsoft.com/en-us/library/cc728212(v=ws.10).aspx) is changed and logon right was removed from an account. + +You will see unique event for every user if logon user rights were removed for multiple accounts. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4718 + 0 + 0 + 13569 + 0 + 0x8020000000000000 + + 1049773 + + + Security + DC01.contoso.local + + +- + S-1-5-18 + DC01$ + CONTOSO + 0x3e7 + S-1-5-21-3457937927-2839227994-823803824-2104 + SeInteractiveLogonRight + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that made a change to local logon right user policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to local logon right user policy. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Account Modified:** + +- **Account Name** \[Type = SID\]: the SID of the security principal for which logon right was removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +**Access Removed: ** + +- **Access Right** \[Type = UnicodeString\]: the name of removed logon right. 
This event generates only for [logon rights](https://technet.microsoft.com/en-us/library/cc728212(v=ws.10).aspx), which are as follows: + +| Value | Group Policy Name | +|-----------------------------------|-----------------------------------------------| +| SeNetworkLogonRight | Access this computer from the network | +| SeRemoteInteractiveLogonRight | Allow logon through Terminal Services | +| SeDenyNetworkLogonRight | Deny access to this computer from the network | +| SeDenyBatchLogonRight | Deny logon as a batch job | +| SeDenyServiceLogonRight | Deny logon as a service | +| SeDenyInteractiveLogonRight | Deny logon locally | +| SeDenyRemoteInteractiveLogonRight | Deny logon through Terminal Services | +| SeBatchLogonRight | Log on as a batch job | +| SeServiceLogonRight | Log on as a service | +| SeInteractiveLogonRight | Log on locally | + +## Security Monitoring Recommendations + +For 4718(S): System security access was removed from an account. + +| **Type of monitoring required** | **Recommendation** | 
+|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Actions typically performed by the SYSTEM account**: This event and certain other events should be monitored to see if they are triggered by any account other than SYSTEM. | Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist.
If you have specific user logon rights policies, for example, a whitelist of accounts that can log on to certain computers, monitor this event to confirm that it was appropriate that the “**Access Right**” was removed from “**Account Modified\\Account Name**.” | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.
For example, if critical remote network service accounts have user logon rights which should never be removed (for example, **SeNetworkLogonRight**), monitor this event for the **“Account Modified\\Account Name”** and the appropriate rights.
As another example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), you might monitor this event, because a right can be removed only after it was previously granted. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be removed from that account.
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be removed from “**Account Modified\\Account Name**” in each case. | +| **Logon rights that should be restricted**: You might have a list of user logon rights that you want to monitor (for example, **SeServiceLogonRight**).
**“Deny” rights that should not be removed**: Your organization might use “Deny” rights that should not be removed, for example, SeDenyRemoteInteractiveLogonRight. | - Monitor this event and compare the **“Access Right”** to your list of restricted rights.
Monitor this event to discover the removal of a right that should never have been granted, so that you can investigate further.
You can also monitor this event to discover the removal of “Deny” rights. When these rights are removed, it could be an approved action, done by mistake, or part of malicious activity. These rights include:
SeDenyNetworkLogonRight:
SeDenyBatchLogonRight
SeDenyServiceLogonRight
SeDenyInteractiveLogonRight
SeDenyRemoteInteractiveLogonRight | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4719.md b/windows/keep-secure/event-4719.md new file mode 100644 index 0000000000..7a274992c8 --- /dev/null +++ b/windows/keep-secure/event-4719.md @@ -0,0 +1,163 @@ +--- +title: 4719(S) System audit policy was changed. (Windows 10) +description: Describes security event 4719(S) System audit policy was changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4719(S): System audit policy was changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4719 illustration + +***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md) + +***Event Description:*** + +This event generates when the computer's audit policy changes. + +This event is always logged regardless of the "Audit Policy Change" sub-category setting. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4719 + 0 + 0 + 13568 + 0 + 0x8020000000000000 + + 1049418 + + + Security + DC01.contoso.local + + +- + S-1-5-18 + DC01$ + CONTOSO + 0x3e7 + %%8274 + %%12807 + {0CCE9223-69AE-11D9-BED3-505054503030} + %%8448, %%8450 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that made a change to local audit policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to local audit policy. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Audit Policy Change:** + +- **Category:** the name of auditing Category which subcategory was changed. Possible values: + + - Account Logon + + - Account Management + + - Detailed Tracking + + - DS Access + + - Logon/Logoff + + - Object Access + + - Policy Change + + - Privilege Use + + - System + +- **Subcategory:** the name of auditing Subcategory which was changed. 
Possible values: + +| Credential Validation | Process Termination | Network Policy Server | +|------------------------------------|----------------------------------------|--------------------------------| +| Kerberos Authentication Service | RPC Events | Other Logon/Logoff Events | +| Kerberos Service Ticket Operations | Detailed Directory Service Replication | Special Logon | +| Other Logon/Logoff Events | Directory Service Access | Application Generated | +| Application Group Management | Directory Service Changes | Certification Services | +| Computer Account Management | Directory Service Replication | Detailed File Share | +| Distribution Group Management | Account Lockout | File Share | +| Other Account Management Events | IPsec Extended Mode | File System | +| Security Group Management | IPsec Main Mode | Filtering Platform Connection | +| User Account Management | IPsec Quick Mode | Filtering Platform Packet Drop | +| DPAPI Activity | Logoff | Handle Manipulation | +| Process Creation | Logon | Kernel Object | +| Other Object Access Events | Filtering Platform Policy Change | IPsec Driver | +| Registry | MPSSVC Rule-Level Policy Change | Other System Events | +| SAM | Other Policy Change Events | Security State Change | +| Policy Change | Non-Sensitive Privilege Use | Security System Extension | +| Authentication Policy Change | Sensitive Privilege Use | System Integrity | +| Authorization Policy Change | Other Privilege Use Events | Plug and Play Events | +| Group Membership | | | + +- **Subcategory GUID:** the unique subcategory GUID. To see Subcategory GUIDs you can use this command: **auditpol /list /subcategory:\* /v**. + +Auditpol list GUIDs illustration + +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +- **Changes:** changes which were made for **“Subcategory”**. 
Possible values: + + - Success removed + + - Failure removed + + - Success added + + - Failure added + + It can be also a combination of any of the items above, separated by coma. + +## Security Monitoring Recommendations + +For 4719(S): System audit policy was changed. + +- Monitor for all events of this type, especially on high value assets or computers, because any change in local audit policy should be planned. If this action was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4720.md b/windows/keep-secure/event-4720.md new file mode 100644 index 0000000000..157b9b01a3 --- /dev/null +++ b/windows/keep-secure/event-4720.md @@ -0,0 +1,288 @@ +--- +title: 4720(S) A user account was created. (Windows 10) +description: Describes security event 4720(S) A user account was created. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4720(S): A user account was created. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4720 illustration + +***Subcategory:*** [Audit User Account Management](audit-user-account-management.md) + +***Event Description:*** + +This event generates every time a new user object is created. + +This event generates on domain controllers, member servers, and workstations. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4720 + 0 + 0 + 13824 + 0 + 0x8020000000000000 + + 175408 + + + Security + DC01.contoso.local + + +- + ksmith + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-6609 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x30dc2 + - + ksmith + Ken Smith + ksmith@contoso.local + - + - + - + - + - + %%1794 + %%1794 + 513 + - + 0x0 + 0x15 + %%2080 %%2082 %%2084 + - + - + %%1793 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “create user account” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create user account” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**New Account:** + +- **Security ID** \[Type = SID\]**:** SID of created user account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +- **Account Name** \[Type = UnicodeString\]**:** the name of the user account that was created. For example: dadmin. + +- **Account Domain** \[Type = UnicodeString\]**:** domain name of created user account. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For local accounts, this field will contain the name of the computer to which this new account belongs, for example: “Win81”. + +**Attributes:** + +- **SAM Account Name** \[Type = UnicodeString\]: logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of **sAMAccountName** attribute of new user object. For example: ksmith. For local account this field contains the name of new user account. + +- **Display Name** \[Type = UnicodeString\]: the value of **displayName** attribute of new user object. 
It is a name displayed in the address book for a particular account .This is usually the combination of the user's first name, middle initial, and last name. For example, Ken Smith. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. Local accounts contain **Full Name** attribute in this field, but for new local accounts this field typically has value “**<value not set>**”. + +- **User Principal Name** \[Type = UnicodeString\]: internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. This parameter contains the value of **userPrincipalName** attribute of new user object. For example, ksmith@contoso.local. For local users this field is not applicable and has value “**-**“. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. + +- **Home Directory** \[Type = UnicodeString\]: user's home directory. If **homeDrive** attribute is set and specifies a drive letter, **homeDirectory** should be a UNC path. The path must be a network UNC of the form \\\\Server\\Share\\Directory. This parameter contains the value of **homeDirectory** attribute of new user object. For new local accounts this field typically has value “**<value not set>**”. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. + +- **Home Drive** \[Type = UnicodeString\]**:** specifies the drive letter to which to map the UNC path specified by **homeDirectory** account’s attribute. The drive letter must be specified in the form “DRIVE\_LETTER:”. For example – “H:”. This parameter contains the value of **homeDrive** attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. 
This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**<value not set>**”. + +- **Script Path** \[Type = UnicodeString\]**:** specifies the path of the account’s logon script. This parameter contains the value of **scriptPath** attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**<value not set>**”. + +- **Profile Path** \[Type = UnicodeString\]: specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. This parameter contains the value of **profilePath** attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**<value not set>**”. + +- **User Workstations** \[Type = UnicodeString\]: contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the **sAMAccountName** property of a user object. This parameter contains the value of **userWorkstations** attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For local users this field is not applicable and typically has value “**<value not set>**”. + +- **Password Last Set** \[Type = UnicodeString\]**:** last time the account’s password was modified. 
For manually created user account, using Active Directory Users and Computers snap-in, this field typically has value “**<never>”**. This parameter contains the value of **pwdLastSet** attribute of new user object. + +- **Account Expires** \[Type = UnicodeString\]: the date when the account expires. This parameter contains the value of **accountExpires** attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For manually created local and domain user accounts this field typically has value “**<never>**”. + +- **Primary Group ID** \[Type = UnicodeString\]: Relative Identifier (RID) of user’s object primary group. + +> **Note**  **Relative identifier (RID)** is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a domain. + +Typically, **Primary Group** field for new user accounts has the following values: + +- 513 (Domain Users. For local accounts this RID means Users) – for domain and local users. + + See this article for more information. This parameter contains the value of **primaryGroupID** attribute of new user object. + + + +- **Allowed To Delegate To** \[Type = UnicodeString\]: the list of SPNs to which this account can present delegated credentials. Can be changed using Active Directory Users and Computers management console in **Delegation** tab of user account, if this account has at least one SPN registered. This parameter contains the value of **AllowedToDelegateTo** attribute of new user object. For local user accounts this field is not applicable and typically has value “**-**“. For new domain user accounts it is typically has value “**-**“. 
See description of **AllowedToDelegateTo** field for “[4738](event-4738.md)(S): A user account was changed.” event for more details. + +> **Note**  **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. + +- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. **Old UAC value** always **“0x0”** for new user accounts. This parameter contains the previous value of **userAccountControl** attribute of user object. + +- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. This parameter contains the value of **userAccountControl** attribute of new user object. + +To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag. 
+ +Here's an example: Flags value from event: 0x15 + +Decoding: + +• PASSWD\_NOTREQD 0x0020 + +• LOCKOUT 0x0010 + +• HOMEDIR\_REQUIRED 0x0008 + +• (undeclared) 0x0004 + +• ACCOUNTDISABLE 0x0002 + +• SCRIPT 0x0001 + +0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event + +0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5 + +0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1 + +0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event + +0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done. + +So this UAC flags value decodes to: LOCKOUT and SCRIPT + +- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. For new user accounts, when the object for this account was created, the **userAccountControl** value was considered to be **“0x0”**, and then it was changed from **“0x0”** to the real value for the account's **userAccountControl** attribute. See possible values in the table below. In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4720 event. 
+ +| Flag Name | userAccountControl in hexadecimal | userAccountControl in decimal | Description | User Account Control field text | +|------------------------------------|-----------------------------------|-------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------| +| SCRIPT | 0x0001 | 1 | The logon script will be run. | Changes of this flag do not show in 4720 events. | +| ACCOUNTDISABLE | 0x0002 | 2 | The user account is disabled. | Account Disabled
Account Enabled | +| Undeclared | 0x0004 | 4 | This flag is undeclared. | Changes of this flag do not show in 4720 events. | +| HOMEDIR\_REQUIRED | 0x0008 | 8 | The home folder is required. | 'Home Directory Required' - Enabled
'Home Directory Required' - Disabled | +| LOCKOUT | 0x0010 | 16 | | Changes of this flag do not show in 4720 events. | +| PASSWD\_NOTREQD | 0x0020 | 32 | No password is required. | 'Password Not Required' - Enabled
'Password Not Required' - Disabled | +| PASSWD\_CANT\_CHANGE | 0x0040 | 64 | The user cannot change the password. This is a permission on the user's object. | Changes of this flag do not show in 4720 events. | +| ENCRYPTED\_TEXT\_PWD\_ALLOWED | 0x0080 | 128 | The user can send an encrypted password.
Can be set using “Store password using reversible encryption” checkbox. | 'Encrypted Text Password Allowed' - Disabled
'Encrypted Text Password Allowed' - Enabled | +| TEMP\_DUPLICATE\_ACCOUNT | 0x0100 | 256 | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. | Cannot be set for computer account. | +| NORMAL\_ACCOUNT | 0x0200 | 512 | This is a default account type that represents a typical user. | 'Normal Account' - Disabled
'Normal Account' - Enabled | +| INTERDOMAIN\_TRUST\_ACCOUNT | 0x0800 | 2048 | This is a permit to trust an account for a system domain that trusts other domains. | Cannot be set for computer account. | +| WORKSTATION\_TRUST\_ACCOUNT | 0x1000 | 4096 | This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. | 'Workstation Trust Account' - Disabled
'Workstation Trust Account' - Enabled | +| SERVER\_TRUST\_ACCOUNT | 0x2000 | 8192 | This is a computer account for a domain controller that is a member of this domain. | 'Server Trust Account' - Enabled
'Server Trust Account' - Disabled | +| DONT\_EXPIRE\_PASSWORD | 0x10000 | 65536 | Represents the password, which should never expire on the account.
Can be set using “Password never expires” checkbox. | 'Don't Expire Password' - Disabled
'Don't Expire Password' - Enabled | +| MNS\_LOGON\_ACCOUNT | 0x20000 | 131072 | This is an MNS logon account. | 'MNS Logon Account' - Disabled
'MNS Logon Account' - Enabled | +| SMARTCARD\_REQUIRED | 0x40000 | 262144 | When this flag is set, it forces the user to log on by using a smart card. | 'Smartcard Required' - Disabled
'Smartcard Required' - Enabled | +| TRUSTED\_FOR\_DELEGATION | 0x80000 | 524288 | When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
If you enable Kerberos constraint or unconstraint delegation or disable these types of delegation in Delegation tab you will get this flag changed. | 'Trusted For Delegation' - Enabled
'Trusted For Delegation' - Disabled | +| NOT\_DELEGATED | 0x100000 | 1048576 | When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
Can be set using “Account is sensitive and cannot be delegated” checkbox. | 'Not Delegated' - Disabled
'Not Delegated' - Enabled | +| USE\_DES\_KEY\_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
Can be set using “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled
'Use DES Key Only' - Enabled | +| DONT\_REQ\_PREAUTH | 0x400000 | 4194304 | This account does not require Kerberos pre-authentication for logging on.
Can be set using “Do not require Kerberos preauthentication” checkbox. | 'Don't Require Preauth' - Disabled
'Don't Require Preauth' - Enabled | +| PASSWORD\_EXPIRED | 0x800000 | 8388608 | The user's password has expired. | Changes of this flag do not show in 4720 events. | +| TRUSTED\_TO\_AUTH\_FOR\_DELEGATION | 0x1000000 | 16777216 | The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
If you enable Kerberos protocol transition delegation or disable this type of delegation in Delegation tab you will get this flag changed. | 'Trusted To Authenticate For Delegation' - Disabled
'Trusted To Authenticate For Delegation' - Enabled | +| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000  | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. | + +For new, manually created, domain or local user accounts typical flags are: + +- Account Disabled + +- 'Password Not Required' - Enabled + +- 'Normal Account' – Enabled + + After new user creation event you will typically see couple of “[4738](event-4738.md): A user account was changed.” events with new flags: + +- 'Password Not Required' – Disabled + +- Account Enabled + + + +- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of user’s account properties, then you will see **<value changed, but not displayed>** in this field in “[4738](event-4738.md): A user account was changed.” This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**<value not set>**”. + +- **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. This parameter contains the value of **sIDHistory** attribute of new user object. This parameter might not be captured in the event, and in that case appears as “-”. + +- **Logon Hours** \[Type = UnicodeString\]: hours that the account is allowed to logon to the domain. The value of **logonHours** attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. You will typically see “**<value not set>**” value for new manually created user accounts in event 4720. 
For new local accounts this field is not applicable and typically has value “**All**”. + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”. + +## Security Monitoring Recommendations + +For 4720(S): A user account was created. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Some organizations monitor every [4720](event-4720.md) event. + +- Consider whether to track the following fields and values: + +| **Field and value to track** | **Reason to track** | +|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **SAM Account Name** is empty or - | This field must contain the user account name. If it is empty or **-**, it might indicate an anomaly. | +| **User Principal Name** is empty or - | Typically this field should not be empty for new user accounts. If it is empty or **-**, it might indicate an anomaly. | +| **Home Directory** is not -
**Home Drive** is not -
**Script Path** is not -
**Profile Path** is not -
**User Workstations** is not - | Typically these fields are **-** for new user accounts. Other values might indicate an anomaly and should be monitored.
For local accounts these fields should display **<value not set>**. | +| **Password Last Set** is **<never>** | This typically means this is a manually created user account, which you might need to monitor. | +| **Password Last Set** is a time in the future | This might indicate an anomaly. | +| **Account Expires** is not **<never>** | Typically this field is **<never>** for new user accounts. Other values might indicate an anomaly and should be monitored. | +| **Primary Group ID** is not 513 | Typically, the **Primary Group** value is 513 for domain and local users. Other values should be monitored. | +| **Allowed To Delegate To** is not - | Typically this field is **-** for new user accounts. Other values might indicate an anomaly and should be monitored. | +| **Old UAC Value** is not 0x0 | Typically this field is **0x0** for new user accounts. Other values might indicate an anomaly and should be monitored. | +| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. | +| **Logon Hours** value other than **<value not set>** or** “All”** | This should always be **<value not set>** for new domain user accounts, and **“All”** for new local user accounts. | + +- Consider whether to track the following user account control flags: + +| **User account control flag to track** | **Information about the flag** | +|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **'Normal Account'** – Disabled | Should not be disabled for user accounts. 
| +| **'Encrypted Text Password Allowed'** – Enabled
**'Smartcard Required'** – Enabled
**'Not Delegated'** – Enabled
**'Use DES Key Only'** – Enabled
**'Don't Require Preauth'** – Enabled
**'Trusted To Authenticate For Delegation'** – Enabled | By default, these flags should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in. | +| **'Server Trust Account'** – Enabled | Should never be enabled for user accounts. Applies only to domain controller (computer) accounts. | +| **'Don't Expire Password'** – Enabled | Should be monitored for critical accounts, or all accounts if your organization does not allow this flag. By default, this flag should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in. | +| **'Trusted For Delegation'** – Enabled | By default, this flag should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in. It is enabled by default only for new domain controllers. | + diff --git a/windows/keep-secure/event-4722.md b/windows/keep-secure/event-4722.md new file mode 100644 index 0000000000..6c96fd0b4a --- /dev/null +++ b/windows/keep-secure/event-4722.md @@ -0,0 +1,123 @@ +--- +title: 4722(S) A user account was enabled. (Windows 10) +description: Describes security event 4722(S) A user account was enabled. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4722(S): A user account was enabled. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4722 illustration + +***Subcategory:*** [Audit User Account Management](audit-user-account-management.md) + +***Event Description:*** + +This event generates every time user or computer object is enabled. + +For user accounts, this event generates on domain controllers, member servers, and workstations. + +For computer accounts, this event generates only on domain controllers. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4722 + 0 + 0 + 13824 + 0 + 0x8020000000000000 + + 175716 + + + Security + DC01.contoso.local + + +- + Auditor + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-2104 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x30d5f + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “enable account” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “enable account” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Target Account:** + +- **Security ID** \[Type = SID\]**:** SID of account that was enabled. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was enabled. + +- **Account Domain** \[Type = UnicodeString\]**:** target account’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +## Security Monitoring Recommendations + +For 4722(S): A user account was enabled. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have a high-value domain or local account for which you need to monitor every change, monitor all [4722](event-4722.md) events with the **“Target Account\\Security ID”** that corresponds to the account. 
+ +- If you have domain or local accounts that should never be enabled, you can monitor all [4722](event-4722.md) events with the “**Target Account\\Security ID”** fields that correspond to the accounts. + +- We recommend monitoring all [4722](event-4722.md) events for local accounts, because these accounts usually do not change often. This is especially relevant for critical servers, administrative workstations, and other high value assets. + diff --git a/windows/keep-secure/event-4723.md b/windows/keep-secure/event-4723.md new file mode 100644 index 0000000000..8c23919260 --- /dev/null +++ b/windows/keep-secure/event-4723.md 
@@ -0,0 +1,134 @@ +--- +title: 4723(S, F) An attempt was made to change an account's password. (Windows 10) +description: Describes security event 4723(S, F) An attempt was made to change an account's password. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4723(S, F): An attempt was made to change an account's password. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4723 illustration + +***Subcategory:*** [Audit User Account Management](audit-user-account-management.md) + +***Event Description:*** + +This event generates every time a user attempts to change his or her password. + +For user accounts, this event generates on domain controllers, member servers, and workstations. + +For domain accounts, a Failure event generates if new password fails to meet the password policy. + +For local accounts, a Failure event generates if new password fails to meet the password policy or old password is wrong. + +For domain accounts if old password was wrong, then “[4771](event-4771.md): Kerberos pre-authentication failed” or “[4776](event-4776.md): The computer attempted to validate the credentials for an account” will be generated on domain controller if specific subcategories were enabled on it. + +Typically you will see 4723 events with the same **Subject\\Security ID** and **Target Account\\Security ID** fields, which is normal behavior. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4723 + 0 + 0 + 13824 + 0 + 0x8020000000000000 + + 175722 + + + Security + DC01.contoso.local + + +- + dadmin + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-1104 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x1a9b76 + - + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that made an attempt to change Target’s Account password. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to change Target’s Account password. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Target Account:** account for which the password change was requested. + +- **Security ID** \[Type = SID\]**:** SID of account for which the password change was requested. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which the password change was requested. + +- **Account Domain** \[Type = UnicodeString\]**:** target account’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”. 
+ +## Security Monitoring Recommendations + +For 4723(S, F): An attempt was made to change an account's password. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have a high-value domain or local user account for which you need to monitor every password change attempt, monitor all [4723](event-4723.md) events with the **“Target Account\\Security ID”** that corresponds to the account. + +- If you have a high-value domain or local account for which you need to monitor every change, monitor all [4723](event-4723.md) events with the **“Target Account\\Security ID”** that corresponds to the account. + +- If you have domain or local accounts for which the password should never be changed, you can monitor all [4723](event-4723.md) events with the **“Target Account\\Security ID”** that corresponds to the account. + diff --git a/windows/keep-secure/event-4724.md b/windows/keep-secure/event-4724.md new file mode 100644 index 0000000000..977955100e --- /dev/null +++ b/windows/keep-secure/event-4724.md 
@@ -0,0 +1,131 @@ +--- +title: 4724(S, F) An attempt was made to reset an account's password. (Windows 10) +description: Describes security event 4724(S, F) An attempt was made to reset an account's password. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4724(S, F): An attempt was made to reset an account's password. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4724 illustration + +***Subcategory:*** [Audit User Account Management](audit-user-account-management.md) + +***Event Description:*** + +This event generates every time an account attempted to reset the password for another account. + +For user accounts, this event generates on domain controllers, member servers, and workstations. + +For domain accounts, a Failure event generates if the new password fails to meet the password policy. + +A Failure event does NOT generate if user gets “Access Denied” while doing the password reset procedure. + +This event also generates if a computer account reset procedure was performed. + +For local accounts, a Failure event generates if the new password fails to meet the local password policy. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4724 + 0 + 0 + 13824 + 0 + 0x8020000000000000 + + 175740 + + + Security + DC01.contoso.local + + +- + User1 + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-1107 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x30d5f + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that made an attempt to reset Target’s Account password. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to reset Target’s Account password. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Target Account:** account for which password reset was requested. + +- **Security ID** \[Type = SID\]**:** SID of account for which password reset was requested. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which password reset was requested. + +- **Account Domain** \[Type = UnicodeString\]**:** target account’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +## Security Monitoring Recommendations + +For 4724(S, F): An attempt was made to reset an account's password. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). 
+ +- If you have a high-value domain or local user account for which you need to monitor every password reset attempt, monitor all [4724](event-4724.md) events with the **“Target Account\\Security ID”** that corresponds to the account. + +- If you have a high-value domain or local account for which you need to monitor every change, monitor all [4724](event-4724.md) events with the **“Target Account\\Security ID”** that corresponds to the account. + +- If you have domain or local accounts for which the password should never be reset, you can monitor all [4724](event-4724.md) events with the **“Target Account\\Security ID”** that corresponds to the account. + +- We recommend monitoring all [4724](event-4724.md) events for local accounts, because their passwords usually do not change often. This is especially relevant for critical servers, administrative workstations, and other high value assets. + diff --git a/windows/keep-secure/event-4725.md b/windows/keep-secure/event-4725.md new file mode 100644 index 0000000000..7dacfe0813 --- /dev/null +++ b/windows/keep-secure/event-4725.md @@ -0,0 +1,123 @@ +--- +title: 4725(S) A user account was disabled. (Windows 10) +description: Describes security event 4725(S) A user account was disabled. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4725(S): A user account was disabled. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4725 illustration + +***Subcategory:*** [Audit User Account Management](audit-user-account-management.md) + +***Event Description:*** + +This event generates every time user or computer object is disabled. + +For user accounts, this event generates on domain controllers, member servers, and workstations. + +For computer accounts, this event generates only on domain controllers. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4725 + 0 + 0 + 13824 + 0 + 0x8020000000000000 + + 175714 + + + Security + DC01.contoso.local + + +- + Auditor + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-2104 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x30d5f + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “disable account” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “disable account” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Target Account:** + +- **Security ID** \[Type = SID\]**:** SID of account that was disabled. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was disabled. + +- **Account Domain** \[Type = UnicodeString\]**:** target account’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +## Security Monitoring Recommendations + +For 4725(S): A user account was disabled. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have a high-value domain or local account for which you need to monitor every change, monitor all [4725](event-4725.md) events with the **“Target Account\\Security ID”** that corresponds to the account. 
+ +- If you have domain or local accounts that should never be disabled (for example, service accounts), you can monitor all [4725](event-4725.md) events with the **“Target Account\\Security ID”** that corresponds to the account. + +- We recommend monitoring all [4725](event-4725.md) events for local accounts, because these accounts usually do not change often. This is especially relevant for critical servers, administrative workstations, and other high value assets. + diff --git a/windows/keep-secure/event-4726.md b/windows/keep-secure/event-4726.md new file mode 100644 index 0000000000..ab110e118d --- /dev/null +++ b/windows/keep-secure/event-4726.md @@ -0,0 +1,126 @@ +--- +title: 4726(S) A user account was deleted. (Windows 10) +description: Describes security event 4726(S) A user account was deleted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4726(S): A user account was deleted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4726 illustration + +***Subcategory:*** [Audit User Account Management](audit-user-account-management.md) + +***Event Description:*** + +This event generates every time user object was deleted. + +This event generates on domain controllers, member servers, and workstations. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4726 + 0 + 0 + 13824 + 0 + 0x8020000000000000 + + 175720 + + + Security + DC01.contoso.local + + +- + ksmith + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-6609 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x30d5f + - + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete user account” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete user account” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Target Account:** + +- **Security ID** \[Type = SID\]**:** SID of account that was deleted. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was deleted. + +- **Account Domain** \[Type = UnicodeString\]**:** target account’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”. + +## Security Monitoring Recommendations + +For 4726(S): A user account was deleted. 
+ +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have a high-value domain or local account for which you need to monitor every change (or deletion), monitor all [4726](event-4726.md) events with the **“Target Account\\Security ID”** that corresponds to the account. + +- If you have a domain or local account that should never be deleted (for example, service accounts), monitor all [4726](event-4726.md) events with the **“Target Account\\Security ID”** that corresponds to the account. + +- We recommend monitoring all [4726](event-4726.md) events for local accounts, because these accounts typically are not deleted often. This is especially relevant for critical servers, administrative workstations, and other high value assets. + diff --git a/windows/keep-secure/event-4731.md b/windows/keep-secure/event-4731.md new file mode 100644 index 0000000000..0f6116aca5 --- /dev/null +++ b/windows/keep-secure/event-4731.md @@ -0,0 +1,134 @@ +--- +title: 4731(S) A security-enabled local group was created. (Windows 10) +description: Describes security event 4731(S) A security-enabled local group was created. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4731(S): A security-enabled local group was created. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4731 illustration + +***Subcategory:*** [Audit Security Group Management](audit-security-group-management.md) + +***Event Description:*** + +This event generates every time a new security-enabled (security) local group was created. + +This event generates on domain controllers, member servers, and workstations. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4731 + 0 + 0 + 13826 + 0 + 0x8020000000000000 + + 174849 + + + Security + DC01.contoso.local + + +- + AccountOperators + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-6605 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x3031e + - + AccountOperators + - + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “create group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create group” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**New Group:** + +- **Security ID** \[Type = SID\]**:** SID of created group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event. + +- **Group Name** \[Type = UnicodeString\]**:** the name of the group that was created. For example: ServiceDesk + +- **Group Domain** \[Type = UnicodeString\]: domain or computer name of the created group. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For a local group, this field will contain the name of the computer to which this new group belongs, for example: “Win81”. + +**Attributes:** + +- **SAM Account Name** \[Type = UnicodeString\]: This is a name of new group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of **sAMAccountName** attribute of new group object. For example: ServiceDesk. For local groups it is simply a name of new group. + +- **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. 
Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. This parameter contains the value of **sIDHistory** attribute of new group object. This parameter might not be captured in the event, and in that case appears as “-”. For local groups it is not applicable and always has “**-**“ value. + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”. + +## Security Monitoring Recommendations + +For 4731(S): A security-enabled local group was created. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you need to monitor each time a new security group is created, to see who created the group and when, monitor this event. + +- If you need to monitor the creation of local security groups on different servers, and you use Windows Event Forwarding to collect events in a central location, check “**New Group\\Group Domain.**” It should not be the name of the domain, but instead should be the computer name. + +- If your organization has naming conventions for account names, monitor “**Attributes\\SAM Account Name”** for names that don’t comply with the naming conventions. + diff --git a/windows/keep-secure/event-4732.md b/windows/keep-secure/event-4732.md new file mode 100644 index 0000000000..f688280574 --- /dev/null +++ b/windows/keep-secure/event-4732.md 
@@ -0,0 +1,158 @@ +--- +title: 4732(S) A member was added to a security-enabled local group. (Windows 10) +description: Describes security event 4732(S) A member was added to a security-enabled local group. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4732(S): A member was added to a security-enabled local group. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4732 illustration + +***Subcategory:*** [Audit Security Group Management](audit-security-group-management.md) + +***Event Description:*** + +This event generates every time a new member was added to a security-enabled (security) local group. + +This event generates on domain controllers, member servers, and workstations. + +For every added member you will get separate 4732 event. + +You will typically see “[4735](event-4735.md): A security-enabled local group was changed.” event without any changes in it prior to 4732 event. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4732 + 0 + 0 + 13826 + 0 + 0x8020000000000000 + + 174856 + + + Security + DC01.contoso.local + + +- + CN=eadmin,CN=Users,DC=contoso,DC=local + S-1-5-21-3457937927-2839227994-823803824-500 + AccountOperators + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-6605 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x3031e + - + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “add member to the group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “add member to the group” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Member:** + +- **Security ID** \[Type = SID\]**:** SID of account that was added to the group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event. + +- **Account Name** \[Type = UnicodeString\]: distinguished name of account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has “**-**“ value, even if new member is a domain account. For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”. + +> **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. + +> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: + +> • DC - domainComponent + +> • CN - commonName + +> • OU - organizationalUnitName + +> • O - organizationName + +**Group:** + +- **Security ID** \[Type = SID\]**:** SID of the group to which new member was added. Event Viewer automatically tries to resolve SIDs and show the group name. 
If the SID cannot be resolved, you will see the source data in the event. + +- **Group Name** \[Type = UnicodeString\]**:** the name of the group to which new member was added. For example: ServiceDesk + +- **Group Domain** \[Type = UnicodeString\]: domain or computer name of the group to which the new member was added. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For a local group, this field will contain the name of the computer to which this new group belongs, for example: “Win81”. + + - [Built-in groups](https://technet.microsoft.com/en-us/library/dn169025(v=ws.10).aspx): Builtin + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”. + +## Security Monitoring Recommendations + +For 4732(S): A member was added to a security-enabled local group. + +| **Type of monitoring required** | **Recommendation** | +|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Addition of members to local or domain security groups:** You might need to monitor the addition of members to local or domain security groups. 
| If you need to monitor each time a member is added to a local or domain security group, to see who added the member and when, monitor this event.
Typically, this event is used as an informational event, to be reviewed if needed. | +| **High-value local or domain security groups:** You might have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for the addition of new members (or for other changes).
Examples of critical local or domain groups are built-in local administrators group, domain admins, enterprise admins, and so on. | Monitor this event with the “**Group\\Group Name”** values that correspond to the high-value local or domain security groups. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). 
| Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | +| **Mismatch between type of account (user or computer) and the group it was added to**: You might want to monitor to ensure that a computer account was not added to a group intended for users, or a user account was not added to a group intended for computers. | Monitor the type of account added to the group to see if it matches what the group is intended for. | + diff --git a/windows/keep-secure/event-4733.md b/windows/keep-secure/event-4733.md new file mode 100644 index 0000000000..b2de4567ac --- /dev/null +++ b/windows/keep-secure/event-4733.md 
@@ -0,0 +1,164 @@ +--- +title: 4733(S) A member was removed from a security-enabled local group. (Windows 10) +description: Describes security event 4733(S) A member was removed from a security-enabled local group. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4733(S): A member was removed from a security-enabled local group. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4733 illustration + +***Subcategory:*** [Audit Security Group Management](audit-security-group-management.md) + +***Event Description:*** + +This event generates every time member was removed from security-enabled (security) local group. + +This event generates on domain controllers, member servers, and workstations. + +For every removed member you will get separate 4733 event. + +You will typically see “[4735](event-4735.md): A security-enabled local group was changed.” event without any changes in it prior to 4733 event. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4733 + 0 + 0 + 13826 + 0 + 0x8020000000000000 + + 175037 + + + Security + DC01.contoso.local + + +- + CN=Auditor,CN=Users,DC=contoso,DC=local + S-1-5-21-3457937927-2839227994-823803824-2104 + AccountOperators + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-6605 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x35e38 + - + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “remove member from the group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “remove member from the group” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Member:** + +- **Security ID** \[Type = SID\]**:** SID of account that was removed from the group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event. + +- **Account Name** \[Type = UnicodeString\]: distinguished name of account that was removed from the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has “**-**“ value, even if removed member is a domain account. For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”. + +> **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. + +> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: + +> • DC - domainComponent + +> • CN - commonName + +> • OU - organizationalUnitName + +> • O - organizationName + +**Group:** + +- **Security ID** \[Type = SID\]**:** SID of the group from which the member was removed. 
Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event. + +- **Group Name** \[Type = UnicodeString\]**:** the name of the group from which the member was removed. For example: ServiceDesk + + + +- **Group Domain** \[Type = UnicodeString\]: domain or computer name of the group from which the member was removed. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + + + - For a local group, this field will contain the name of the computer to which this new group belongs, for example: “Win81”. + + + + - [Built-in groups](https://technet.microsoft.com/en-us/library/dn169025(v=ws.10).aspx): Builtin + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”. + +## Security Monitoring Recommendations + +For 4733(S): A member was removed from a security-enabled local group. 
+ +| **Type of monitoring required** | **Recommendation** | +|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Removal of members from local or domain security groups:** You might need to monitor the removal of members from local or domain security groups. | If you need to monitor each time a member is removed from a local or domain security group, to see who added the member and when, monitor this event.
Typically, this event is used as an informational event, to be reviewed if needed. | +| **High-value local or domain security groups:** You might have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for the removal of members (or for other changes).
Examples of critical local or domain groups are built-in local administrators group, domain admins, enterprise admins, and so on. | Monitor this event with the “**Group\\Group Name”** values that correspond to the high-value local or domain security groups. | +| **Local or domain security groups with required members**: You might need to ensure that for certain local or domain security groups, particular members are never removed. | Monitor this event with the “**Group\\Group Name”** that corresponds to the group of interest, and the **“Member\\Security ID”** of the members who should not be removed. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). 
| Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4734.md b/windows/keep-secure/event-4734.md new file mode 100644 index 0000000000..023be2969c --- /dev/null +++ b/windows/keep-secure/event-4734.md @@ -0,0 +1,126 @@ +--- +title: 4734(S) A security-enabled local group was deleted. (Windows 10) +description: Describes security event 4734(S) A security-enabled local group was deleted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4734(S): A security-enabled local group was deleted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4734 illustration + +***Subcategory:*** [Audit Security Group Management](audit-security-group-management.md) + +***Event Description:*** + +This event generates every time security-enabled (security) local group is deleted. + +This event generates on domain controllers, member servers, and workstations. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4734 + 0 + 0 + 13826 + 0 + 0x8020000000000000 + + 175039 + + + Security + DC01.contoso.local + + +- + AccountOperators + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-6605 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x35e38 + - + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete group” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Group:** + +- **Security ID** \[Type = SID\]**:** SID of deleted group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event. + +- **Group Name** \[Type = UnicodeString\]**:** the name of the group that was deleted. For example: ServiceDesk + +- **Group Domain** \[Type = UnicodeString\]: domain or computer name of the deleted group. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For a local group, this field will contain the name of the computer to which this new group belongs, for example: “Win81”. + + - [Built-in groups](https://technet.microsoft.com/en-us/library/dn169025(v=ws.10).aspx): Builtin + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”. 
+ +## Security Monitoring Recommendations + +For 4734(S): A security-enabled local group was deleted. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for any change, especially group deletion, monitor events with the “**Group\\Group Name”** values that correspond to the critical local or domain security groups. Examples of critical local or domain groups are built-in local administrators group, domain admins, enterprise admins, and so on. + +- If you need to monitor each time a local or domain security group is deleted, to see who deleted it and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed. + diff --git a/windows/keep-secure/event-4735.md b/windows/keep-secure/event-4735.md new file mode 100644 index 0000000000..b6dac600b9 --- /dev/null +++ b/windows/keep-secure/event-4735.md 
@@ -0,0 +1,152 @@ +--- +title: 4735(S) A security-enabled local group was changed. (Windows 10) +description: Describes security event 4735(S) A security-enabled local group was changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4735(S): A security-enabled local group was changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4735 illustration + +***Subcategory:*** [Audit Security Group Management](audit-security-group-management.md) + +***Event Description:*** + +This event generates every time a security-enabled (security) local group is changed. + +This event generates on domain controllers, member servers, and workstations. + +Some changes do not invoke a 4735 event, for example, changes made using Active Directory Users and Computers management console in **Managed By** tab in group account properties. + +If you change the name of the group (SAM Account Name), you also get “[4781](event-4781.md): The name of an account was changed” if “[Audit User Account Management](audit-user-account-management.md)” subcategory success auditing is enabled. + +If you change the group type, you get a change event from the new group type auditing subcategory instead of 4735. If you need to monitor for group type changes, it is better to monitor for “[4764](event-4764.md): A group’s type was changed.” These events are generated for any group type when group type is changed. “[Audit Security Group Management](audit-security-group-management.md)” subcategory success auditing must be enabled. + +From 4735 event you can get information about changes of **sAMAccountName** and **sIDHistory** attributes or you will see that something changed, but will not be able to see what exactly changed. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4735 + 0 + 0 + 13826 + 0 + 0x8020000000000000 + + 174850 + + + Security + DC01.contoso.local + + +- + AccountOperators\_NEW + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-6605 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x3031e + - + AccountOperators\_NEW + - + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “change group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change group” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Group:** + +- **Security ID** \[Type = SID\]**:** SID of changed group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  Sometimes you can see the **Group\\Security ID** field contains an old group name in Event Viewer (as you can see in the event example). That happens because Event Viewer caches names for SIDs that it has already resolved for the current session. + +> **Note**  **Security ID** field has the same value as new group name (**Changed Attributes>SAM Account Name**). That is happens because event is generated after name was changed and SID resolves to the new name. It is always better to use SID instead of group names for queries or filtering of events, because you will know for sure that this the right object you are looking for or want to monitor. + +- **Group Name** \[Type = UnicodeString\]**:** the name of the group that was changed. For example: ServiceDesk + +- **Group Domain** \[Type = UnicodeString\]: domain or computer name of the changed group. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For a local group, this field will contain the name of the computer to which this new group belongs, for example: “Win81”. + + - [Built-in groups](https://technet.microsoft.com/en-us/library/dn169025(v=ws.10).aspx): Builtin + +**Changed Attributes:** + +> **Note**  If attribute was not changed it will have “-“ value. + +You might see a 4735 event without any changes inside, that is, where all Changed Attributes apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the Description of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4735 event will generate, but all attributes will be “-“. + +- **SAM Account Name** \[Type = UnicodeString\]: This is a new name of changed group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). If the value of **sAMAccountName** attribute of group object was changed, you will see the new value here. For example: ServiceDesk. For local groups it is simply a new name of the group, if it was changed. + +- **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. If the value of **sIDHistory** attribute of group object was changed, you will see the new value here. 
For local groups it is not applicable and always has “**-**“ value. + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”. + +## Security Monitoring Recommendations + +For 4735(S): A security-enabled local group was changed. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for any change, monitor events with the “**Group\\Group Name”** values that correspond to the critical local or domain security groups. + +- If you need to monitor each time a member is added to a local or domain security group, to see who added the member and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed. + +- If your organization has naming conventions for account names, monitor “**Attributes\\SAM Account Name”** for names that don’t comply with the naming conventions. + diff --git a/windows/keep-secure/event-4738.md b/windows/keep-secure/event-4738.md new file mode 100644 index 0000000000..98f22cb17c --- /dev/null +++ b/windows/keep-secure/event-4738.md 
@@ -0,0 +1,291 @@ +--- +title: 4738(S) A user account was changed. (Windows 10) +description: Describes security event 4738(S) A user account was changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4738(S): A user account was changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4738 illustration + +***Subcategory:*** [Audit User Account Management](audit-user-account-management.md) + +***Event Description:*** + +This event generates every time user object is changed. + +This event generates on domain controllers, member servers, and workstations. + +For each change, a separate 4738 event will be generated. + +You might see this event without any changes inside, that is, where all **Changed Attributes** apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, if the [discretionary access control list](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4738 event will generate, but all attributes will be “-“. + +Some changes do not invoke a 4738 event. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4738 + 0 + 0 + 13824 + 0 + 0x8020000000000000 + + 175413 + + + Security + DC01.contoso.local + + +- + - + ksmith + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-6609 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x30dc2 + - + - + - + - + - + - + - + - + - + - + - + - + - + 0x15 + 0x211 + %%2050 %%2089 + - + - + - + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “change user account” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change user account” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Target Account:** + +- **Security ID** \[Type = SID\]**:** SID of account that was changed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was changed. + +- **Account Domain** \[Type = UnicodeString\]**:** target account’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +**Changed Attributes:** + +If attribute was not changed it will have “–“ value. + +Unfortunately, for local accounts, all fields, except changed attributes, will have previous values populated. Also, the User Account Control field will have values only if it was modified. Changed attributes will have new values, but it is hard to understand which attribute was really changed. 
+ +- **SAM Account Name** \[Type = UnicodeString\]: logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). If the value of **sAMAccountName** attribute of user object was changed, you will see the new value here. For example: ladmin. For local accounts, this field always has some value—if the account's attribute was not changed it will contain the current value of the attribute. + +- **Display Name** \[Type = UnicodeString\]: it is a name, displayed in the address book for a particular account. This is usually the combination of the user's first name, middle initial, and last name. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. If the value of **displayName** attribute of user object was changed, you will see the new value here. For local accounts, this field always has some value—if the account's attribute was not changed it will contain the current value of the attribute. + +- **User Principal Name** \[Type = UnicodeString\]: internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. If the value of **userPrincipalName** attribute of user object was changed, you will see the new value here. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. For local accounts, this field is not applicable and always has “-“ value. + +- **Home Directory** \[Type = UnicodeString\]: user's home directory. If **homeDrive** attribute is set and specifies a drive letter, **homeDirectory** should be a UNC path. The path must be a network UNC of the form \\\\Server\\Share\\Directory. If the value of **homeDirectory** attribute of user object was changed, you will see the new value here. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. 
For local accounts, this field always has some value—if the account's attribute was not changed it will contain the current value of the attribute. + +- **Home Drive** \[Type = UnicodeString\]**:** specifies the drive letter to which to map the UNC path specified by **homeDirectory** account’s attribute. The drive letter must be specified in the form “DRIVE\_LETTER:”. For example – “H:”. If the value of **homeDrive** attribute of user object was changed, you will see the new value here. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. For local accounts, this field always has some value—if the account's attribute was not changed it will contain the current value of the attribute. + +- **Script Path** \[Type = UnicodeString\]**:** specifies the path of the account’s logon script. If the value of **scriptPath** attribute of user object was changed, you will see the new value here. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. For local accounts, this field always has some value—if the account's attribute was not changed it will contain the current value of the attribute. + +- **Profile Path** \[Type = UnicodeString\]: specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. If the value of **profilePath** attribute of user object was changed, you will see the new value here. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. For local accounts, this field always has some value—if the account's attribute was not changed it will contain the current value of the attribute. + +- **User Workstations** \[Type = UnicodeString\]: contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. 
The name of a computer is the **sAMAccountName** property of a computer object. If the value of **userWorkstations** attribute of user object was changed, you will see the new value here. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. For local accounts, this field is not applicable and always appears as “**<value not set>**.“ + +- **Password Last Set** \[Type = UnicodeString\]**:** last time the account’s password was modified. If the value of **pwdLastSet** attribute of user object was changed, you will see the new value here. For example: 8/12/2015 11:41:39 AM. This value will be changed, for example, after manual user account password reset. For local accounts, this field always has some value—if the account's attribute was not changed it will contain the current value of the attribute. + +- **Account Expires** \[Type = UnicodeString\]: the date when the account expires. If the value of **accountExpires** attribute of user object was changed, you will see the new value here. . For example, “9/21/2015 12:00:00 AM”. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. For local accounts, this field always has some value—if the account's attribute was not changed it will contain the current value of the attribute. + +- **Primary Group ID** \[Type = UnicodeString\]: Relative Identifier (RID) of user’s object primary group. + +> **Note**  **Relative identifier (RID)** is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a domain. + +This field will contain some value if user’s object primary group was changed. You can change user’s primary group using Active Directory Users and Computers management console in the **Member Of** tab of user object properties. You will see a RID of new primary group as a field value. 
For example, RID 513 (Domain Users) is a default primary group for users. + +Typical **Primary Group** values for user accounts: + +- 513 (Domain Users. For local accounts this RID means Users) – for domain and local users. + + See this article for more information. If the value of **primaryGroupID** attribute of user object was changed, you will see the new value here. + + + +- **AllowedToDelegateTo** \[Type = UnicodeString\]: the list of SPNs to which this account can present delegated credentials. Can be changed using Active Directory Users and Computers management console in **Delegation** tab of user account, if at least one SPN is registered for user account. If the SPNs list on **Delegation** tab of a user account was changed, you will see the new SPNs list in **AllowedToDelegateTo** field (note that you will see the new list instead of changes) of this event. This is an example of **AllowedToDelegateTo**: + + - dcom/WIN2012 + + - dcom/WIN2012.contoso.local + + If the value of **msDS-AllowedToDelegateTo** attribute of user object was changed, you will see the new value here. + + The value can be “**<value not set>**”, for example, if delegation was disabled. + + For local accounts, this field is not applicable and always has “-“ value. + +> **Note**  **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. + +- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. 
This parameter contains the previous value of **userAccountControl** attribute of user object. + +- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. If the value of **userAccountControl** attribute of user object was changed, you will see the new value here. + +To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag. + +Here's an example: Flags value from event: 0x15 + +Decoding: + +• PASSWD\_NOTREQD 0x0020 + +• LOCKOUT 0x0010 + +• HOMEDIR\_REQUIRED 0x0008 + +• (undeclared) 0x0004 + +• ACCOUNTDISABLE 0x0002 + +• SCRIPT 0x0001 + +0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event + +0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5 + +0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1 + +0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event + +0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done. + +So this UAC flags value decodes to: LOCKOUT and SCRIPT + +- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. See possible values in here: “Table 7. User’s or Computer’s account UAC flags.”. In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4738 event. 
+ +- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of user’s account properties, then you will see **<value changed, but not displayed>** in this field. For local accounts, this field is not applicable and always has “<value not set>“ value. + +- **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. If the value of **sIDHistory** attribute of user object was changed, you will see the new value here. + +- **Logon Hours** \[Type = UnicodeString\]: hours that the account is allowed to logon to the domain. If the value of **logonHours** attribute of user object was changed, you will see the new value here. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. Here is an example of this field: + + Sunday 12:00 AM - 7:00 PM + + Sunday 9:00 PM -Monday 1:00 PM + + Monday 2:00 PM -Tuesday 6:00 PM + + Tuesday 8:00 PM -Wednesday 10:00 AM + + For local accounts this field is not applicable and typically has value “**All**”. + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”. + +## Security Monitoring Recommendations + +For 4738(S): A user account was changed. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Some organizations monitor every [4738](event-4738.md) event. 
+ +- If you have critical user computer accounts (for example, domain administrator accounts or service accounts) for which you need to monitor each change, monitor this event with the **“Target Account\\Account Name”** that corresponds to the critical account or accounts. + +- If you have user accounts for which any change in the services list on the **Delegation** tab should be monitored, monitor this event when **AllowedToDelegateTo** is not -. This value means the services list was changed. + +- Consider whether to track the following fields: + +| **Field to track** | **Reason to track** | +|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Display Name**
**User Principal Name**
**Home Directory**
**Home Drive**
**Script Path**
**Profile Path**
**User Workstations**
**Password Last Set**
**Account Expires**
**Primary Group ID
Logon Hours** | We recommend monitoring all changes for these fields for critical domain and local accounts. | +| **Primary Group ID** is not 513 | Typically, the **Primary Group** value is 513 for domain and local users. Other values should be monitored. | +| For user accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set> ** | If **AllowedToDelegateTo** is marked **<value not set>** on user accounts that previously had a services list (on the **Delegation** tab), it means the list was cleared. | +| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. | + +- Consider whether to track the following user account control flags: + +| **User account control flag to track** | **Information about the flag** | +|---------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **'Normal Account'** – Disabled | Should not be disabled for user accounts. | +| **'Password Not Required'** – Enabled | Should not typically be enabled for user accounts because it weakens security for the account. | +| **'Encrypted Text Password Allowed'** – Enabled | Should not typically be enabled for user accounts because it weakens security for the account. | +| **'Server Trust Account'** – Enabled | Should never be enabled for user accounts. Applies only to domain controller (computer) accounts. | +| **'Don't Expire Password'** – Enabled | Should be monitored for critical accounts, or all accounts if your organization does not allow this flag. 
| +| **'Smartcard Required'** – Enabled | Should be monitored for critical accounts. | +| **'Password Not Required'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” | +| **'Encrypted Text Password Allowed'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” | +| **'Don't Expire Password'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” | +| **'Smartcard Required'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” | +| **'Trusted For Delegation'** – Enabled | Means that Kerberos Constraint or Unconstraint delegation was enabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. | +| **'Trusted For Delegation'** – Disabled | Means that Kerberos Constraint or Unconstraint delegation was disabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
Also, if you have a list of user accounts for which delegation is critical and should not be disabled, monitor this for those accounts. | +| **'Trusted To Authenticate For Delegation'** – Enabled | Means that Protocol Transition delegation was enabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. | +| **'Trusted To Authenticate For Delegation'** – Disabled | Means that Protocol Transition delegation was disabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
Also, if you have a list of user accounts for which delegation is critical and should not be disabled, monitor this for those accounts. | +| **'Not Delegated'** – Enabled | Means that **Account is sensitive and cannot be delegated** was checked for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. | +| **'Not Delegated'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” Means that **Account is sensitive and cannot be delegated** was unchecked for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. | +| **'Use DES Key Only'** – Enabled | Should not typically be enabled for user accounts because it weakens security for the account’s Kerberos authentication. | +| **'Don't Require Preauth'** – Enabled | Should not be enabled for user accounts because it weakens security for the account’s Kerberos authentication. | +| **'Use DES Key Only'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” | +| **'Don't Require Preauth'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” | + diff --git a/windows/keep-secure/event-4739.md b/windows/keep-secure/event-4739.md new file mode 100644 index 0000000000..b5873a99e3 --- /dev/null +++ b/windows/keep-secure/event-4739.md 
@@ -0,0 +1,226 @@ +--- +title: 4739(S) Domain Policy was changed. (Windows 10) +description: Describes security event 4739(S) Domain Policy was changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4739(S): Domain Policy was changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4739 illustration + +***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md) + +***Event Description:*** + +This event generates when one of the following changes was made to local computer security policy: + +- Computer’s “\\Security Settings\\Account Policies\\Account Lockout Policy” settings were modified. + +- Computer's “\\Security Settings\\Account Policies\\Password Policy” settings were modified. + +- "Network security: Force logoff when logon hours expire" group policy setting was changed. + +- Domain functional level was changed or some other attributes changed (see details in event description). + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4739 + 0 + 0 + 13569 + 0 + 0x8020000000000000 + + 1049781 + + + Security + DC01.contoso.local + + +- + Password Policy + CONTOSO + S-1-5-21-3457937927-2839227994-823803824 + S-1-5-18 + DC01$ + CONTOSO + 0x3e7 + - + - + - + - + - + - + - + - + - + 13 + - + - + - + - + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Change Type** \[Type = UnicodeString\]**:** the type of change which was made. The format is “**policy\_name** modified”. These are some possible values of **policy\_name**: + +| Value | Group Policy Name \\ Description | +|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------| +| Lockout Policy | Computer’s “\\Security Settings\\Account Policies\\Account Lockout Policy” settings were modified. | +| Password Policy | Computer's “\\Security Settings\\Account Policies\\Password Policy” settings were modified. | +| Logoff Policy | "[Network security: Force logoff when logon hours expire](https://technet.microsoft.com/en-us/library/jj852195.aspx)" group policy setting was changed. | +| - | Machine Account Quota ([ms-DS-MachineAccountQuota](https://technet.microsoft.com/en-us/library/dd391926(v=ws.10).aspx)) domain attribute was modified. | + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that made a change to specific local policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. 
Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to specific local policy. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Domain:** + +- **Domain Name** \[Type = UnicodeString\]**:** the name of domain for which policy changes were made. + + + +- **Domain ID** \[Type = SID\]**:** the SID of domain for which policy changes were made. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +**Changed Attributes:** For attributes which were not changed the value will be “**-**“. + +- **Min. 
Password Age** \[Type = UnicodeString\]: “\\Security Settings\\Account Policies\\Password Policy\\Minimum password age” group policy. Numeric value. + + + +- **Max. Password Age** \[Type = UnicodeString\]: “\\Security Settings\\Account Policies\\Password Policy\\Maximum password age” group policy. Numeric value. + +- **Force Logoff** \[Type = UnicodeString\]: “\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire” group policy. + +- **Lockout Threshold** \[Type = UnicodeString\]: “\\Security Settings\\Account Policies\\Account Lockout Policy\\Account lockout threshold” group policy. Numeric value. + +- **Lockout Observation Window** \[Type = UnicodeString\]: “\\Security Settings\\Account Policies\\Account Lockout Policy\\Reset account lockout counter after” group policy. Numeric value. + +- **Lockout Duration** \[Type = UnicodeString\]: “\\Security Settings\\Account Policies\\Account Lockout Policy\\Account lockout duration” group policy. Numeric value. + +- **Password Properties** \[Type = UnicodeString\]: + +| Value | Group Policy settings | +|-------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | \\Security Settings\\Account Policies\\Password Policy\\Store passwords using reversible encryption - Disabled.
\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements – Disabled. | +| 1 | \\Security Settings\\Account Policies\\Password Policy\\Store passwords using reversible encryption - Disabled.
\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements – Enabled. | +| 16 | \\Security Settings\\Account Policies\\Password Policy\\Store passwords using reversible encryption - Enabled.
\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements – Disabled. | +| 17 | \\Security Settings\\Account Policies\\Password Policy\\Store passwords using reversible encryption - Enabled.
\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements – Enabled. | + +- **Min. Password Length** \[Type = UnicodeString\]: “\\Security Settings\\Account Policies\\Password Policy\\Minimum password length” group policy. Numeric value. + +- **Password History Length** \[Type = UnicodeString\]: “\\Security Settings\\Account Policies\\Password Policy\\Enforce password history” group policy. Numeric value. + +- **Machine Account Quota** \[Type = UnicodeString\]: [ms-DS-MachineAccountQuota](https://technet.microsoft.com/en-us/library/dd391926(v=ws.10).aspx) domain attribute was modified. Numeric value. + +- **Mixed Domain Mode** \[Type = UnicodeString\]: there is no information about this field in this document. + +- **Domain Behavior Version** \[Type = UnicodeString\]: [msDS-Behavior-Version](https://msdn.microsoft.com/en-us/library/cc223742.aspx) domain attribute was modified. Numeric value. Possible values: + +| Value | Identifier | Domain controller operating systems that are allowed in the domain | +|-------|---------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | DS\_BEHAVIOR\_WIN2000 | Windows 2000 Server operating system
Windows Server 2003 operating system
Windows Server 2008 operating system
Windows Server 2008 R2 operating system
Windows Server 2012 operating system
Windows Server 2012 R2 operating system
Windows Server 2016 Technical Preview operating system | +| 1 | DS\_BEHAVIOR\_WIN2003\_WITH\_MIXED\_DOMAINS | Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview | +| 2 | DS\_BEHAVIOR\_WIN2003 | Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview | +| 3 | DS\_BEHAVIOR\_WIN2008 | Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview | +| 4 | DS\_BEHAVIOR\_WIN2008R2 | Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview | +| 5 | DS\_BEHAVIOR\_WIN2012 | Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview | +| 6 | DS\_BEHAVIOR\_WIN2012R2 | Windows Server 2012 R2
Windows Server 2016 Technical Preview | +| 7 | DS\_BEHAVIOR\_WINTHRESHOLD | Windows Server 2016 Technical Preview | + +- **OEM Information** \[Type = UnicodeString\]: there is no information about this field in this document. + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below: + +| Privilege Name | User Right Group Policy Name | Description | +|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | +| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | +| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | + +## Security Monitoring Recommendations + +For 4739(S): Domain Policy was changed. + +- Any settings changes to “**Account Lockout Policy**”, “**Password Policy**”, or “**Network security: Force logoff when logon hours expire**”, plus any **domain functional level and attributes** changes that are reported by this event, must be monitored and an alert should be triggered. If this change was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4740.md b/windows/keep-secure/event-4740.md new file mode 100644 index 0000000000..7ab01449c8 --- /dev/null +++ b/windows/keep-secure/event-4740.md @@ -0,0 +1,121 @@ +--- +title: 4740(S) A user account was locked out. (Windows 10) +description: Describes security event 4740(S) A user account was locked out. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4740(S): A user account was locked out. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4740 illustration + +***Subcategory:*** [Audit User Account Management](audit-user-account-management.md) + +***Event Description:*** + +This event generates every time a user account is locked out. + +For user accounts, this event generates on domain controllers, member servers, and workstations. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4740 + 0 + 0 + 13824 + 0 + 0x8020000000000000 + + 175703 + + + Security + DC01.contoso.local + + +- + Auditor + WIN81 + S-1-5-21-3457937927-2839227994-823803824-2104 + S-1-5-18 + DC01$ + CONTOSO + 0x3e7 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that performed the lockout operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that performed the lockout operation. + +- **Account Domain** \[Type = UnicodeString\]**:** domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Account That Was Locked Out:** + +- **Security ID** \[Type = SID\]**:** SID of account that was locked out. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was locked out. + +**Additional Information:** + +- **Caller Computer Name** \[Type = UnicodeString\]**:** the name of computer account from which logon attempt was received and after which target account was locked out. For example: WIN81. + +## Security Monitoring Recommendations + +For 4740(S): A user account was locked out. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. 
+ +- If you have high-value domain or local accounts (for example, domain administrator accounts) for which you need to monitor every lockout, monitor all [4740](event-4740.md) events with the **“Account That Was Locked Out \\Security ID”** values that correspond to the accounts. + + + +- If you have a high-value domain or local account for which you need to monitor every change, monitor all [4740](event-4740.md) events with the **“Account That Was Locked Out \\Security ID”** that corresponds to the account. + +- If the user account **“Account That Was Locked Out\\Security ID”** should not be used (for authentication attempts) from the **Additional Information\\Caller Computer Name**, then trigger an alert. + +- Monitor for all [4740](event-4740.md) events where **Additional Information\\Caller Computer Name** is not from your domain. However, be aware that even if the computer is not in your domain you will get the computer name instead of an IP address in the [4740](event-4740.md) event. + diff --git a/windows/keep-secure/event-4741.md b/windows/keep-secure/event-4741.md new file mode 100644 index 0000000000..52d8a70a84 --- /dev/null +++ b/windows/keep-secure/event-4741.md @@ -0,0 +1,329 @@ +--- +title: 4741(S) A computer account was created. (Windows 10) +description: Describes security event 4741(S) A computer account was created. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4741(S): A computer account was created. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4741 illustration + +***Subcategory:*** [Audit Computer Account Management](audit-computer-account-management.md) + +***Event Description:*** + +This event generates every time a new computer object is created. + +This event generates only on domain controllers. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4741 + 0 + 0 + 13825 + 0 + 0x8020000000000000 + + 170254 + + + Security + DC01.contoso.local + + +- + WIN81$ + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-6116 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0xc88b2 + - + WIN81$ + - + - + - + - + - + - + - + 8/12/2015 11:41:39 AM + %%1794 + 515 + - + 0x0 + 0x80 + %%2087 + - + - + %%1793 + Win81.contoso.local + HOST/Win81.contoso.local RestrictedKrbHost/Win81.contoso.local HOST/WIN81 RestrictedKrbHost/WIN81 + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “create Computer object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create Computer object” operation. 
+ +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**New Computer Account:** + +- **Security ID** \[Type = SID\]**:** SID of created computer account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +- **Account Name** \[Type = UnicodeString\]**:** the name of the computer account that was created. For example: WIN81$ + +- **Account Domain** \[Type = UnicodeString\]**:** domain name of created computer account. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + +**Attributes:** + +- **SAM Account Name** \[Type = UnicodeString\]: logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of **sAMAccountName** attribute of new computer object. For example: WIN81$. + +- **Display Name** \[Type = UnicodeString\]: the value of **displayName** attribute of new computer object. It is a name displayed in the address book for a particular account (typically – user account). This is usually the combination of the user's first name, middle initial, and last name. For computer objects, it is optional, and typically is not set. 
You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. + +- **User Principal Name** \[Type = UnicodeString\]: internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. This parameter contains the value of **userPrincipalName** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. + +- **Home Directory** \[Type = UnicodeString\]: user's home directory. If **homeDrive** attribute is set and specifies a drive letter, **homeDirectory** should be a UNC path. The path must be a network UNC of the form \\\\Server\\Share\\Directory. This parameter contains the value of **homeDirectory** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. + +- **Home Drive** \[Type = UnicodeString\]**:** specifies the drive letter to which to map the UNC path specified by **homeDirectory** account’s attribute. The drive letter must be specified in the form “DRIVE\_LETTER:”. For example – “H:”. This parameter contains the value of **homeDrive** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. 
+ +- **Script Path** \[Type = UnicodeString\]**:** specifies the path of the account's logon script. This parameter contains the value of **scriptPath** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. + +- **Profile Path** \[Type = UnicodeString\]: specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. This parameter contains the value of **profilePath** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. + +- **User Workstations** \[Type = UnicodeString\]: contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the **sAMAccountName** property of a computer object. This parameter contains the value of **userWorkstations** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. + +- **Password Last Set** \[Type = UnicodeString\]**:** last time the account’s password was modified. For manually created computer account, using Active Directory Users and Computers snap-in, this field typically has value “**<never>”**. For computer account created during standard domain join procedure this field will contains time when computer object was created, because password creates during domain join procedure. 
For example: 8/12/2015 11:41:39 AM. This parameter contains the value of **pwdLastSet** attribute of new computer object. + +- **Account Expires** \[Type = UnicodeString\]: the date when the account expires. This parameter contains the value of **accountExpires** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. + +- **Primary Group ID** \[Type = UnicodeString\]: Relative Identifier (RID) of computer’s object primary group. + +> **Note**  **Relative identifier (RID)** is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a domain. + +Typically, **Primary Group** field for new computer accounts has the following values: + +- 516 (Domain Controllers) – for domain controllers. + +- 521 (Read-only Domain Controllers) – for read-only domain controllers (RODC). + +- 515 (Domain Computers) – for member servers and workstations. + + See this article for more information. This parameter contains the value of **primaryGroupID** attribute of new computer object. + + + +- **AllowedToDelegateTo** \[Type = UnicodeString\]: the list of SPNs to which this account can present delegated credentials. Can be changed using Active Directory Users and Computers management console in **Delegation** tab of computer account. Typically it is set to “**-“** for new computer objects. This parameter contains the value of **AllowedToDelegateTo** attribute of new computer object. See description of **AllowedToDelegateTo** field for “[4742](event-4742.md): A computer account was changed” event for more details. + +> **Note**  **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. 
If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. + +- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. **Old UAC value** always **“0x0”** for new computer accounts. This parameter contains the previous value of **userAccountControl** attribute of computer object. + +- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of **userAccountControl** attribute of new computer object. + +To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag. + +Here's an example: Flags value from event: 0x15 + +Decoding: + +• PASSWD\_NOTREQD 0x0020 + +• LOCKOUT 0x0010 + +• HOMEDIR\_REQUIRED 0x0008 + +• (undeclared) 0x0004 + +• ACCOUNTDISABLE 0x0002 + +• SCRIPT 0x0001 + +0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event + +0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5 + +0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 
0x5 - 0x4 = 0x1 + +0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event + +0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done. + +So this UAC flags value decodes to: LOCKOUT and SCRIPT + +- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. For new computer accounts, when the object for this account was created, the **userAccountControl** value was considered to be **“0x0”**, and then it was changed from **“0x0”** to the real value for the account's **userAccountControl** attribute. See possible values in the table below. In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4741 event. + +| Flag Name | userAccountControl in hexadecimal | userAccountControl in decimal | Description | User Account Control field text | +|-------------------------------------------------------------------------------|-----------------------------------|-------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------| +| SCRIPT | 0x0001 | 1 | The logon script will be run. | Changes of this flag do not show in 4741 events. | +| ACCOUNTDISABLE | 0x0002 | 2 | The user account is disabled. | Account Disabled
Account Enabled | +| Undeclared | 0x0004 | 4 | This flag is undeclared. | Changes of this flag do not show in 4741 events. | +| HOMEDIR\_REQUIRED | 0x0008 | 8 | The home folder is required. | 'Home Directory Required' - Enabled
'Home Directory Required' - Disabled | +| LOCKOUT | 0x0010 | 16 | | Changes of this flag do not show in 4741 events. | +| PASSWD\_NOTREQD | 0x0020 | 32 | No password is required. | 'Password Not Required' - Enabled
'Password Not Required' - Disabled | +| PASSWD\_CANT\_CHANGE | 0x0040 | 64 | The user cannot change the password. This is a permission on the user's object. | Changes of this flag do not show in 4741 events. | +| ENCRYPTED\_TEXT\_PWD\_ALLOWED | 0x0080 | 128 | The user can send an encrypted password.
Can be set using “Store password using reversible encryption” checkbox. | 'Encrypted Text Password Allowed' - Disabled
'Encrypted Text Password Allowed' - Enabled | +| TEMP\_DUPLICATE\_ACCOUNT | 0x0100 | 256 | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. | Cannot be set for computer account. | +| NORMAL\_ACCOUNT | 0x0200 | 512 | This is a default account type that represents a typical user. | 'Normal Account' - Disabled
'Normal Account' - Enabled | +| INTERDOMAIN\_TRUST\_ACCOUNT | 0x0800 | 2048 | This is a permit to trust an account for a system domain that trusts other domains. | Cannot be set for computer account. | +| WORKSTATION\_TRUST\_ACCOUNT | 0x1000 | 4096 | This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. | 'Workstation Trust Account' - Disabled
'Workstation Trust Account' - Enabled | +| SERVER\_TRUST\_ACCOUNT | 0x2000 | 8192 | This is a computer account for a domain controller that is a member of this domain. | 'Server Trust Account' - Enabled
'Server Trust Account' - Disabled | +| DONT\_EXPIRE\_PASSWORD | 0x10000 | 65536 | Represents the password, which should never expire on the account.
Can be set using “Password never expires” checkbox. | 'Don't Expire Password' - Disabled
'Don't Expire Password' - Enabled | +| MNS\_LOGON\_ACCOUNT | 0x20000 | 131072 | This is an MNS logon account. | 'MNS Logon Account' - Disabled
'MNS Logon Account' - Enabled | +| SMARTCARD\_REQUIRED | 0x40000 | 262144 | When this flag is set, it forces the user to log on by using a smart card. | 'Smartcard Required' - Disabled
'Smartcard Required' - Enabled | +| TRUSTED\_FOR\_DELEGATION | 0x80000 | 524288 | When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
If you enable Kerberos constraint or unconstraint delegation or disable these types of delegation in Delegation tab you will get this flag changed. | 'Trusted For Delegation' - Enabled
'Trusted For Delegation' - Disabled | +| NOT\_DELEGATED | 0x100000 | 1048576 | When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
Can be set using “Account is sensitive and cannot be delegated” checkbox. | 'Not Delegated' - Disabled
'Not Delegated' - Enabled | +| USE\_DES\_KEY\_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
Can be set using “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled
'Use DES Key Only' - Enabled | +| DONT\_REQ\_PREAUTH | 0x400000 | 4194304 | This account does not require Kerberos pre-authentication for logging on.
Can be set using “Do not require Kerberos preauthentication” checkbox. | 'Don't Require Preauth' - Disabled
'Don't Require Preauth' - Enabled | +| PASSWORD\_EXPIRED | 0x800000 | 8388608 | The user's password has expired. | Changes of this flag do not show in 4741 events. | +| TRUSTED\_TO\_AUTH\_FOR\_DELEGATION | 0x1000000 | 16777216 | The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
If you enable Kerberos protocol transition delegation or disable this type of delegation in Delegation tab you will get this flag changed. | 'Trusted To Authenticate For Delegation' - Disabled
'Trusted To Authenticate For Delegation' - Enabled | +| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000  | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. | + +> Table 7. User’s or Computer’s account UAC flags. + +- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see **<value changed, but not displayed>** in this field in “[4742](event-4742.md)(S): A computer account was changed.” This parameter might not be captured in the event, and in that case appears as “-”. + +- **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. This parameter contains the value of **sIDHistory** attribute of new computer object. This parameter might not be captured in the event, and in that case appears as “-”. + +- **Logon Hours** \[Type = UnicodeString\]: hours that the account is allowed to logon to the domain. The value of **logonHours** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. You will see **<value not set>** value for new created computer accounts in event 4741. + +- **DNS Host Name** \[Type = UnicodeString\]: name of computer account as registered in DNS. The value of **dNSHostName** attribute of new computer object. For manually created computer account objects this field has value “**-**“. + +- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. 
For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of **servicePrincipalName** attribute of new computer object. For manually created computer objects it is typically equals “**-**“. This is an example of **Service Principal Names** field for new domain joined workstation**:** + + HOST/Win81.contoso.local + + RestrictedKrbHost/Win81.contoso.local + + HOST/WIN81 + + RestrictedKrbHost/WIN81 + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below: + +| Privilege Name | User Right Group Policy Name | Description | +|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Delegation** setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | +| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | +| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | + +> Table 8. User Privileges. + +## Security Monitoring Recommendations + +For 4741(S): A computer account was created. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If your information security monitoring policy requires you to monitor computer account creation, monitor this event. + +- Consider whether to track the following fields and values: + +| **Field and value to track** | **Reason to track** | +|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **SAM Account Name**: empty or - | This field must contain the computer account name. If it is empty or **-**, it might indicate an anomaly. | +| **Display Name** is not -
**User Principal Name** is not -
**Home Directory** is not -
**Home Drive** is not -
**Script Path** is not -
**Profile Path** is not -
**User Workstations** is not -
**AllowedToDelegateTo** is not - | Typically these fields are **-** for new computer accounts. Other values might indicate an anomaly and should be monitored. | +| **Password Last Set** is **<never>** | This typically means this is a manually created computer account, which you might need to monitor. | +| **Account Expires** is not **<never>** | Typically this field is **<never>** for new computer accounts. Other values might indicate an anomaly and should be monitored. | +| **Primary Group ID** is any value other than 515. | Typically, the **Primary Group ID** value is one of the following:
**516** for domain controllers
**521** for read only domain controllers (RODCs)
**515** for servers and workstations (domain computers)
If the **Primary Group ID** is 516 or 521, it is a new domain controller or RODC, and the event should be monitored.
If the value is not 516, 521, or 515, it is not a typical value and should be monitored. | +| **Old UAC Value** is not 0x0 | Typically this field is **0x0** for new computer accounts. Other values might indicate an anomaly and should be monitored. | +| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. | +| **Logon Hours** value other than **<value not set>** | This should always be **<value not set>** for new computer accounts. | + +- Consider whether to track the following account control flags: + +| **User account control flag to track** | **Information about the flag** | +|--------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **'Encrypted Text Password Allowed'** – Enabled | Should not be set for computer accounts. By default, it will not be set, and it cannot be set in the account properties in Active Directory Users and Computers. | +| **'Server Trust Account'** – Enabled | Should be enabled **only** for domain controllers. | +| **'Don't Expire Password'** – Enabled | Should not be enabled for new computer accounts, because the password automatically changes every 30 days by default. For computer accounts, this flag cannot be set in the account properties in Active Directory Users and Computers. | +| **'Smartcard Required'** – Enabled | Should not be enabled for new computer accounts. | +| **'Trusted For Delegation'** – Enabled | Should not be enabled for new member servers and workstations. It is enabled by default for new domain controllers. | +| **'Not Delegated'** – Enabled | Should not be enabled for new computer accounts. | +| **'Use DES Key Only'** – Enabled | Should not be enabled for new computer accounts. 
For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers. | +| **'Don't Require Preauth'** – Enabled | Should not be enabled for new computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers. | +| **'Trusted To Authenticate For Delegation'** – Enabled | Should not be enabled for new computer accounts by default. | + diff --git a/windows/keep-secure/event-4742.md b/windows/keep-secure/event-4742.md new file mode 100644 index 0000000000..b09dba8333 --- /dev/null +++ b/windows/keep-secure/event-4742.md 
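Review bot: the placeholder values written as `**<never>**` and `**<value not set>**` in the fields-to-track table (Password Last Set, Account Expires and Logon Hours rows) will be read as HTML tags by a Markdown renderer and disappear from the output, leaving "Password Last Set is" with nothing after it; write them as `&lt;never&gt;` / `&lt;value not set&gt;` or put them in backticks. Same hunk, a style point: the cell running from **Display Name** is not - through **AllowedToDelegateTo** is not -, the three Primary Group ID lines (516, 521, 515) and the SeRestorePrivilege access-rights list (WRITE\_DAC through DELETE) each span several raw lines inside a pipe table as shown here, which breaks the row in most renderers; join them with `<br>` or commas so every row stays on one line.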
@@ -0,0 +1,295 @@ +--- +title: 4742(S) A computer account was changed. (Windows 10) +description: Describes security event 4742(S) A computer account was changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4742(S): A computer account was changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4742 illustration + +***Subcategory:*** [Audit Computer Account Management](audit-computer-account-management.md) + +***Event Description:*** + +This event generates every time a computer object is changed. + +This event generates only on domain controllers. + +You might see the same values for **Subject**\\**Security ID** and **Computer Account That Was Changed**\\**Security ID** in this event. This usually happens when you reboot a computer after adding it to the domain (the change takes effect after the reboot). + +For each change, a separate 4742 event will be generated. + +Some changes do not invoke a 4742 event, for example, changes made using Active Directory Users and Computers management console in **Managed By** tab in computer account properties. + +You might see this event without any changes inside, that is, where all **Changed Attributes** apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the **Description** of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4742 event will generate, but all attributes will be “-“. 
+ +***Important*:** If you manually change any user-related setting or attribute, for example if you set the SMARTCARD\_REQUIRED flag in **userAccountControl** for the computer account, then the **sAMAccountType** of the computer account will be changed to NORMAL\_USER\_ACCOUNT and you will get “[4738](event-4738.md): A user account was changed” instead of 4742 for this computer account. Essentially, the computer account will “become” a user account. For NORMAL\_USER\_ACCOUNT you will always get events from [Audit User Account Management](audit-user-account-management.md) subcategory. We strongly recommend that you avoid changing any user-related settings manually for computer objects. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4742 + 0 + 0 + 13825 + 0 + 0x8020000000000000 + + 171754 + + + Security + DC01.contoso.local + + +- + - + WIN81$ + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-6116 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x2e80c + - + - + - + - + - + - + - + - + - + - + - + - + %%1793 + 0x80 + 0x2080 + %%2093 + - + - + - + - + - + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “change Computer object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change Computer object” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Computer Account That Was Changed:** + +- **Security ID** \[Type = SID\]**:** SID of changed computer account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +- **Account Name** \[Type = UnicodeString\]**:** the name of the computer account that was changed. For example: WIN81$ + +- **Account Domain** \[Type = UnicodeString\]**:** domain name of changed computer account. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + +**Changed Attributes:** + +> **Note**  If attribute was not changed it will have “-“ value. + +- **SAM Account Name** \[Type = UnicodeString\]: logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). If the value of **sAMAccountName** attribute of computer object was changed, you will see the new value here. For example: WIN8$. + +- **Display Name** \[Type = UnicodeString\]: it is a name displayed in the address book for a particular account (typically – user account). This is usually the combination of the user's first name, middle initial, and last name. For computer objects, it is optional, and typically is not set. 
You can change this attribute by using Active Directory Users and Computers, or through a script, for example. If the value of **displayName** attribute of computer object was changed, you will see the new value here. + +- **User Principal Name** \[Type = UnicodeString\]: internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. If the value of **userPrincipalName** attribute of computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. + +- **Home Directory** \[Type = UnicodeString\]: user's home directory. If **homeDrive** attribute is set and specifies a drive letter, **homeDirectory** should be a UNC path. The path must be a network UNC of the form \\\\Server\\Share\\Directory. If the value of **homeDirectory** attribute of computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. + +- **Home Drive** \[Type = UnicodeString\]**:** specifies the drive letter to which to map the UNC path specified by **homeDirectory** account’s attribute. The drive letter must be specified in the form “DRIVE\_LETTER:”. For example – “H:”. If the value of **homeDrive** attribute of computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. + +- **Script Path** \[Type = UnicodeString\]**:** specifies the path of the account’s logon script. If the value of **scriptPath** attribute of computer object was changed, you will see the new value here. 
For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. + +- **Profile Path** \[Type = UnicodeString\]: specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. If the value of **profilePath** attribute of computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. + +- **User Workstations** \[Type = UnicodeString\]: contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the **sAMAccountName** property of a computer object. If the value of **userWorkstations** attribute of computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. + +- **Password Last Set** \[Type = UnicodeString\]**:** last time the account’s password was modified. If the value of **pwdLastSet** attribute of computer object was changed, you will see the new value here. For example: 8/12/2015 11:41:39 AM. This value will be changed, for example, after manual computer account reset action or automatically every 30 days by default for computer objects. + +- **Account Expires** \[Type = UnicodeString\]: the date when the account expires. If the value of **accountExpires** attribute of computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. 
+ +- **Primary Group ID** \[Type = UnicodeString\]: Relative Identifier (RID) of computer’s object primary group. + +> **Note**  **Relative identifier (RID)** is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a domain. + +This field will contain some value if computer’s object primary group was changed. You can change computer’s primary group using Active Directory Users and Computers management console in the **Member Of** tab of computer object properties. You will see a RID of new primary group as a field value. For example, 515 (Domain Computers) for workstations, is a default primary group. + +Typical **Primary Group** values for computer accounts: + +- 516 (Domain Controllers) – for domain controllers. + +- 521 (Read-only Domain Controllers) – read-only domain controllers (RODC). + +- 515 (Domain Computers) – servers and workstations. + + See this article for more information. If the value of **primaryGroupID** attribute of computer object was changed, you will see the new value here. + + + +- **AllowedToDelegateTo** \[Type = UnicodeString\]: the list of SPNs to which this account can present delegated credentials. Can be changed using Active Directory Users and Computers management console in **Delegation** tab of computer account. If the SPNs list on **Delegation** tab of a computer account was changed, you will see the new SPNs list in **AllowedToDelegateTo** field (note that you will see the new list instead of changes) of this event. This is an example of **AllowedToDelegateTo**: + + - dcom/WIN2012 + + - dcom/WIN2012.contoso.local + + If the value of **msDS-AllowedToDelegateTo** attribute of computer object was changed, you will see the new value here. + + The value can be **<value not set>**, for example, if delegation was disabled. 
+ +> **Note**  **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. + +- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of **userAccountControl** attribute of computer object. + +- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. If the value of **userAccountControl** attribute of computer object was changed, you will see the new value here. + +To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag. + +Here's an example: Flags value from event: 0x15 + +Decoding: + +• PASSWD\_NOTREQD 0x0020 + +• LOCKOUT 0x0010 + +• HOMEDIR\_REQUIRED 0x0008 + +• (undeclared) 0x0004 + +• ACCOUNTDISABLE 0x0002 + +• SCRIPT 0x0001 + +0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event + +0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5 + +0x4 < 0x5, so the undeclared value is set. 
We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1 + +0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event + +0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done. + +So this UAC flags value decodes to: LOCKOUT and SCRIPT + +- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. See possible values in here: “Table 7. User’s or Computer’s account UAC flags.”. In the “User Account Control field text” column, you can see text that will be displayed in the **User Account Control** field in 4742 event. + + + +- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see **<value changed, but not displayed>** in this field. + +- **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. If the value of **sIDHistory** attribute of computer object was changed, you will see the new value here. + +- **Logon Hours** \[Type = UnicodeString\]: hours that the account is allowed to logon to the domain. If the value of **logonHours** attribute of computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. + +- **DNS Host Name** \[Type = UnicodeString\]: name of computer account as registered in DNS. If the value of **dNSHostName** attribute of computer object was changed, you will see the new value here. 
+ + + +- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. If the SPN list of a computer account changed, you will see the new SPN list in **Service Principal Names** field (note that you will see the new list instead of changes). If the value of **servicePrincipalName** attribute of computer object was changed, you will see the new value here. + + Here is an example of **Service Principal Names** field for new domain joined workstation in event 4742 on domain controller, after workstation reboots**:** + + HOST/Win81.contoso.local + + RestrictedKrbHost/Win81.contoso.local + + HOST/WIN81 + + RestrictedKrbHost/WIN81 + +TERMSRV/Win81.contoso.local + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”. + +## Security Monitoring Recommendations + +For 4742(S): A computer account was changed. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have critical domain computer accounts (database servers, domain controllers, administration workstations, and so on) for which you need to monitor each change, monitor this event with the **“Computer Account That Was Changed\\Security ID”** that corresponds to the high-value account or accounts. + +- If you have computer accounts for which any change in the services list on the **Delegation** tab should be monitored, monitor this event when **AllowedToDelegateTo** is not -. This value means the services list was changed. 
+ +- Consider whether to track the following fields and values: + +| **Field and value to track** | **Reason to track** | +|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Display Name** is not -
**User Principal Name** is not -
**Home Directory** is not -
**Home Drive** is not -
**Script Path** is not -
**Profile Path** is not -
**User Workstations** is not -
**Account Expires** is not -
**Logon Hours** is not **-** | Typically these fields are **-** for computer accounts. Other values might indicate an anomaly and should be monitored. | +| **Password Last Set** changes occur more often than usual | Changes that are more frequent than the default (typically once a month) might indicate an anomaly or attack. | +| **Primary Group ID** is not 516, 521, or 515 | Typically, the **Primary Group ID** value is one of the following:
**516** for domain controllers
**521** for read only domain controllers (RODCs)
**515** for servers and workstations (domain computers)
Other values should be monitored. | +| For computer accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set> ** | If **AllowedToDelegateTo** is marked **<value not set>** on computers that previously had a services list (on the **Delegation** tab), it means the list was cleared. | +| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. | + +- Consider whether to track the following account control flags: + +| **User account control flag to track** | **Information about the flag** | +|---------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **'Password Not Required'** – Enabled | Should not be set for computer accounts. Computer accounts typically require a password by default, except manually created computer objects. | +| **'Encrypted Text Password Allowed'** – Enabled | Should not be set for computer accounts. By default, it will not be set, and it cannot be set in the account properties in Active Directory Users and Computers. | +| **'Server Trust Account'** – Enabled | Should be enabled **only** for domain controllers. | +| **'Server Trust Account'** – Disabled | Should **not** be disabled for domain controllers. | +| **'Don't Expire Password'** – Enabled | Should not be enabled for computer accounts, because the password automatically changes every 30 days by default. For computer accounts, this flag cannot be set in the account properties in Active Directory Users and Computers. 
| +| **'Smartcard Required'** – Enabled | Should not be enabled for computer accounts. | +| **'Trusted For Delegation'** – Enabled | Means that Kerberos Constraint or Unconstraint delegation was enabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. | +| **'Trusted For Delegation'** – Disabled | Means that Kerberos Constraint or Unconstraint delegation was disabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
Also, if you have a list of computer accounts for which delegation is critical and should not be disabled, monitor this for those accounts. | +| **'Trusted To Authenticate For Delegation'** – Enabled | Means that Protocol Transition delegation was enabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. | +| **'Trusted To Authenticate For Delegation'** – Disabled | Means that Protocol Transition delegation was disabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
Also, if you have a list of computer accounts for which delegation is critical and should not be disabled, monitor this for those accounts. | +| **'Not Delegated'** – Enabled | Means that **Account is sensitive and cannot be delegated** was selected for the computer account. For computer accounts, this flag cannot be set using the graphical interface. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. | +| **'Use DES Key Only'** – Enabled | Should not be enabled for computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers. | +| **'Don't Require Preauth'** - Enabled | Should not be enabled for computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers. | + diff --git a/windows/keep-secure/event-4743.md b/windows/keep-secure/event-4743.md new file mode 100644 index 0000000000..42f7e90f14 --- /dev/null +++ b/windows/keep-secure/event-4743.md @@ -0,0 +1,118 @@ +--- +title: 4743(S) A computer account was deleted. (Windows 10) +description: Describes security event 4743(S) A computer account was deleted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4743(S): A computer account was deleted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4743 illustration + +***Subcategory:*** [Audit Computer Account Management](audit-computer-account-management.md) + +***Event Description:*** + +This event generates every time a computer object is deleted. + +This event generates only on domain controllers. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4743 + 0 + 0 + 13825 + 0 + 0x8020000000000000 + + 172103 + + + Security + DC01.contoso.local + + +- + COMPUTERACCOUNT$ + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-6118 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x3007b + - + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete Computer object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete Computer object” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Target Computer:** + +- **Security ID** \[Type = SID\]**:** SID of deleted computer account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +- **Account Name** \[Type = UnicodeString\]**:** the name of the computer account that was deleted. For example: WIN81$ + +- **Account Domain** \[Type = UnicodeString\]**:** domain name of deleted computer account. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”. + +## Security Monitoring Recommendations + +For 4743(S): A computer account was deleted. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). 
+ +- If you have critical domain computer accounts (database servers, domain controllers, administration workstations, and so on) for which you need to monitor each action (especially deletion), monitor this event with the **“Target Computer\\Security ID”** or “**Target Computer\\Account Name**” that corresponds to the high-value account or accounts. + diff --git a/windows/keep-secure/event-4749.md b/windows/keep-secure/event-4749.md new file mode 100644 index 0000000000..321a4a3e52 --- /dev/null +++ b/windows/keep-secure/event-4749.md @@ -0,0 +1,128 @@ +--- +title: 4749(S) A security-disabled global group was created. (Windows 10) +description: Describes security event 4749(S) A security-disabled global group was created. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4749(S): A security-disabled global group was created. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4749 illustration + +***Subcategory:*** [Audit Distribution Group Management](audit-distribution-group-management.md) + +***Event Description:*** + +This event generates every time a new security-disabled (distribution) global group was created. + +This event generates only on domain controllers. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4749 + 0 + 0 + 13827 + 0 + 0x8020000000000000 + + 172181 + + + Security + DC01.contoso.local + + +- + ServiceDesk + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-6119 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x3007b + - + ServiceDesk + - + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “create group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create group” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Group:** + +- **Security ID** \[Type = SID\]**:** SID of created group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event. + +- **Group Name** \[Type = UnicodeString\]**:** the name of the group that was created. For example: ServiceDesk + +- **Group Domain** \[Type = UnicodeString\]**:** domain name of created group. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + +**Attributes:** + +- **SAM Account Name** \[Type = UnicodeString\]: This is a name of new group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of **sAMAccountName** attribute of new group object. For example: ServiceDesk + +- **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. This parameter contains the value of **sIDHistory** attribute of new group object. This parameter might not be captured in the event, and in that case appears as “-”. 
+ +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”. + +## Security Monitoring Recommendations + +For 4749(S): A security-disabled global group was created. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you need to monitor each time a new distribution group is created, to see who created the group and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed. + +- If your organization has naming conventions for account names, monitor “**Attributes\\SAM Account Name”** for names that don’t comply with the naming conventions. + diff --git a/windows/keep-secure/event-4750.md b/windows/keep-secure/event-4750.md new file mode 100644 index 0000000000..17f5d8eb84 --- /dev/null +++ b/windows/keep-secure/event-4750.md 
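Review bot: the Event Description in event-4749.md mixes tenses ("generates every time a new security-disabled (distribution) global group was created"); use "is created" so it reads like the other new event pages. In the last recommendation bullet the bold/quote nesting in “**Attributes\\SAM Account Name”** is the reverse of the **“Subject\\Security ID”** form used elsewhere in this patch; keep the quotes inside the bold consistently. Minor: the Privileges sentence ends with a doubled period ("User Privileges.”.") and the same string recurs in every new file here.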
@@ -0,0 +1,148 @@ +--- +title: 4750(S) A security-disabled global group was changed. (Windows 10) +description: Describes security event 4750(S) A security-disabled global group was changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4750(S): A security-disabled global group was changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4750 illustration + +***Subcategory:*** [Audit Distribution Group Management](audit-distribution-group-management.md) + +***Event Description:*** + +This event generates every time security-disabled (distribution) global group is changed. + +This event generates only on domain controllers. + +Some changes do not invoke a 4750 event, for example, changes made using the Active Directory Users and Computers management console in **Managed By** tab in group account properties. + +If you change the name of the group (SAM Account Name), you also get “[4781](event-4781.md): The name of an account was changed” if “[Audit User Account Management](audit-user-account-management.md)” subcategory success auditing is enabled. + +If you change the group type, you get a change event from the new group type auditing subcategory instead of 4750. If you need to monitor for group type changes, it is better to monitor for “[4764](event-4764.md): A group’s type was changed.” These events are generated for any group type when group type is changed. “[Audit Security Group Management](audit-security-group-management.md)” subcategory success auditing must be enabled. + +From 4750 event you can get information about changes of **sAMAccountName** and **sIDHistory** attributes or you will see that something changed, but will not be able to see what exactly changed. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4750 + 0 + 0 + 13827 + 0 + 0x8020000000000000 + + 172188 + + + Security + DC01.contoso.local + + +- + ServiceDeskMain + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-6119 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x3007b + - + ServiceDeskMain + - + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “change group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change group” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Group:** + +- **Security ID** \[Type = SID\]**:** SID of changed group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  Sometimes you can see the **Group\\Security ID** field contains an old group name in Event Viewer (as you can see in the event example). That happens because Event Viewer caches names for SIDs that it has already resolved for the current session. + +> **Note**  **Security ID** field has the same value as new group name (**Changed Attributes>SAM Account Name**). That is happens because event is generated after name was changed and SID resolves to the new name. It is always better to use SID instead of group names for queries or filtering of events, because you will know for sure that this the right object you are looking for or want to monitor. + +- **Group Name** \[Type = UnicodeString\]**:** the name of the group that was changed. For example: ServiceDesk + +- **Group Domain** \[Type = UnicodeString\]**:** domain name of changed group. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - [Built-in groups](https://technet.microsoft.com/en-us/library/dn169025(v=ws.10).aspx): Builtin + +**Changed Attributes:** + +> **Note**  If attribute was not changed it will have “-“ value. + +> **Note**  You might see a 4750 event without any changes inside, that is, where all **Changed Attributes** appear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the Description of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4750 event will generate, but all attributes will be “-“. + +- **SAM Account Name** \[Type = UnicodeString\]: This is a new name of changed group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). If the value of **sAMAccountName** attribute of group object was changed, you will see the new value here. For example: ServiceDesk. + +- **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. If the value of **sIDHistory** attribute of group object was changed, you will see the new value here. + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. 
This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”. + +## Security Monitoring Recommendations + +For 4750(S): A security-disabled global group was changed. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have a list of critical distribution groups in the organization, and need to specifically monitor these groups for any change, monitor events with the “**Group\\Group Name”** values that correspond to the critical distribution groups. + +- If you need to monitor each time a member is added to a distribution group, to see who added the member and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed. + +- If your organization has naming conventions for account names, monitor “**Attributes\\SAM Account Name”** for names that don’t comply with the naming conventions. + diff --git a/windows/keep-secure/event-4751.md b/windows/keep-secure/event-4751.md new file mode 100644 index 0000000000..ea37165fce --- /dev/null +++ b/windows/keep-secure/event-4751.md 
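Review bot: the second recommendation bullet in event-4750.md ("If you need to monitor each time a member is added to a distribution group ... monitor this event") does not fit this event: 4750 carries no Member field (its Field Descriptions list only Subject, Group, Changed Attributes and Additional Information), and the 4751 page in this same patch says a membership addition raises 4751 with a preceding 4750 "without any changes in it". Point that bullet at 4751 or drop it. The third bullet refers to “Attributes\\SAM Account Name”, but on this page the section is named "Changed Attributes". Also: the Group Name and SAM Account Name descriptions say "For example: ServiceDesk" while the XML sample shows ServiceDeskMain; "every time security-disabled (distribution) global group is changed" is missing "a"; and "That is happens because event is generated after name was changed" should read "That happens because the event is generated after the name was changed".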
@@ -0,0 +1,161 @@ +--- +title: 4751(S) A member was added to a security-disabled global group. (Windows 10) +description: Describes security event 4751(S) A member was added to a security-disabled global group. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4751(S): A member was added to a security-disabled global group. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4751 illustration + +***Subcategory:*** [Audit Distribution Group Management](audit-distribution-group-management.md) + +***Event Description:*** + +This event generates every time a new member was added to a security-disabled (distribution) global group. + +This event generates only on domain controllers. + +For every added member you will get separate 4751 event. + +You will typically see “[4750](event-4750.md): A security-disabled global group was changed.” event without any changes in it prior to 4751 event. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4751 + 0 + 0 + 13827 + 0 + 0x8020000000000000 + + 172221 + + + Security + DC01.contoso.local + + +- + CN=Auditor,CN=Users,DC=contoso,DC=local + S-1-5-21-3457937927-2839227994-823803824-2104 + ServiceDeskSecond + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-6119 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x3007b + - + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “add member to the group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “add member to the group” operation. + + + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Member:** + +- **Security ID** \[Type = SID\]**:** SID of account that was added to the group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event. + +- **Account Name** \[Type = UnicodeString\]: distinguished name of account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”. + +> **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. + +> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: + +> • DC - domainComponent + +> • CN - commonName + +> • OU - organizationalUnitName + +> • O - organizationName + +**Group:** + +- **Security ID** \[Type = SID\]**:** SID of the group to which new member was added. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event. + +- **Group Name** \[Type = UnicodeString\]**:** the name of the group to which new member was added. 
For example: ServiceDesk + + + +- **Group Domain** \[Type = UnicodeString\]**:** domain name of the group to which new member was added. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - [Built-in groups](https://technet.microsoft.com/en-us/library/dn169025(v=ws.10).aspx): Builtin + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”. + +## Security Monitoring Recommendations + +For 4751(S): A member was added to a security-disabled global group. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Addition of members to distribution groups:** You might need to monitor the addition of members to distribution groups. | If you need to monitor each time a member is added to a distribution group, to see who added the member and when, monitor this event.
Typically, this event is used as an informational event, to be reviewed if needed. | +| **High-value distribution groups:** You might have a list of critical distribution groups in the organization, and need to specifically monitor these groups for the addition of new members (or for other changes). | Monitor this event with the “**Group\\Group Name”** values that correspond to the high-value distribution groups. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). 
| Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4752.md b/windows/keep-secure/event-4752.md new file mode 100644 index 0000000000..28d38b44a5 --- /dev/null +++ b/windows/keep-secure/event-4752.md @@ -0,0 +1,152 @@ +--- +title: 4752(S) A member was removed from a security-disabled global group. (Windows 10) +description: Describes security event 4752(S) A member was removed from a security-disabled global group. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4752(S): A member was removed from a security-disabled global group. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4752 illustration + +***Subcategory:*** [Audit Distribution Group Management](audit-distribution-group-management.md) + +***Event Description:*** + +This event generates every time member was removed from the security-disabled (distribution) global group. + +This event generates only on domain controllers. + +For every removed member you will get separate 4752 event. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4752 + 0 + 0 + 13827 + 0 + 0x8020000000000000 + + 172229 + + + Security + DC01.contoso.local + + +- + CN=Auditor,CN=Users,DC=contoso,DC=local + S-1-5-21-3457937927-2839227994-823803824-2104 + ServiceDeskSecond + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-6119 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x3007b + - + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “remove member from the group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “remove member from the group” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Member:** + +- **Security ID** \[Type = SID\]**:** SID of account that was removed from the group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event. + +- **Account Name** \[Type = UnicodeString\]: distinguished name of account that was removed from the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”. + +> **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. + +> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: + +> • DC - domainComponent + +> • CN - commonName + +> • OU - organizationalUnitName + +> • O - organizationName + +**Group:** + +- **Security ID** \[Type = SID\]**:** SID of the group from which the member was removed. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event. + +- **Group Name** \[Type = UnicodeString\]**:** the name of the group from which the member was removed. 
For example: ServiceDesk + +- **Group Domain** \[Type = UnicodeString\]**:** domain name of the group from which the member was removed. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - [Built-in groups](https://technet.microsoft.com/en-us/library/dn169025(v=ws.10).aspx): Builtin + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”. + +## Security Monitoring Recommendations + +For 4752(S): A member was removed from a security-disabled global group. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Removal of members from distribution groups:** You might need to monitor the removal of members from distribution groups. | If you need to monitor each time a member is removed from a distribution group, to see who removed the member and when, monitor this event.
Typically, this event is used as an informational event, to be reviewed if needed. | +| **High-value distribution groups:** You might have a list of critical distribution groups in the organization, and need to specifically monitor these groups for the removal of members (or for other changes). | Monitor this event with the “**Group\\Group Name”** values that correspond to the high-value distribution groups. | +| **Distribution groups with required members**: You might need to ensure that for certain distribution groups, particular members are never removed. | Monitor this event with the “**Group\\Group Name”** that corresponds to the group of interest, and the **“Member\\Security ID”** of the members who should not be removed. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). 
| Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4753.md b/windows/keep-secure/event-4753.md new file mode 100644 index 0000000000..5cc018f286 --- /dev/null +++ b/windows/keep-secure/event-4753.md @@ -0,0 +1,124 @@ +--- +title: 4753(S) A security-disabled global group was deleted. (Windows 10) +description: Describes security event 4753(S) A security-disabled global group was deleted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4753(S): A security-disabled global group was deleted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4753 illustration + +***Subcategory:*** [Audit Distribution Group Management](audit-distribution-group-management.md) + +***Event Description:*** + +This event generates every time security-disabled (distribution) global group is deleted. + +This event generates only on domain controllers. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4753 + 0 + 0 + 13827 + 0 + 0x8020000000000000 + + 172230 + + + Security + DC01.contoso.local + + +- + ServiceDeskSecond + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-6119 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x3007b + - + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete group” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Group:** + +- **Security ID** \[Type = SID\]**:** SID of deleted group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event. + +- **Group Name** \[Type = UnicodeString\]**:** the name of the group that was deleted. For example: ServiceDesk + +- **Group Domain** \[Type = UnicodeString\]**:** domain name of deleted group. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - [Built-in groups](https://technet.microsoft.com/en-us/library/dn169025(v=ws.10).aspx): Builtin + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”. + +## Security Monitoring Recommendations + +For 4753(S): A security-disabled global group was deleted. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). 
+ +- If you have a list of critical distribution groups in the organization, and need to specifically monitor these groups for any change, especially group deletion, monitor events with the “**Group\\Group Name”** values that correspond to the critical distribution groups. + +- If you need to monitor each time a distribution group is deleted, to see who deleted it and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed. + + + diff --git a/windows/keep-secure/event-4764.md b/windows/keep-secure/event-4764.md new file mode 100644 index 0000000000..e5bcc13c9a --- /dev/null +++ b/windows/keep-secure/event-4764.md @@ -0,0 +1,142 @@ +--- +title: 4764(S) A group's type was changed. (Windows 10) +description: Describes security event 4764(S) A group’s type was changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4764(S): A group’s type was changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + +Event 4764 illustration + +***Subcategory:*** [Audit Security Group Management](audit-security-group-management.md) + +***Event Description:*** + +This event generates every time group’s type is changed. + +This event generates for both security and distribution groups. + +This event generates only on domain controllers. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4764 + 0 + 0 + 13826 + 0 + 0x8020000000000000 + + 175221 + + + Security + DC01.contoso.local + + +- + Security Enabled Local Group Changed to Security Disabled Local Group. + CompanyAuditors + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-6608 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x38200 + - + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “change group type” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change group type” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Change Type** \[Type = UnicodeString\]**:** contains three parts: “<Param1> **Changed To** <Param2>.”. These two parameters can have the following values (they cannot have the same value at the same time): + +- Security Disabled Local Group + +- Security Disabled Universal Group + +- Security Disabled Global Group + +- Security Enabled Local Group + +- Security Enabled Universal Group + +- Security Enabled Global Group + +**Group:** + +- **Security ID** \[Type = SID\]**:** SID of changed group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event. + +- **Group Name** \[Type = UnicodeString\]**:** the name of the group, which type was changed. For example: ServiceDesk + +- **Group Domain** \[Type = UnicodeString\]: domain or computer name of the changed group. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For a local group, this field will contain the name of the computer to which this new group belongs, for example: “Win81”. 
+ + - [Built-in groups](https://technet.microsoft.com/en-us/library/dn169025(v=ws.10).aspx): Builtin + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”. + +## Security Monitoring Recommendations + +For 4764(S): A group’s type was changed. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have a list of critical local or domain groups in the organization, and need to specifically monitor these groups for any change, especially group type change, monitor events with the “**Group\\Group Name”** values that correspond to the critical distribution groups. Examples of critical local or domain groups are built-in local administrators group, domain admins, enterprise admins, critical distribution groups, and so on. + +- If you need to monitor each time any group’s type is changed, to see who changed it and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed. + diff --git a/windows/keep-secure/event-4765.md b/windows/keep-secure/event-4765.md new file mode 100644 index 0000000000..f1bc1a4995 --- /dev/null +++ b/windows/keep-secure/event-4765.md 
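Review bot: In event-4764.md the first Security Monitoring Recommendations bullet opens with "critical local or domain groups" but closes with "monitor events with the “Group\Group Name” values that correspond to the critical distribution groups", which reads as a carry-over from the distribution-group pages; since this event "generates for both security and distribution groups", the closing phrase should be "the critical groups" (or repeat "critical local or domain groups"). Two smaller consistency points in the same file: under Group, the Group Domain bullet says "the computer to which this new group belongs", but nothing is created by a type change, so drop "new"; and the Change Type description shows the separator as "Changed To" while the sample XML reads "Security Enabled Local Group Changed to Security Disabled Local Group.", so the description should use the casing of the actual event text.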
@@ -0,0 +1,69 @@ +--- +title: 4765(S) SID History was added to an account. (Windows 10) +description: Describes security event 4765(S) SID History was added to an account. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4765(S): SID History was added to an account. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates when [SID History](https://msdn.microsoft.com/en-us/library/ms679833(v=vs.85).aspx) was added to an account. + +See more information about SID History here: . + +There is no example of this event in this document. + +***Subcategory:*** [Audit User Account Management](audit-user-account-management.md) + +***Event Schema:*** + +*SID History was added to an account.* + +*Subject:* + +> *Security ID:%6* +> +> *Account Name:%7* +> +> *Account Domain:%8* +> +> *Logon ID:%9* + +*Target Account:* + +> *Security ID:%5* +> +> *Account Name:%3* +> +> *Account Domain:%4* + +*Source Account:* + +> *Security ID:%2* +> +> *Account Name:%1* + +*Additional Information:* + +> *Privileges:%10* +> +> *SID List:%11* + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-4766.md b/windows/keep-secure/event-4766.md new file mode 100644 index 0000000000..b3d0a00060 --- /dev/null +++ b/windows/keep-secure/event-4766.md 
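Review bot: In event-4765.md the sentence "See more information about SID History here: ." has no link target after the colon and will render as a dangling colon and period; either restore the URL or remove the sentence, since the first paragraph already links "SID History" to the MSDN page. The Security Monitoring Recommendations section also says only "There is no recommendation for this event in this document.", whereas the other new pages in this change (4753, 4764, 4767) at least carry the "For this event, also see Appendix A: Security monitoring recommendations for many audit events" pointer; adding the same pointer here keeps the pages consistent and gives the reader somewhere to go, with the Subject, Target Account and "SID List:%11" fields from the schema being the values they would review.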
@@ -0,0 +1,65 @@ +--- +title: 4766(F) An attempt to add SID History to an account failed. (Windows 10) +description: Describes security event 4766(F) An attempt to add SID History to an account failed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4766(F): An attempt to add SID History to an account failed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates when an attempt to add [SID History](https://msdn.microsoft.com/en-us/library/ms679833(v=vs.85).aspx) to an account failed. + +See more information about SID History here: . + +There is no example of this event in this document. + +***Subcategory:*** [Audit User Account Management](audit-user-account-management.md) + +***Event Schema:*** + +*An attempt to add SID History to an account failed.* + +*Subject:* + +> *Security ID:-* +> +> *Account Name:%5* +> +> *Account Domain:%6* +> +> *Logon ID:%7* + +*Target Account:* + +> *Security ID:%4* +> +> *Account Name:%2* +> +> *Account Domain:%3* + +*Source Account:* + +> *Account Name:%1* + +*Additional Information:* + +> *Privileges:%8* + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-4767.md b/windows/keep-secure/event-4767.md new file mode 100644 index 0000000000..a189b84db0 --- /dev/null +++ b/windows/keep-secure/event-4767.md 
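Review bot: In event-4766.md the same empty link as in the 4765 page appears, "See more information about SID History here: .", with no URL after the colon; restore the target or drop the sentence, since the "SID History" link in the preceding paragraph already covers it. Two schema details differ from 4765 and deserve a sentence in the text: under Subject, "Security ID:-" is a literal dash rather than a parameter, and Source Account carries only "Account Name:%1" with no Security ID, so a reader correlating the success and failure events should be told that these fields are not populated in the failure case.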
@@ -0,0 +1,117 @@ +--- +title: 4767(S) A user account was unlocked. (Windows 10) +description: Describes security event 4767(S) A user account was unlocked. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4767(S): A user account was unlocked. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4767 illustration + +***Subcategory:*** [Audit User Account Management](audit-user-account-management.md) + +***Event Description:*** + +This event generates every time a user account is unlocked. + +For user accounts, this event generates on domain controllers, member servers, and workstations. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4767 + 0 + 0 + 13824 + 0 + 0x8020000000000000 + + 175705 + + + Security + DC01.contoso.local + + +- + Auditor + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-2104 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x30d5f + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that performed the unlock operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that performed the unlock operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Target Account:** + +- **Security ID** \[Type = SID\]**:** SID of account that was unlocked. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was unlocked. + +- **Account Domain** \[Type = UnicodeString\]**:** target account’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +## Security Monitoring Recommendations + +For 4767(S): A user account was unlocked. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- We recommend monitoring all [4767](event-4767.md) events for local accounts. + diff --git a/windows/keep-secure/event-4768.md b/windows/keep-secure/event-4768.md new file mode 100644 index 0000000000..edcc1952bc 
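Review bot: In event-4767.md the only recommendation is "We recommend monitoring all 4767 events for local accounts.", yet the description says the event "generates on domain controllers, member servers, and workstations" and the sample XML itself shows a domain account (CONTOSO\Auditor) being unlocked on DC01.contoso.local; the recommendation should either say why domain accounts are left out or add guidance for high-value domain accounts keyed on "Target Account\Security ID", matching the "High-value accounts" rows the group-management pages in this same change provide. As a minor point, the sample XML lists the Target fields before the Subject fields while Field Descriptions documents Subject first; stating that the field order in the rendered event differs from the XML would save readers from assuming a mismatch.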
--- /dev/null +++ b/windows/keep-secure/event-4768.md @@ -0,0 +1,342 @@ +--- +title: 4768(S, F) A Kerberos authentication ticket (TGT) was requested. (Windows 10) +description: Describes security event 4768(S, F) A Kerberos authentication ticket (TGT) was requested. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4768(S, F): A Kerberos authentication ticket (TGT) was requested. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4768 illustration + +***Subcategory:*** [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) + +***Event Description:*** + +This event generates every time Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). + +This event generates only on domain controllers. + +If TGT issue fails then you will see Failure event with **Result Code** field not equal to “**0x0**”. + +This event doesn't generate for **Result Codes**: 0x10, 0x17 and 0x18. Event “[4771](event-4771.md): Kerberos pre-authentication failed.” generates instead. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4768 + 0 + 0 + 14339 + 0 + 0x8020000000000000 + + 166747 + + + Security + DC01.contoso.local + + +- + dadmin + CONTOSO.LOCAL + S-1-5-21-3457937927-2839227994-823803824-1104 + krbtgt + S-1-5-21-3457937927-2839227994-823803824-502 + 0x40810010 + 0x0 + 0x12 + 15 + ::ffff:10.0.0.12 + 49273 + contoso-DC01-CA-1 + 1D0000000D292FBE3C6CDDAFA200020000000D + 564DFAEE99C71D62ABC553E695BD8DBC46669413 + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Account Information:** + +- **Account Name** \[Type = UnicodeString\]**:** the name of account, for which (TGT) ticket was requested. Computer account name ends with **$** character. + + - User account example: dadmin + + - Computer account example: WIN81$ + +- **Supplied Realm Name** \[Type = UnicodeString\]**:** the name of the Kerberos Realm that **Account Name** belongs to. This can appear in a variety of formats, including the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + +> **Note**  A **Kerberos Realm** is a set of managed nodes that share the same Kerberos database. The Kerberos database resides on the Kerberos master computer system, which should be kept in a physically secure room. Active Directory domain is the example of Kerberos Realm in the Microsoft Windows Active Directory world. + +- **User ID** \[Type = SID\]**:** SID of account for which (TGT) ticket was requested. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + + For example: CONTOSO\\dadmin or CONTOSO\\WIN81$. + + - **NULL SID** – this value shows in [4768](event-4768.md) Failure events. 
+ +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +**Service Information:** + +- **Service Name** \[Type = UnicodeString\]: the name of the service in the Kerberos Realm to which TGT request was sent. Typically has value “**krbtgt”** for TGT requests, which means Ticket Granting Ticket issuing service. + + - For Failure events **Service Name** typically has the following format: **krbtgt/REALM\_NAME**. For example: krbtgt/CONTOSO. + +- **Service ID** \[Type = SID\]**:** SID of the service account in the Kerberos Realm to which TGT request was sent. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + + Domain controllers have a specific service account (**krbtgt**) that is used by the [Key Distribution Center](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378170(v=vs.85).aspx) (KDC) service to issue Kerberos tickets. It has a built-in, pre-defined SID: S-1-5-21-[DOMAIN\_IDENTIFIER](https://technet.microsoft.com/en-us/library/cc962011.aspx)-502. + + - **NULL SID** – this value shows in [4768](event-4768.md) Failure events. 
+ +**Network Information:** + +- **Client Address** \[Type = UnicodeString\]**:** IP address of the computer from which the TGT request was received. Formats vary, and include the following: + + - **IPv6** or **IPv4** address. + + - **::ffff:IPv4\_address**. + + - **::1** - localhost. + +- **Client Port** \[Type = UnicodeString\]: source port number of client network connection (TGT request connection). + + - 0 for local (localhost) requests. + +**Additional information:** + +- **Ticket Options** \[Type = HexInt32\]: this is a set of different ticket flags in hexadecimal format. + + Example: + + - Ticket Options: 0x40810010 + + - Binary view: 01000000100000010000000000010000 + + - Using **MSB 0** bit numbering we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok. + +> **Note**  In the table below **“MSB 0”** bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from left.
MSB illustration + +The most common values: + +- 0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok + +- 0x40810000 - Forwardable, Renewable, Canonicalize + +- 0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok + +| Bit | Flag Name | Description | +|-------|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | Reserved | - | +| 1 | Forwardable | (TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT. | +| 2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT. | +| 3 | Proxiable | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT. | +| 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. | +| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | +| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). 
| +| 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set. | +| 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. | +| 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. | +| 10 | Pre-authent | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon. | +| 11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC. | +| 12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag. | +| 13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation. | +| 14 | Request-anonymous | KILE not use this flag. | +| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. | +| 16-25 | Unused | - | +| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. 
Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor
the DISABLE-TRANSITED-CHECK option.
Should not be in use, because Transited-policy-checked flag is not supported by KILE. | +| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. | +| 28 | Enc-tkt-in-skey | No information. | +| 29 | Unused | - | +| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in it’s renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header. | +| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE. | + +> Table 2. Kerberos ticket flags. + +> **Note**  [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) **(Microsoft Kerberos Protocol Extension)** – Kerberos protocol extensions used in Microsoft operating systems. These extensions provide additional capability for authorization information including group memberships, interactive logon information, and integrity levels. + +- **Result Code** \[Type = HexInt32\]**:** hexadecimal result code of TGT issue operation. The “Table 3. TGT/TGS issue error codes.” contains the list of the most common error codes for this event. 
+ +| Code | Code Name | Description | Possible causes | +|------------------------------------------------------------|----------------------------------------|-----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x0 | KDC\_ERR\_NONE | No error | No errors were found. | +| 0x1 | KDC\_ERR\_NAME\_EXP | Client's entry in KDC database has expired | No information. | +| 0x2 | KDC\_ERR\_SERVICE\_EXP | Server's entry in KDC database has expired | No information. | +| 0x3 | KDC\_ERR\_BAD\_PVNO | Requested Kerberos version number not supported | No information. | +| 0x4 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key | No information. | +| 0x5 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key | No information. | +| 0x6 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database | The username doesn’t exist. | +| 0x7 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database | This error can occur if the domain controller cannot find the server’s name in Active Directory. This error is similar to KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN except that it occurs when the server name cannot be found. | +| 0x8 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in KDC database | This error occurs if duplicate principal names exist. 
Unique principal names are crucial for ensuring mutual authentication. Thus, duplicate principal names are strictly forbidden, even across multiple realms. Without unique principal names, the client has no way of ensuring that the server it is communicating with is the correct one. | +| 0x9 | KDC\_ERR\_NULL\_KEY | The client or server has a null key (master key) | No master key was found for client or server. Usually it means that administrator should reset the password on the account. | +| 0xA | KDC\_ERR\_CANNOT\_POSTDATE | Ticket (TGT) not eligible for postdating | This error can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a ticket’s start time be set into the future.
It also can occur if there is a time difference between the client and the KDC. | +| 0xB | KDC\_ERR\_NEVER\_VALID | Requested start time is later than end time | There is a time difference between the KDC and the client. | +| 0xC | KDC\_ERR\_POLICY | Requested start time is later than end time | This error is usually the result of logon restrictions in place on a user’s account. For example workstation restriction, smart card authentication requirement or logon time restriction. | +| 0xD | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | Impending expiration of a TGT.
The SPN to which the client is attempting to delegate credentials is not in its Allowed-to-delegate-to list | +| 0xE | KDC\_ERR\_ETYPE\_NOTSUPP | KDC has no support for encryption type | In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. | +| 0xF | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | The KDC, server, or client receives a packet for which it does not have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket. | +| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | +| 0x11 | KDC\_ERR\_TRTYPE\_NO\_SUPP | KDC has no support for transited type | No information. | +| 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Client’s credentials have been revoked | This might be because of an explicit disabling or because of other restrictions in place on the account. For example: account disabled, expired, or locked out. | +| 0x13 | KDC\_ERR\_SERVICE\_REVOKED | Credentials for server have been revoked | No information. | +| 0x14 | KDC\_ERR\_TGT\_REVOKED | TGT has been revoked | Since the remote KDC may change its PKCROSS key while there are PKCROSS tickets still active, it SHOULD cache the old PKCROSS keys until the last issued PKCROSS ticket expires. Otherwise, the remote KDC will respond to a client with a KRB-ERROR message of type KDC\_ERR\_TGT\_REVOKED. See [RFC1510](https://www.ietf.org/proceedings/49/I-D/draft-ietf-cat-kerberos-pk-cross-07.txt) for more details. | +| 0x15 | KDC\_ERR\_CLIENT\_NOTYET | Client not yet valid—try again later | No information. | +| 0x16 | KDC\_ERR\_SERVICE\_NOTYET | Server not yet valid—try again later | No information. | +| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The user’s password has expired.
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | +| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided.
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | +| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB\_AS\_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way. | +| 0x1A | KDC\_ERR\_SERVER\_NOMATCH | KDC does not know about the requested server | No information. | +| 0x1B | KDC\_ERR\_SVC\_UNAVAILABLE | KDC is unavailable | No information. | +| 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | The authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise. | +| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message. | +| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized.
If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. | +| 0x22 | KRB\_AP\_ERR\_REPEAT | The request is a replay | This error indicates that a specific authenticator showed up twice — the KDC has detected that this session ticket duplicates one that it has already received. | +| 0x23 | KRB\_AP\_ERR\_NOT\_US | The ticket is not for us | The server has received a ticket that was meant for a different realm. | +| 0x24 | KRB\_AP\_ERR\_BADMATCH | The ticket and authenticator do not match | The KRB\_TGS\_REQ is being sent to the wrong KDC.
There is an account mismatch during protocol transition. | +| 0x25 | KRB\_AP\_ERR\_SKEW | The clock skew is too great | This error is logged if a client computer sends a timestamp whose value differs from that of the server’s timestamp by more than the number of minutes found in the “Maximum tolerance for computer clock synchronization” setting in Kerberos policy. | +| 0x26 | KRB\_AP\_ERR\_BADADDR | Network address in network layer header doesn't match address inside ticket | Session tickets MAY include the addresses from which they are valid. This error can occur if the address of the computer sending the ticket is different from the valid address in the ticket. A possible cause of this could be an Internet Protocol (IP) address change. Another possible cause is when a ticket is passed through a proxy server or NAT. The client is unaware of the address scheme used by the proxy server, so unless the program caused the client to request a proxy server ticket with the proxy server's source address, the ticket could be invalid. | +| 0x27 | KRB\_AP\_ERR\_BADVERSION | Protocol version numbers don't match (PVNO) | When an application receives a KRB\_SAFE message, it verifies it. If any error occurs, an error code is reported for use by the application.
The message is first checked by verifying that the protocol version and type fields match the current version and KRB\_SAFE, respectively. A mismatch generates a KRB\_AP\_ERR\_BADVERSION.
See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details. | +| 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Message type is unsupported | This message is generated when target server finds that message format is wrong. This applies to KRB\_AP\_REQ, KRB\_SAFE, KRB\_PRIV and KRB\_CRED messages.
This error also generated if use of UDP protocol is being attempted with User-to-User authentication. | +| 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified and checksum didn't match | The authentication data was encrypted with the wrong key for the intended server.
The authentication data was modified in transit by a hardware or software error, or by an attacker.
The client sent the authentication data to the wrong server because incorrect DNS data caused the client to send the request to the wrong server.
The client sent the authentication data to the wrong server because DNS data was out-of-date on the client. | +| 0x2A | KRB\_AP\_ERR\_BADORDER | Message out of order (possible tampering) | This event generates for KRB\_SAFE and KRB\_PRIV messages if an incorrect sequence number is included, or if a sequence number is expected but not present. See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details. | +| 0x2C | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. If the key version indicated by the Ticket in the KRB\_AP\_REQ is not one the server can use (e.g., it indicates an old key, and the server no longer possesses a copy of the old key), the KRB\_AP\_ERR\_BADKEYVER error is returned. | +| 0x2D | KRB\_AP\_ERR\_NOKEY | Service key not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. Because it is possible for the server to be registered in multiple realms, with different keys in each, the realm field in the unencrypted portion of the ticket in the KRB\_AP\_REQ is used to specify which secret key the server should use to decrypt that ticket. The KRB\_AP\_ERR\_NOKEY error code is returned if the server doesn't have the proper key to decipher the ticket. | +| 0x2E | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed | No information. | +| 0x2F | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction | No information. | +| 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required | According [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) this error message is obsolete. | +| 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message | No information. 
| +| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) | When KDC receives KRB\_TGS\_REQ message it decrypts it, and after that, the user-supplied checksum in the Authenticator MUST be verified against the contents of the request. The message MUST be rejected either if the checksums do not match (with an error code of KRB\_AP\_ERR\_MODIFIED) or if the checksum is not collision-proof (with an error code of KRB\_AP\_ERR\_INAPP\_CKSUM). | +| 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Desired path is unreachable | No information. | +| 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Too much data | The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails. | +| 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.
Multiple recent password changes have not propagated.
Crypto subsystem error caused by running out of memory.
SPN too long.
SPN has too many parts. | +| 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | Each request (KRB\_KDC\_REQ) and response (KRB\_KDC\_REP or KRB\_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that does not understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB\_ERR\_FIELD\_TOOLONG and MUST close the TCP stream. | +| 0x3E | KDC\_ERR\_CLIENT\_NOT\_TRUSTED | The client trust failed or is not implemented | This typically happens when user’s smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) is not trusted by the domain controller. | +| 0x3F | KDC\_ERR\_KDC\_NOT\_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client does not possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC\_ERR\_KDC\_NOT\_TRUSTED. See [RFC1510](https://www.ietf.org/proceedings/50/I-D/cat-kerberos-pk-init-13.txt) for more details. | +| 0x40 | KDC\_ERR\_INVALID\_SIG | The signature is invalid | This error is related to PKINIT. If a PKI trust relationship exists, the KDC then verifies the client's signature on AuthPack (TGT request signature). If that fails, the KDC returns an error message of type KDC\_ERR\_INVALID\_SIG. | +| 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | A higher encryption level is needed | If the clientPublicValue field is filled in, indicating that the client wishes to use Diffie-Hellman key agreement, then the KDC checks to see that the parameters satisfy its policy. 
If they do not (e.g., the prime size is insufficient for the expected encryption type), then the KDC sends back an error message of type KDC\_ERR\_KEY\_TOO\_WEAK. | +| 0x42 | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED | User-to-user authorization is required | In the case that the client application doesn't know that a service requires user-to-user authentication, and requests and receives a conventional KRB\_AP\_REP, the client will send the KRB\_AP\_REP request, and the server will respond with a KRB\_ERROR token as described in [RFC1964](https://tools.ietf.org/html/rfc1964), with a msg-type of KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED. | +| 0x43 | KRB\_AP\_ERR\_NO\_TGT | No TGT was presented or available | In user-to-user authentication if the service does not possess a ticket granting ticket, it should return the error KRB\_AP\_ERR\_NO\_TGT. | +| 0x44 | KDC\_ERR\_WRONG\_REALM | Incorrect domain or principal | Although this error rarely occurs, it occurs when a client presents a cross-realm TGT to a realm other than the one specified in the TGT. Typically, this results from incorrectly configured DNS. | + +> Table 3. TGT/TGS issue error codes. + +- **Ticket Encryption Type** \[Type = HexInt32\]: the cryptographic suite that was used for issued TGT. + + + +## Table 4. Kerberos encryption types + +| Type | Type Name | Description | +|-----------------------------------------------------------------|-------------------------|-----------------------------------------------------------------------------------| +| 0x1 | DES-CBC-CRC | Disabled by default starting from Windows 7 and Windows Server 2008 R2. | +| 0x3 | DES-CBC-MD5 | Disabled by default starting from Windows 7 and Windows Server 2008 R2. | +| 0x11 | AES128-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista. | +| 0x12 | AES256-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista. 
| +| 0x17 | RC4-HMAC | Default suite for operating systems before Windows Server 2008 and Windows Vista. | +| 0x18 | RC4-HMAC-EXP | Default suite for operating systems before Windows Server 2008 and Windows Vista. | +| 0xFFFFFFFF or 0xffffffff | - | This type shows in Audit Failure events. | + + +- **Pre-Authentication Type** \[Type = UnicodeString\]: the code number of [pre-Authentication](https://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx) type which was used in TGT request. + + +## Table 5. Kerberos Pre-Authentication types. + +| Type | Type Name | Description | +|------------------------------------------------------------------------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | - | Logon without Pre-Authentication. | +| 2 | PA-ENC-TIMESTAMP | This is a normal type for standard password authentication. | +| 11 | PA-ETYPE-INFO | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment. | +| 15 | PA-PK-AS-REP\_OLD | Used for Smart Card logon authentication. | +| 17 | PA-PK-AS-REP | This type should also be used for Smart Card authentication, but in certain Active Directory environments, it is never seen. | +| 19 | PA-ETYPE-INFO2 | The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment. | +| 20 | PA-SVR-REFERRAL-INFO | Used in KDC Referrals tickets. | +| 138 | PA-ENCRYPTED-CHALLENGE | Logon using Kerberos Armoring (FAST). Supported starting from Windows Server 2012 domain controllers and Windows 8 clients. | +| - | | This type shows in Audit Failure events. | + +**Certificate Information:** + +- **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of the Certification Authority that issued the smart card certificate. Populated in **Issued by** field in certificate. + +- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate’s serial number. Can be found in **Serial number** field in the certificate. + +- **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate’s thumbprint. Can be found in **Thumbprint** field in the certificate. + +## Security Monitoring Recommendations + +For 4768(S, F): A Kerberos authentication ticket (TGT) was requested. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“User ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“User ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“User ID”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“User ID”** for accounts that are outside the whitelist. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Supplied Realm Name”** corresponding to another domain or “external” location. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**User ID”** for names that don’t comply with naming conventions. | + +- You can track all [4768](event-4768.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges. 
+ +- If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4768](event-4768.md) events. If **Client Address** is not from the whitelist, generate the alert. + +- All **Client Address** = ::1 means local authentication. If you know the list of accounts which should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = ::1 and **Account Name** is not allowed to log on to any domain controller. + +- All [4768](event-4768.md) events with **Client Port** field value > 0 and < 1024 should be examined, because a well-known port was used for outbound connection. + +- Also consider monitoring the fields shown in the following table, to discover the issues listed: + +| **Field** | **Issue to discover** | +|-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Certificate Issuer Name** | Certification authority name is not from your PKI infrastructure. | +| **Certificate Issuer Name** | Certification authority name is not authorized to issue smart card authentication certificates. | +| **Pre-Authentication Type** | Value is **0**, which means that pre-authentication was not used. All accounts should use Pre-Authentication, except accounts configured with “Do not require Kerberos preauthentication,” which is a security risk. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). | +| **Pre-Authentication Type** | Value is **not 15** when account must use a smart card for authentication. For more information, see [Table 5. 
Kerberos Pre-Authentication types](#kerberos-preauthentication-types). | +| **Pre-Authentication Type** | Value is **not 2** when only standard password authentication is in use in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). | +| **Pre-Authentication Type** | Value is **not 138** when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). | +| **Ticket Encryption Type** | Value is **0x1** or **0x3**, which means the DES algorithm was used. DES should not be in use, because of low security and known vulnerabilities. It is disabled by default starting from Windows 7 and Windows Server 2008 R2. For more information, see [Table 4. Kerberos encryption types](#kerberos-encryption-types). | +| **Ticket Encryption Type** | Starting with Windows Vista and Windows Server 2008, monitor for values **other than 0x11 and 0x12**. These are the expected values, starting with these operating systems, and represent AES-family algorithms. For more information, see [Table 4. Kerberos encryption types](#kerberos-encryption-types). | +| **Result Code** | **0x6** (The username doesn't exist), if you see, for example N events in last N minutes. This can be an indicator of account enumeration attack, especially for highly critical accounts. | +| **Result Code** | **0x7** (Server not found in Kerberos database). This error can occur if the domain controller cannot find the server's name in Active Directory. | +| **Result Code** | **0x8** (Multiple principal entries in KDC database). This will help you to find duplicate SPNs faster. | +| **Result Code** | **0x9** (The client or server has a null key (master key)). This error can help you to identify problems with Kerberos authentication faster. | +| **Result Code** | **0xA** (Ticket (TGT) not eligible for postdating). 
Microsoft systems should not request postdated tickets. These events could help identify anomaly activity. | +| **Result Code** | **0xC** (Requested start time is later than end time), if you see, for example N events in last N minutes. This can be an indicator of an account compromise attempt, especially for highly critical accounts. | +| **Result Code** | **0xE** (KDC has no support for encryption type). In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. Monitor for these events because this should not happen in a standard Active Directory environment. | +| **Result Code** | **0xF** (KDC has no support for checksum type). Monitor for these events because this should not happen in a standard Active Directory environment. | +| **Result Code** | **0x12** (Client's credentials have been revoked), if you see, for example N events in last N minutes. This can be an indicator of anomaly activity or brute-force attack, especially for highly critical accounts. | +| **Result Code** | **0x1F** (Integrity check on decrypted field failed). The authenticator was encrypted with something other than the session key. The result is that the KDC cannot decrypt the TGT. The modification of the message could be the result of an attack or it could be because of network noise. | +| **Result Code** | **0x22** (The request is a replay). This error indicates that a specific authenticator showed up twice—the KDC has detected that this session ticket duplicates one that it has already received. It could be a sign of attack attempt. | +| **Result Code** | **0x29** (Message stream modified and checksum didn't match). The authentication data was encrypted with the wrong key for the intended server. The authentication data was modified in transit by a hardware or software error, or by an attacker. Monitor for these events because this should not happen in a standard Active Directory environment. | +| **Result Code** | **0x3C** (Generic error). 
This error can help you more quickly identify problems with Kerberos authentication. | +| **Result Code** | **0x3E** (The client trust failed or is not implemented). This error helps you identify logon attempts with revoked certificates and the situations when the root Certification Authority that issued the smart card certificate (through a chain) is not trusted by a domain controller. | +| **Result Code** | **0x3F**, **0x40**, **0x41** errors. These errors can help you more quickly identify smart-card related problems with Kerberos authentication. | + diff --git a/windows/keep-secure/event-4769.md b/windows/keep-secure/event-4769.md new file mode 100644 index 0000000000..ecb3b28900 --- /dev/null +++ b/windows/keep-secure/event-4769.md @@ -0,0 +1,287 @@ +--- +title: 4769(S, F) A Kerberos service ticket was requested. (Windows 10) +description: Describes security event 4769(S, F) A Kerberos service ticket was requested. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4769(S, F): A Kerberos service ticket was requested. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4769 illustration + +***Subcategory:*** [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md) + +***Event Description:*** + +This event generates every time Key Distribution Center gets a Kerberos Ticket Granting Service (TGS) ticket request. + +This event generates only on domain controllers. + +If TGS issue fails then you will see Failure event with **Failure Code** field not equal to “**0x0**”. + +You will typically see many Failure events with **Failure Code** “**0x20**”, which simply means that a TGS ticket has expired. These are informational messages and have little to no security relevance. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + +4769 +0 +0 +14337 +0 +0x8020000000000000 + +166746 + + +Security +DC01.contoso.local + + +- +dadmin@CONTOSO.LOCAL +CONTOSO.LOCAL +WIN2008R2$ +S-1-5-21-3457937927-2839227994-823803824-2102 +0x40810000 +0x12 +::ffff:10.0.0.12 +49272 +0x0 +{F85C455E-C66E-205C-6B39-F6C60A7FE453} +- + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Account Information:** + +- **Account Name** \[Type = UnicodeString\]**:** the User Principal Name (UPN) of the account that requested the ticket. Computer account name ends with **$** character in UPN. This field typically has the following value format: user\_account\_name@FULL\_DOMAIN\_NAME. + + - User account example: dadmin@CONTOSO.LOCAL + + - Computer account example: WIN81$@CONTOSO.LOCAL + + This parameter in this event is optional and can be empty in some cases. + +- **Account Domain** \[Type = UnicodeString\]**:** the name of the Kerberos Realm that **Account Name** belongs to. This can appear in a variety of formats, including the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + This parameter in this event is optional and can be empty in some cases. + +- **Logon GUID** \[Type = GUID\]: a GUID that can help you correlate this event (on a domain controller) with other events (on the target computer for which the TGS was issued) that can contain the same **Logon GUID**. These events are “[4624](event-4624.md): An account was successfully logged on”, “[4648](event-4648.md)(S): A logon was attempted using explicit credentials” and “[4964](event-4964.md)(S): Special groups have been assigned to a new logon.” + + This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”. 
+ +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +**Service Information:** + +- **Service Name** \[Type = UnicodeString\]: the name of the account or computer for which the TGS ticket was requested. + + - This parameter in this event is optional and can be empty in some cases. + +- **Service ID** \[Type = SID\]**:** SID of the account or computer object for which the TGS ticket was requested. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + + - **NULL SID** – this value shows in Failure events. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +**Network Information:** + +- **Client Address** \[Type = UnicodeString\]**:** IP address of the computer from which the TGS request was received. Formats vary, and include the following: + + - **IPv6** or **IPv4** address. + + - **::ffff:IPv4\_address**. + + - **::1** - localhost. + +- **Client Port** \[Type = UnicodeString\]: source port number of client network connection (TGS request connection). + + - 0 for local (localhost) requests. 
+ +**Additional information:** + +- **Ticket Options**: \[Type = HexInt32\]: this is a set of different Ticket Flags in hexadecimal format. + + Example: + + - Ticket Options: 0x40810010 + + - Binary view: 01000000100000010000000000010000 + + - Using **MSB 0** bit numbering we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok. + +> **Note**  In the table below **“MSB 0”** bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from left.
MSB illustration + +The most common values: + +- 0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok + +- 0x40810000 - Forwardable, Renewable, Canonicalize + +- 0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok + +| Bit | Flag Name | Description | +|-------|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | Reserved | - | +| 1 | Forwardable | (TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT. | +| 2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT. | +| 3 | Proxiable | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT. | +| 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. | +| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | +| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). 
| +| 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set. | +| 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. | +| 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. | +| 10 | Pre-authent | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon. | +| 11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC. | +| 12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag. | +| 13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation. | +| 14 | Request-anonymous | KILE not use this flag. | +| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. | +| 16-25 | Unused | - | +| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. 
Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor
the DISABLE-TRANSITED-CHECK option.
Should not be in use, because Transited-policy-checked flag is not supported by KILE. | +| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. | +| 28 | Enc-tkt-in-skey | No information. | +| 29 | Unused | - | +| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header. | +| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE. +## Table 4. Kerberos encryption types | + +- **Ticket Encryption Type**: \[Type = HexInt32\]: the cryptographic suite that was used for issued TGS. + +| Type | Type Name | Description | +|--------------------------|-------------------------|-----------------------------------------------------------------------------------| +| 0x1 | DES-CBC-CRC | Disabled by default starting from Windows 7 and Windows Server 2008 R2. | +| 0x3 | DES-CBC-MD5 | Disabled by default starting from Windows 7 and Windows Server 2008 R2. | +| 0x11 | AES128-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista. | +| 0x12 | AES256-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista. 
| +| 0x17 | RC4-HMAC | Default suite for operating systems before Windows Server 2008 and Windows Vista. | +| 0x18 | RC4-HMAC-EXP | Default suite for operating systems before Windows Server 2008 and Windows Vista. | +| 0xFFFFFFFF or 0xffffffff | - | This type shows in Audit Failure events. | + +- **Failure Code** \[Type = HexInt32\]**:** hexadecimal result code of TGS issue operation. The table below contains the list of the most common error codes for this event: + +| Code | Code Name | Description | Possible causes | +|------|----------------------------------------|-----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x0 | KDC\_ERR\_NONE | No error | No errors were found. | +| 0x1 | KDC\_ERR\_NAME\_EXP | Client's entry in KDC database has expired | No information. | +| 0x2 | KDC\_ERR\_SERVICE\_EXP | Server's entry in KDC database has expired | No information. | +| 0x3 | KDC\_ERR\_BAD\_PVNO | Requested Kerberos version number not supported | No information. | +| 0x4 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key | No information. | +| 0x5 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key | No information. | +| 0x6 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database | The username doesn’t exist. 
| +| 0x7 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database | This error can occur if the domain controller cannot find the server’s name in Active Directory. This error is similar to KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN except that it occurs when the server name cannot be found. | +| 0x8 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in KDC database | This error occurs if duplicate principal names exist. Unique principal names are crucial for ensuring mutual authentication. Thus, duplicate principal names are strictly forbidden, even across multiple realms. Without unique principal names, the client has no way of ensuring that the server it is communicating with is the correct one. | +| 0x9 | KDC\_ERR\_NULL\_KEY | The client or server has a null key (master key) | No master key was found for client or server. Usually it means that administrator should reset the password on the account. | +| 0xA | KDC\_ERR\_CANNOT\_POSTDATE | Ticket (TGT) not eligible for postdating | This error can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a ticket’s start time be set into the future.
It also can occur if there is a time difference between the client and the KDC. | +| 0xB | KDC\_ERR\_NEVER\_VALID | Requested start time is later than end time | There is a time difference between the KDC and the client. | +| 0xC | KDC\_ERR\_POLICY | Requested start time is later than end time | This error is usually the result of logon restrictions in place on a user’s account. For example workstation restriction, smart card authentication requirement or logon time restriction. | +| 0xD | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | Impending expiration of a TGT.
The SPN to which the client is attempting to delegate credentials is not in its Allowed-to-delegate-to list | +| 0xE | KDC\_ERR\_ETYPE\_NOTSUPP | KDC has no support for encryption type | In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. | +| 0xF | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | The KDC, server, or client receives a packet for which it does not have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket. | +| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | +| 0x11 | KDC\_ERR\_TRTYPE\_NO\_SUPP | KDC has no support for transited type | No information. | +| 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Client’s credentials have been revoked | This might be because of an explicit disabling or because of other restrictions in place on the account. For example: account disabled, expired, or locked out. | +| 0x13 | KDC\_ERR\_SERVICE\_REVOKED | Credentials for server have been revoked | No information. | +| 0x14 | KDC\_ERR\_TGT\_REVOKED | TGT has been revoked | Since the remote KDC may change its PKCROSS key while there are PKCROSS tickets still active, it SHOULD cache the old PKCROSS keys until the last issued PKCROSS ticket expires. Otherwise, the remote KDC will respond to a client with a KRB-ERROR message of type KDC\_ERR\_TGT\_REVOKED. See [RFC1510](https://www.ietf.org/proceedings/49/I-D/draft-ietf-cat-kerberos-pk-cross-07.txt) for more details. | +| 0x15 | KDC\_ERR\_CLIENT\_NOTYET | Client not yet valid—try again later | No information. | +| 0x16 | KDC\_ERR\_SERVICE\_NOTYET | Server not yet valid—try again later | No information. | +| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The user’s password has expired.
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | +| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided.
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | +| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB\_AS\_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way. | +| 0x1A | KDC\_ERR\_SERVER\_NOMATCH | KDC does not know about the requested server | No information. | +| 0x1B | KDC\_ERR\_SVC\_UNAVAILABLE | KDC is unavailable | No information. | +| 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | The authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise. | +| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message. | +| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized.
If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. | +| 0x22 | KRB\_AP\_ERR\_REPEAT | The request is a replay | This error indicates that a specific authenticator showed up twice — the KDC has detected that this session ticket duplicates one that it has already received. | +| 0x23 | KRB\_AP\_ERR\_NOT\_US | The ticket is not for us | The server has received a ticket that was meant for a different realm. | +| 0x24 | KRB\_AP\_ERR\_BADMATCH | The ticket and authenticator do not match | The KRB\_TGS\_REQ is being sent to the wrong KDC.
There is an account mismatch during protocol transition. | +| 0x25 | KRB\_AP\_ERR\_SKEW | The clock skew is too great | This error is logged if a client computer sends a timestamp whose value differs from that of the server’s timestamp by more than the number of minutes found in the “Maximum tolerance for computer clock synchronization” setting in Kerberos policy. | +| 0x26 | KRB\_AP\_ERR\_BADADDR | Network address in network layer header doesn't match address inside ticket | Session tickets MAY include the addresses from which they are valid. This error can occur if the address of the computer sending the ticket is different from the valid address in the ticket. A possible cause of this could be an Internet Protocol (IP) address change. Another possible cause is when a ticket is passed through a proxy server or NAT. The client is unaware of the address scheme used by the proxy server, so unless the program caused the client to request a proxy server ticket with the proxy server's source address, the ticket could be invalid. | +| 0x27 | KRB\_AP\_ERR\_BADVERSION | Protocol version numbers don't match (PVNO) | When an application receives a KRB\_SAFE message, it verifies it. If any error occurs, an error code is reported for use by the application.
The message is first checked by verifying that the protocol version and type fields match the current version and KRB\_SAFE, respectively. A mismatch generates a KRB\_AP\_ERR\_BADVERSION.
See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details. | +| 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Message type is unsupported | This message is generated when target server finds that message format is wrong. This applies to KRB\_AP\_REQ, KRB\_SAFE, KRB\_PRIV and KRB\_CRED messages.
This error also generated if use of UDP protocol is being attempted with User-to-User authentication. | +| 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified and checksum didn't match | The authentication data was encrypted with the wrong key for the intended server.
The authentication data was modified in transit by a hardware or software error, or by an attacker.
The client sent the authentication data to the wrong server because incorrect DNS data caused the client to send the request to the wrong server.
The client sent the authentication data to the wrong server because DNS data was out-of-date on the client. | +| 0x2A | KRB\_AP\_ERR\_BADORDER | Message out of order (possible tampering) | This event generates for KRB\_SAFE and KRB\_PRIV messages if an incorrect sequence number is included, or if a sequence number is expected but not present. See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details. | +| 0x2C | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. If the key version indicated by the Ticket in the KRB\_AP\_REQ is not one the server can use (e.g., it indicates an old key, and the server no longer possesses a copy of the old key), the KRB\_AP\_ERR\_BADKEYVER error is returned. | +| 0x2D | KRB\_AP\_ERR\_NOKEY | Service key not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. Because it is possible for the server to be registered in multiple realms, with different keys in each, the realm field in the unencrypted portion of the ticket in the KRB\_AP\_REQ is used to specify which secret key the server should use to decrypt that ticket. The KRB\_AP\_ERR\_NOKEY error code is returned if the server doesn't have the proper key to decipher the ticket. | +| 0x2E | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed | No information. | +| 0x2F | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction | No information. | +| 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required | According [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) this error message is obsolete. | +| 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message | No information. 
| +| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) | When KDC receives KRB\_TGS\_REQ message it decrypts it, and after the user-supplied checksum in the Authenticator MUST be verified against the contents of the request, and the message MUST be rejected if the checksums do not match (with an error code of KRB\_AP\_ERR\_MODIFIED) or if the checksum is not collision-proof (with an error code of KRB\_AP\_ERR\_INAPP\_CKSUM). | +| 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Desired path is unreachable | No information. | +| 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Too much data | The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails. | +| 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.
Multiple recent password changes have not propagated.
Crypto subsystem error caused by running out of memory.
SPN too long.
SPN has too many parts. | +| 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | Each request (KRB\_KDC\_REQ) and response (KRB\_KDC\_REP or KRB\_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that does not understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB\_ERR\_FIELD\_TOOLONG and MUST close the TCP stream. | +| 0x3E | KDC\_ERR\_CLIENT\_NOT\_TRUSTED | The client trust failed or is not implemented | This typically happens when user’s smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) is not trusted by the domain controller. | +| 0x3F | KDC\_ERR\_KDC\_NOT\_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client does not possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC\_ERR\_KDC\_NOT\_TRUSTED. See [RFC1510](https://www.ietf.org/proceedings/50/I-D/cat-kerberos-pk-init-13.txt) for more details. | +| 0x40 | KDC\_ERR\_INVALID\_SIG | The signature is invalid | This error is related to PKINIT. If a PKI trust relationship exists, the KDC then verifies the client's signature on AuthPack (TGT request signature). If that fails, the KDC returns an error message of type KDC\_ERR\_INVALID\_SIG. | +| 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | A higher encryption level is needed | If the clientPublicValue field is filled in, indicating that the client wishes to use Diffie-Hellman key agreement, then the KDC checks to see that the parameters satisfy its policy. 
If they do not (e.g., the prime size is insufficient for the expected encryption type), then the KDC sends back an error message of type KDC\_ERR\_KEY\_TOO\_WEAK. | +| 0x42 | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED | User-to-user authorization is required | In the case that the client application doesn't know that a service requires user-to-user authentication, and requests and receives a conventional KRB\_AP\_REP, the client will send the KRB\_AP\_REP request, and the server will respond with a KRB\_ERROR token as described in [RFC1964](https://tools.ietf.org/html/rfc1964), with a msg-type of KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED. | +| 0x43 | KRB\_AP\_ERR\_NO\_TGT | No TGT was presented or available | In user-to-user authentication if the service does not possess a ticket granting ticket, it should return the error KRB\_AP\_ERR\_NO\_TGT. | +| 0x44 | KDC\_ERR\_WRONG\_REALM | Incorrect domain or principal | Although this error rarely occurs, it occurs when a client presents a cross-realm TGT to a realm other than the one specified in the TGT. Typically, this results from incorrectly configured DNS. | + +- **Transited Services** \[Type = UnicodeString\]: this field contains list of SPNs which were requested if Kerberos delegation was used. + +> **Note**  **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. + +## Security Monitoring Recommendations + +For 4769(S, F): A Kerberos service ticket was requested. 
+ +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Account Information\\Account Name”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Account Information\\Account Name”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Account Information\\Account Name”** that corresponds to the accounts that should never be used. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Account Information\\Account Domain”** corresponding to another domain or “external” location. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Account Information\\Account Name”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**User ID”** for names that don’t comply with naming conventions. 
| + +- If you know that **Account Name** should never request any tickets for (that is, never get access to) a particular computer account or service account, monitor for [4769](event-4769.md) events with the corresponding **Account Name** and **Service ID** fields. + +- You can track all [4769](event-4769.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges. + +- If you know that **Account Name** should be able to request tickets (should be used) only from a known whitelist of IP addresses, track all **Client Address** values for this **Account Name** in [4769](event-4769.md) events. If **Client Address** is not from your whitelist of IP addresses, generate the alert. + +- All **Client Address** = ::1 means local TGS requests, which means that the **Account Name** logged on to a domain controller before making the TGS request. If you have a whitelist of accounts allowed to log on to domain controllers, monitor events with **Client Address** = ::1 and any **Account Name** outside the whitelist. + +- All [4769](event-4769.md) events with **Client Port** field value > 0 and < 1024 should be examined, because a well-known port was used for outbound connection. + +- Monitor for a **Ticket Encryption Type** of **0x1** or **0x3**, which means the DES algorithm was used. DES should not be in use, because of low security and known vulnerabilities. It is disabled by default starting from Windows 7 and Windows Server 2008 R2. + +- Starting with Windows Vista and Windows Server 2008, monitor for a **Ticket Encryption Type** other than **0x11 and 0x12**. These are the expected values, starting with these operating systems, and represent AES-family algorithms. + +- If you have a list of important **Failure Codes**, monitor for these codes. + diff --git a/windows/keep-secure/event-4770.md b/windows/keep-secure/event-4770.md new file mode 100644 index 0000000000..1c353eb67f --- /dev/null +++ b/windows/keep-secure/event-4770.md 
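Review bot: the last row of the Security Monitoring Recommendations table tells the reader to monitor "User ID", but 4769 has no field by that name; every other row in the same table points at "Account Information\Account Name", so this row should reference that field as well. Two smaller points in the same hunk: in the 0x3F KDC_ERR_KDC_NOT_TRUSTED row the link text reads "RFC1510" while the URL is a PKINIT Internet-Draft (cat-kerberos-pk-init-13.txt), so either the text or the target should be corrected; and "this field contains list of SPNs which were requested" should read "this field contains a list of SPNs that were requested".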
@@ -0,0 +1,183 @@ +--- +title: 4770(S) A Kerberos service ticket was renewed. (Windows 10) +description: Describes security event 4770(S) A Kerberos service ticket was renewed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4770(S): A Kerberos service ticket was renewed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4770 illustration + +***Subcategory:*** [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md) + +***Event Description:*** + +This event generates for every Ticket Granting Service (TGS) ticket renewal. + +This event generates only on domain controllers. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4770 + 0 + 0 + 14337 + 0 + 0x8020000000000000 + + 166481 + + + Security + DC01.contoso.local + + +- + WIN2008R2$@CONTOSO.LOCAL + CONTOSO.LOCAL + krbtgt + S-1-5-21-3457937927-2839227994-823803824-502 + 0x2 + 0x12 + ::ffff:10.0.0.12 + 49964 + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Account Information:** + +- **Account Name** \[Type = UnicodeString\]**:** the User Principal Name (UPN) of the account that requested ticket renewal. Computer account name ends with **$** character in UPN. This field typically has the following value format: user\_account\_name@FULL\_DOMAIN\_NAME. + + - User account example: dadmin@CONTOSO.LOCAL + + - Computer account example: WIN81$@CONTOSO.LOCAL + + This parameter in this event is optional and can be empty in some cases. + +- **Account Domain** \[Type = UnicodeString\]**:** the name of the Kerberos Realm that **Account Name** belongs to. This can appear in a variety of formats, including the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + This parameter in this event is optional and can be empty in some cases. + +**Service Information:** + +- **Service Name** \[Type = UnicodeString\]: the name of the account or computer for which the TGS ticket was renewed. + + - This parameter in this event is optional and can be empty in some cases. + +- **Service ID** \[Type = SID\]**:** SID of the account or computer object for which the TGS ticket was renewed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). 
Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +**Network Information:** + +- **Client Address** \[Type = UnicodeString\]**:** IP address of the computer from which the TGS renewal request was received. Formats vary, and include the following: + + - **IPv6** or **IPv4** address. + + - **::ffff:IPv4\_address**. + + - **::1** - localhost. + +- **Client Port** \[Type = UnicodeString\]: source port number of client network connection (TGS renewal request connection). + + - 0 for local (localhost) requests. + +**Additional information:** + +- **Ticket Options**: \[Type = HexInt32\]: this is a set of different Ticket Flags in hexadecimal format. + + Example: + + - Ticket Options: 0x40810010 + + - Binary view: 01000000100000010000000000010000 + + - Using **MSB 0** bit numbering we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok. + +> **Note**  In the table below **“MSB 0”** bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from left.
MSB illustration + +The most common values: + +- 0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok + +- 0x40810000 - Forwardable, Renewable, Canonicalize + +- 0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok + +| Bit | Flag Name | Description | +|-------|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | Reserved | - | +| 1 | Forwardable | (TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT. | +| 2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT. | +| 3 | Proxiable | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT. | +| 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. | +| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | +| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). 
| +| 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set. | +| 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. | +| 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. | +| 10 | Pre-authent | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon. | +| 11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC. | +| 12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag. | +| 13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation. | +| 14 | Request-anonymous | KILE not use this flag. | +| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. | +| 16-25 | Unused | - | +| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. 
Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor
the DISABLE-TRANSITED-CHECK option.
Should not be in use, because Transited-policy-checked flag is not supported by KILE. | +| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. | +| 28 | Enc-tkt-in-skey | No information. | +| 29 | Unused | - | +| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in it’s renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header. | +| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE. | + +- **Ticket Encryption Type**: \[Type = HexInt32\]: the cryptographic suite that was used in renewed TGS. + +| Type | Type Name | Description | +|--------------------------|-------------------------|-----------------------------------------------------------------------------------| +| 0x1 | DES-CBC-CRC | Disabled by default starting from Windows 7 and Windows Server 2008 R2. | +| 0x3 | DES-CBC-MD5 | Disabled by default starting from Windows 7 and Windows Server 2008 R2. | +| 0x11 | AES128-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista. | +| 0x12 | AES256-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista. | +| 0x17 | RC4-HMAC | Default suite for operating systems before Windows Server 2008 and Windows Vista. 
| +| 0x18 | RC4-HMAC-EXP | Default suite for operating systems before Windows Server 2008 and Windows Vista. | +| 0xFFFFFFFF or 0xffffffff | - | This type shows in Audit Failure events. | + + +## Security Monitoring Recommendations + +For 4770(S): A Kerberos service ticket was renewed. + +- This event typically has informational only purpose. + diff --git a/windows/keep-secure/event-4771.md b/windows/keep-secure/event-4771.md new file mode 100644 index 0000000000..ae81985175 --- /dev/null +++ b/windows/keep-secure/event-4771.md @@ -0,0 +1,226 @@ +--- +title: 4771(F) Kerberos pre-authentication failed. (Windows 10) +description: Describes security event 4771(F) Kerberos pre-authentication failed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4771(F): Kerberos pre-authentication failed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4771 illustration + +***Subcategory:*** [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) + +***Event Description:*** + +This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This can occur when a domain controller doesn’t have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user’s password has expired, or the wrong password was provided. + +This event generates only on domain controllers. + +This event is not generated if “Do not require Kerberos preauthentication” option is set for the account. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4771 + 0 + 0 + 14339 + 0 + 0x8010000000000000 + + 166708 + + + Security + DC01.contoso.local + + +- + dadmin + S-1-5-21-3457937927-2839227994-823803824-1104 + krbtgt/CONTOSO.LOCAL + 0x40810010 + 0x10 + 15 + ::ffff:10.0.0.12 + 49254 + + + + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Account Information:** + +- **Security ID** \[Type = SID\]**:** SID of account object for which (TGT) ticket was requested. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + + For example: CONTOSO\\dadmin or CONTOSO\\WIN81$. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name:** \[Type = UnicodeString\]**:** the name of account, for which (TGT) ticket was requested. Computer account name ends with **$** character. + + - User account example: dadmin + + - Computer account example: WIN81$ + +**Service Information:** + +- **Service Name** \[Type = UnicodeString\]: the name of the service in the Kerberos Realm to which TGT request was sent. 
Typically has one of the following formats: + + - krbtgt/DOMAIN\_NETBIOS\_NAME. Example: krbtgt/CONTOSO + + - krbtgt/DOMAIN\_FULL\_NAME. Example: krbtgt/CONTOSO.LOCAL + +**Network Information:** + +- **Client Address** \[Type = UnicodeString\]**:** IP address of the computer from which the TGT request was received. Formats vary, and include the following: + + - **IPv6** or **IPv4** address. + + - **::ffff:IPv4\_address**. + + - **::1** - localhost. + +- **Client Port** \[Type = UnicodeString\]: source port number of client network connection (TGT request connection). + + - 0 for local (localhost) requests. + +**Additional Information:** + +- **Ticket Options**: \[Type = HexInt32\]: this is a set of different Ticket Flags in hexadecimal format. + + Example: + + - Ticket Options: 0x40810010 + + - Binary view: 01000000100000010000000000010000 + + - Using **MSB 0** bit numbering we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok. + +> **Note**  In the table below **“MSB 0”** bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from left.
MSB illustration + +The most common values: + +- 0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok + +- 0x40810000 - Forwardable, Renewable, Canonicalize + +- 0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok + +| Bit | Flag Name | Description | +|-------|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | Reserved | - | +| 1 | Forwardable | (TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT. | +| 2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT. | +| 3 | Proxiable | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT. | +| 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. | +| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | +| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). 
| +| 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set. | +| 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. | +| 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. | +| 10 | Pre-authent | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon. | +| 11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC. | +| 12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag. | +| 13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation. | +| 14 | Request-anonymous | KILE not use this flag. | +| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. | +| 16-25 | Unused | - | +| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. 
Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor
the DISABLE-TRANSITED-CHECK option.
Should not be in use, because Transited-policy-checked flag is not supported by KILE. | +| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. | +| 28 | Enc-tkt-in-skey | No information. | +| 29 | Unused | - | +| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header. | +| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE. | + +> Table 6. Kerberos ticket flags. + +- **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. 
The table below contains the list of the most common error codes for this event: + +| Code | Code Name | Description | Possible causes | +|------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). | +| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The user’s password has expired. | +| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided. | + +- **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](https://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx) type which was used in TGT request. + + +## Table 5. Kerberos Pre-Authentication types. + +| Type | Type Name | Description | +|------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | - | Logon without Pre-Authentication. | +| 2 | PA-ENC-TIMESTAMP | This is a normal type for standard password authentication. | +| 11 | PA-ETYPE-INFO | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment. | +| 15 | PA-PK-AS-REP\_OLD | Used for Smart Card logon authentication. | +| 17 | PA-PK-AS-REP | This type should also be used for Smart Card authentication, but in certain Active Directory environments, it is never seen. | +| 19 | PA-ETYPE-INFO2 | The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment. | +| 20 | PA-SVR-REFERRAL-INFO | Used in KDC Referrals tickets. | +| 138 | PA-ENCRYPTED-CHALLENGE | Logon using Kerberos Armoring (FAST). Supported starting from Windows Server 2012 domain controllers and Windows 8 clients. | +| - | | This type shows in Audit Failure events. | + +**Certificate Information:** + +- **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority which issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events. + +- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate’s serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events. + +- **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate’s thumbprint. Can be found in **Thumbprint** field in the certificate. Always empty for [4771](event-4771.md) events. + +## Security Monitoring Recommendations + +For 4771(F): Kerberos pre-authentication failed. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Security ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Security ID”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Security ID”** for accounts that are outside the whitelist. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + +- You can track all [4771](event-4771.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges. + +- If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4771](event-4771.md) events. If **Client Address** is not from the whitelist, generate the alert. + +- All **Client Address** = ::1 means local authentication. 
If you know the list of accounts which should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = ::1 and **Account Name** is not allowed to log on to any domain controller. + +- All [4771](event-4771.md) events with **Client Port** field value > 0 and < 1024 should be examined, because a well-known port was used for outbound connection. + +- Also monitor the fields shown in the following table, to discover the issues listed: + +| **Field** | **Issue to discover** | +|-----------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Pre-Authentication Type** | Value is **not 15** when account must use a smart card for authentication. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). | +| **Pre-Authentication Type** | Value is **not 2** when only standard password authentication is in use in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). | +| **Pre-Authentication Type** | Value is **not 138** when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). | +| **Result Code** | **0x10** (KDC has no support for PADATA type (pre-authentication data)). This error can help you to more quickly identify smart-card related problems with Kerberos authentication. | +| **Result Code** | **0x18** ((Pre-authentication information was invalid), if you see, for example N events in last N minutes. This can be an indicator of brute-force attack on the account password, especially for highly critical accounts. | + 
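Review bot: in the Result Code table at the end of the event-4771.md hunk, the 0x18 row has an unbalanced parenthesis: "**0x18** ((Pre-authentication information was invalid), if you see, for example N events in last N minutes." should read "**0x18** (Pre-authentication information was invalid), if you see, for example, N events in the last N minutes." In the Pre-Authentication Type table near the top of the hunk, the row "| - | | This type shows in Audit Failure events. |" leaves the type-name column empty; either supply the name or state that "-" is the value displayed when no pre-authentication type is present in the failure event, otherwise the row reads like a truncated entry. The three Pre-Authentication Type rows in the recommendations table link to `#kerberos-preauthentication-types`; confirm that anchor matches the id the build generates for the "Table 5. Kerberos Pre-Authentication types" caption, since the caption text differs from the anchor name.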
diff --git a/windows/keep-secure/event-4772.md b/windows/keep-secure/event-4772.md new file mode 100644 index 0000000000..cc22ebd0d0 --- /dev/null +++ b/windows/keep-secure/event-4772.md @@ -0,0 +1,21 @@ +--- +title: 4772(F) A Kerberos authentication ticket request failed. (Windows 10) +description: Describes security event 4772(F) A Kerberos authentication ticket request failed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4772(F): A Kerberos authentication ticket request failed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4768](event-4768.md) failure event is generated instead. + +***Subcategory:*** [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) + diff --git a/windows/keep-secure/event-4773.md b/windows/keep-secure/event-4773.md new file mode 100644 index 0000000000..d1edccab49 --- /dev/null +++ b/windows/keep-secure/event-4773.md @@ -0,0 +1,21 @@ +--- +title: 4773(F) A Kerberos service ticket request failed. (Windows 10) +description: Describes security event 4773(F) A Kerberos service ticket request failed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4773(F): A Kerberos service ticket request failed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4769](event-4769.md) failure event is generated instead. + +***Subcategory:*** [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md) + diff --git a/windows/keep-secure/event-4774.md b/windows/keep-secure/event-4774.md new file mode 100644 index 0000000000..2b626f9576 --- /dev/null +++ b/windows/keep-secure/event-4774.md 
@@ -0,0 +1,41 @@ +--- +title: 4774(S) An account was mapped for logon. (Windows 10) +description: Describes security event 4774(S) An account was mapped for logon. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4774(S): An account was mapped for logon. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +It appears that this event never occurs. + +***Subcategory:*** [Audit Credential Validation](audit-credential-validation.md) + +***Event Schema:*** + +*An account was mapped for logon.* + +*Authentication Package:%1* + +*Account UPN:%2* + +*Mapped Name:%3* + +***Required Server Roles:*** no information. + +***Minimum OS Version:*** no information. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-4775.md b/windows/keep-secure/event-4775.md new file mode 100644 index 0000000000..f02523531c --- /dev/null +++ b/windows/keep-secure/event-4775.md @@ -0,0 +1,39 @@ +--- +title: 4775(F) An account could not be mapped for logon. (Windows 10) +description: Describes security event 4775(F) An account could not be mapped for logon. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4775(F): An account could not be mapped for logon. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +It appears that this event never occurs. + +***Subcategory:*** [Audit Credential Validation](audit-credential-validation.md) + +***Event Schema:*** + +*An account could not be mapped for logon.* + +*Authentication Package:%1* + +*Account Name:%2* + +***Required Server Roles:*** no information. + +***Minimum OS Version:*** no information. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + 
diff --git a/windows/keep-secure/event-4776.md b/windows/keep-secure/event-4776.md new file mode 100644 index 0000000000..c244914722 --- /dev/null +++ b/windows/keep-secure/event-4776.md 
@@ -0,0 +1,148 @@ +--- +title: 4776(S, F) The computer attempted to validate the credentials for an account. (Windows 10) +description: Describes security event 4776(S, F) The computer attempted to validate the credentials for an account. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4776(S, F): The computer attempted to validate the credentials for an account. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4776 illustration + +***Subcategory:*** [Audit Credential Validation](audit-credential-validation.md) + +***Event Description:*** + +This event generates every time that a credential validation occurs using NTLM authentication. + +This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. + +It shows successful and unsuccessful credential validation attempts. + +It shows only the computer name (**Source Workstation**) from which the authentication attempt was performed (authentication source). For example, if you authenticate from CLIENT-1 to SERVER-1 using a domain account you will see CLIENT-1 in the **Source Workstation** field. Information about the destination computer (SERVER-1) is not presented in this event. + +If a credential validation attempt fails, you will see a Failure event with **Error Code** parameter value not equal to “**0x0**”. + +The main advantage of this event is that on domain controllers you can see all authentication attempts for domain accounts when NTLM authentication was used. + +For monitoring local account logon attempts, it is better to use event “[4624](event-4624.md): An account was successfully logged on” because it contains more details and is more informative. + +This event also generates when a workstation unlock event occurs. 
+ +This event does *not* generate when a domain account logs on locally to a domain controller. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4776 + 0 + 0 + 14336 + 0 + 0x8010000000000000 + + 165437 + + + Security + DC01.contoso.local + + +- + MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0 + dadmin + WIN81 + 0xc0000234 + + + +``` + +***Required Server Roles:*** no specific requirements. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +- **Authentication Package** \[Type = UnicodeString\]: the name of [Authentication Package](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374733(v=vs.85).aspx) which was used for credential validation. It is always “**MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0**” for [4776](event-4776.md) event. + +> **Note**  **Authentication package** is a DLL that encapsulates the authentication logic used to determine whether to permit a user to log on. [Local Security Authority](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721592(v=vs.85).aspx#_security_local_security_authority_gly) (LSA) authenticates a user logon by sending the request to an authentication package. The authentication package then examines the logon information and either authenticates or rejects the user logon attempt. + +- **Logon Account** \[Type = UnicodeString\]: the name of the account that had its credentials validated by the **Authentication Package**. Can be user name, computer account name or [well-known security principal](https://support.microsoft.com/en-us/kb/243330) account name. Examples: + + - User example: dadmin + + - Computer account example: WIN81$ + + - Local System account example: Local + + - Local Service account example: Local Service + +- **Source Workstation** \[Type = UnicodeString\]: the name of the computer from which the logon attempt originated. + +- **Error Code** \[Type = HexInt32\]: contains error code for Failure events. For Success events this parameter has “**0x0**” value. 
The table below contains most common error codes for this event: + +| Error Code | Description | +|------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0xC0000064 | The username you typed does not exist. Bad username. | +| 0xC000006A | Account logon with misspelled or bad password. | +| 0xC000006D | - Generic logon failure.
Some of the potential causes for this:
An invalid username and/or password was used
[LAN Manager Authentication Level](https://technet.microsoft.com/en-us/library/jj852207.aspx) mismatch between the source and target computers. | +| 0xC000006F | Account logon outside authorized hours. | +| 0xC0000070 | Account logon from unauthorized workstation. | +| 0xC0000071 | Account logon with expired password. | +| 0xC0000072 | Account logon to account disabled by administrator. | +| 0xC0000193 | Account logon with expired account. | +| 0xC0000224 | Account logon with "Change Password at Next Logon" flagged. | +| 0xC0000234 | Account logon with account locked. | +| 0xc0000371 | The local account store does not contain secret material for the specified account. | +| 0x0 | No errors. | + +> Table 1. Winlogon Error Codes. + +## Security Monitoring Recommendations + +For 4776(S, F): The computer attempted to validate the credentials for an account. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Logon Account”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Logon Account”** value (with other information) to monitor how or when a particular account is being used.
To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Logon Account”** that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Logon Account”** for accounts that are outside the whitelist. | +| **Restricted-use computers**: You might have certain computers from which certain people (accounts) should not log on. | Monitor the target **Source Workstation** for credential validation requests from the **“Logon Account”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Logon Account”** for names that don’t comply with naming conventions. | + +- If NTLM authentication should not be used for a specific account, monitor for that account. Don’t forget that local logon will always use NTLM authentication if an account logs on to a device where its user account is stored. + +- You can use this event to collect all NTLM authentication attempts in the domain, if needed. Don’t forget that local logon will always use NTLM authentication if the account logs on to a device where its user account is stored. + +- If a local account should be used only locally (for example, network logon or terminal services logon is not allowed), you need to monitor for all events where **Source Workstation** and **Computer** (where the event was generated and where the credentials are stored) have different values. 
+ +- Consider tracking the following errors for the reasons listed: + +| **Error to track** | **What the error might indicate** | +|-----------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------| +| **User logon with misspelled or bad user account** | For example, N events in the last N minutes can be an indicator of an account enumeration attack, especially relevant for highly critical accounts. | +| **User logon with misspelled or bad password** | For example, N events in the last N minutes can be an indicator of a brute-force password attack, especially relevant for highly critical accounts. | +| **User logon outside authorized hours** | Can indicate a compromised account; especially relevant for highly critical accounts. | +| **User logon from unauthorized workstation** | Can indicate a compromised account; especially relevant for highly critical accounts. | +| **User logon to account disabled by administrator** | For example, N events in last N minutes can be an indicator of an account compromise attempt, especially relevant for highly critical accounts. | +| **User logon with expired account** | Can indicate an account compromise attempt; especially relevant for highly critical accounts. | +| **User logon with account locked** | Can indicate a brute-force password attack; especially relevant for highly critical accounts. | + diff --git a/windows/keep-secure/event-4777.md b/windows/keep-secure/event-4777.md new file mode 100644 index 0000000000..7a985dae86 --- /dev/null +++ b/windows/keep-secure/event-4777.md 
@@ -0,0 +1,21 @@ +--- +title: 4777(F) The domain controller failed to validate the credentials for an account. (Windows 10) +description: Describes security event 4777(F) The domain controller failed to validate the credentials for an account. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4777(F): The domain controller failed to validate the credentials for an account. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4776](event-4776.md) failure event is generated instead. + +***Subcategory:*** [Audit Credential Validation](audit-credential-validation.md) + diff --git a/windows/keep-secure/event-4778.md b/windows/keep-secure/event-4778.md new file mode 100644 index 0000000000..ff3e197630 --- /dev/null +++ b/windows/keep-secure/event-4778.md 
@@ -0,0 +1,137 @@ +--- +title: 4778(S) A session was reconnected to a Window Station. (Windows 10) +description: Describes security event 4778(S) A session was reconnected to a Window Station. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4778(S): A session was reconnected to a Window Station. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4778 illustration + +***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md) + +***Event Description:*** + +This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using [Fast User Switching](https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/fast_user_switching.mspx?mfr=true). + +This event also generates when user reconnects to virtual host Hyper-V Enhanced Session, for example. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4778 + 0 + 0 + 12551 + 0 + 0x8020000000000000 + + 237651 + + + Security + DC01.contoso.local + + +- + ladmin + CONTOSO + 0x1e01f6 + RDP-Tcp\#6 + WIN81 + 10.0.0.100 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which the session was reconnected. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Session:** + +- **Session Name** \[Type = UnicodeString\]**:** the name of the session to which the user was reconnected. Examples: + + - **RDP-Rcp\#N**, where N is a number of session – typical RDP session name. + + - **Console** – console session, typical for Fast User Switching. + + - **31C5CE94259D4006A9E4\#3** – example of “Hyper-V Enhanced Session” session name. + + You can see the list of current session’s using “**query session”** command in command prompt. 
Example of output (see **SESSIONNAME** column): + +Query session illustration + +**Additional Information:** + +- **Client Name** \[Type = UnicodeString\]: computer name from which the user was reconnected. Has “**Unknown”** value for console session. + +- **Client Address** \[Type = UnicodeString\]: IP address of the computer from which the user was reconnected. + + - IPv6 address or ::ffff:IPv4 address of a client. + + - ::1 or 127.0.0.1 means localhost. + + - Has “**LOCAL**” value for console session. + +## Security Monitoring Recommendations + +For 4778(S): A session was reconnected to a Window Station. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Account Name”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Account Name”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. 
| +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Account Name”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + +- If Fast User Switching is disabled on workstations or specific computers, then monitor for any event with **Session Name** = Console. + +- If Remote Desktop Connections are not allowed for specific users (**Subject\\Account Name**) or disabled on some computers, then monitor for **Session Name** = RDP-Tcp\# (substring). + +- If a specific computer or device (**Client Name** or **Client Address**) should never connect to this computer (**Computer**), monitor for any event with that **Client Name** or **Client Address**. + +- Check that **Additional Information\\Client Address** is from internal IP addresses list. + diff --git a/windows/keep-secure/event-4779.md b/windows/keep-secure/event-4779.md new file mode 100644 index 0000000000..2dfd8ef4ab --- /dev/null +++ b/windows/keep-secure/event-4779.md 
@@ -0,0 +1,139 @@ +--- +title: 4779(S) A session was disconnected from a Window Station. (Windows 10) +description: Describes security event 4779(S) A session was disconnected from a Window Station. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4779(S): A session was disconnected from a Window Station. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4779 illustration + +***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md) + +***Event Description:*** + +This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using [Fast User Switching](https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/fast_user_switching.mspx?mfr=true). + +This event also generated when user disconnects from virtual host Hyper-V Enhanced Session, for example. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4779 + 0 + 0 + 12551 + 0 + 0x8020000000000000 + + 237646 + + + Security + DC01.contoso.local + + +- + ladmin + CONTOSO + 0x1e01f6 + RDP-Tcp\#3 + WIN81 + 10.0.0.100 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which the session was disconnected. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Session:** + +- **Session Name** \[Type = UnicodeString\]**:** the name of disconnected session. Examples: + + - **RDP-Rcp\#N**, where N is a number of session – typical RDP session name. + + - **Console** – console session, typical for Fast User Switching. + + - **31C5CE94259D4006A9E4\#3** – example of “Hyper-V Enhanced Session” session name. + + You can see the list of current session’s using “**query session”** command in command prompt. Example of output (see **SESSIONNAME** column): + +Query session illustration + +**Additional Information:** + +- **Client Name** \[Type = UnicodeString\]: machine name from which the session was disconnected. 
Has “**Unknown”** value for console session. + + + +- **Client Address** \[Type = UnicodeString\]: IP address of the computer from which the session was disconnected. + + - IPv6 address or ::ffff:IPv4 address of a client. + + - ::1 or 127.0.0.1 means localhost. + + + + - Has “**LOCAL**” value for console session. + +## Security Monitoring Recommendations + +For 4779(S): A session was disconnected from a Window Station. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Account Name”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Account Name”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. 
| +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
For example, you might have computers to which connections should not be made from certain accounts or addresses. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Account Name”** that you are concerned about.
If you have a target **Computer:** (or other target device) to which connections should not be made from certain accounts or addresses, monitor this event for the corresponding **Client Name** or **Client Address**. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + +- If Fast User Switching is disabled on workstations or specific computers, then monitor for any event with **Session Name** = Console. + +- If Remote Desktop Connections are not allowed for specific users (**Subject\\Account Name**) or disabled on some computers, then monitor for **Session Name** = RDP-Tcp\# (substring). + +- To ensure that connections are made only from your internal IP address list, monitor the **Additional Information\\Client Address** in this event. + diff --git a/windows/keep-secure/event-4780.md b/windows/keep-secure/event-4780.md new file mode 100644 index 0000000000..f90b4a900a --- /dev/null +++ b/windows/keep-secure/event-4780.md 
@@ -0,0 +1,59 @@ +--- +title: 4780(S) The ACL was set on accounts which are members of administrators groups. (Windows 10) +description: Describes security event 4780(S) The ACL was set on accounts which are members of administrators groups. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4780(S): The ACL was set on accounts which are members of administrators groups. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Every hour, the domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative or security-sensitive groups and which have AdminCount attribute = 1 against the ACL on the [AdminSDHolder](https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx) object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated. + +For some reason, this event doesn’t generate on some OS versions. + +***Subcategory:*** [Audit User Account Management](audit-user-account-management.md) + +***Event Schema:*** + +*The ACL was set on accounts which are members of administrators groups.* + +*Subject:* + +> *Security ID:%4* +> +> *Account Name:%5* +> +> *Account Domain:%6* +> +> *Logon ID:%7* + +*Target Account:* + +> *Security ID:%3* +> +> *Account Name:%1* +> +> *Account Domain:%2* + +*Additional Information:* + +> *Privileges:%8* + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- Monitor for this event and investigate why the object’s ACL was changed. + 
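Review bot: in event-4780.md the sentence "For some reason, this event doesn’t generate on some OS versions." is an unresolved observation rather than documentation; either name the versions on which it was verified not to fire or drop the sentence, because as written a reader cannot tell whether their domain controllers should be expected to log it. The single recommendation "Monitor for this event and investigate why the object’s ACL was changed." also points at the wrong moment: per the description above, 4780 is raised when the PDC emulator resets a protected account's ACL back to the AdminSDHolder template, so the event records the reset, and the change worth investigating is the earlier modification that made the ACL diverge and who made it; say so, and note that the Subject fields in the schema therefore describe the reset operation and will not name the original modifier. Finally, this topic lacks the sections every sibling topic in this change has (an "Event Description" heading, an "Event XML" sample, "Field Descriptions" for Subject, Target Account and Privileges, and the "Note For recommendations, see ..." pointer); adding them would keep the event series consistent.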
diff --git a/windows/keep-secure/event-4781.md b/windows/keep-secure/event-4781.md new file mode 100644 index 0000000000..34064992de --- /dev/null +++ b/windows/keep-secure/event-4781.md @@ -0,0 +1,127 @@ +--- +title: 4781(S) The name of an account was changed. (Windows 10) +description: Describes security event 4781(S) The name of an account was changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4781(S): The name of an account was changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4781 illustration + +***Subcategory:*** [Audit User Account Management](audit-user-account-management.md) + +***Event Description:*** + +This event generates every time a user or computer account name (**sAMAccountName** attribute) is changed. + +For user accounts, this event generates on domain controllers, member servers, and workstations. + +For computer accounts, this event generates only on domain controllers. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4781 + 0 + 0 + 13824 + 0 + 0x8020000000000000 + + 175754 + + + Security + DC01.contoso.local + + +- + Admin + MainAdmin + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-6117 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x30d5f + - + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that performed the “change account name” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that performed the “change account name” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Target Account:** + +- **Security ID** \[Type = SID\]**:** SID of account on which the name was changed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +- **Account Domain** \[Type = UnicodeString\]**:** target account’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Old Account Name** \[Type = UnicodeString\]**:** old name of target account. + +- **New Account Name** \[Type = UnicodeString\]**:** new name of target account. + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”. 
+ +## Security Monitoring Recommendations + +For 4781(S): The name of an account was changed. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have high-value user or computer accounts (or local user accounts) for which you need to monitor each change to the accounts, monitor this event with the **“Target Account\\Security ID”** that corresponds to the high-value accounts. + diff --git a/windows/keep-secure/event-4782.md b/windows/keep-secure/event-4782.md new file mode 100644 index 0000000000..6d0804b3b3 --- /dev/null +++ b/windows/keep-secure/event-4782.md @@ -0,0 +1,112 @@ +--- +title: 4782(S) The password hash an account was accessed. (Windows 10) +description: Describes security event 4782(S) The password hash an account was accessed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4782(S): The password hash an account was accessed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4782 illustration + +***Subcategory:*** [Audit Other Account Management Events](audit-other-account-management-events.md) + +***Event Description:*** + +This event generates on domain controllers during password migration of an account using [Active Directory Migration Toolkit](https://technet.microsoft.com/en-us/library/cc974332(v=ws.10).aspx). + +Typically **“Subject\\Security ID”** is the SYSTEM account. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
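Review bot: in event-4781.md the Privileges field description ends with 'See full list of user privileges in “Table 8. User Privileges.”' but no such table exists in this topic and there is no link, so the reference is dead; link to the topic that defines the privileges table or remove the sentence. The sample XML (old name Admin, new name MainAdmin) also shows the case the Security Monitoring Recommendations should call out: a rename is how an account slips past name-based allow-lists and how an ordinary account can be made to look privileged, so consider adding bullets to check "New Account Name" against your naming conventions (as the "Account naming conventions" row of the shared recommendations table does for Subject\Account Name) and to alert when an account is renamed to or from a name resembling a privileged or built-in account. The existing bullet keyed on "Target Account\Security ID" is correct as far as it goes, since the SID survives the rename, and is worth stating as the reason to key on the SID rather than on either name.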
+ +***Event XML:*** +``` +- +- + + 4782 + 0 + 0 + 13829 + 0 + 0x8020000000000000 + + 174829 + + + Security + DC01.contoso.local + + +- + Andrei + CONTOSO + S-1-5-18 + DC01$ + CONTOSO + 0x3e7 + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested hash migration operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested hash migration operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For ANONYMOUS LOGON you will see **NT AUTHORITY** value for this field. 
+ +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Target Account:** + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which the password hash was migrated. For example: ServiceDesk + + - User account example: Andrei + + - Computer account example: DC01$ + +- **Account Domain** \[Type = UnicodeString\]**:** domain name of the account for which the password hash was migrated. Formats vary, and include the following: + + - Domain NETBIOS name example: FABRIKAM + + - Lowercase full domain name: fabrikam.local + + - Uppercase full domain name: FABRIKAM.LOCAL + +## Security Monitoring Recommendations + +For 4782(S): The password hash an account was accessed. + +- Monitor for all events of this type, because any actions with account’s password hashes should be planned. If this action was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4793.md b/windows/keep-secure/event-4793.md new file mode 100644 index 0000000000..079c4317df --- /dev/null +++ b/windows/keep-secure/event-4793.md 
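Review bot: in event-4782.md the Target Account "Account Name" description does not match the sample: it gives 'For example: ServiceDesk' and then 'Computer account example: DC01$', but in the Event XML DC01$ is the Subject account (SID S-1-5-18, the SYSTEM context described just above as typical) and Andrei is the target, so DC01$ is not an example of this field; drop the ServiceDesk example and either remove the computer-account example or state explicitly that computer accounts can be migration targets. The Target "Account Domain" examples (FABRIKAM, fabrikam.local) also differ from the sample, where the target domain is CONTOSO; say whether this field is expected to hold the source or the destination domain of the migration, because that is what a reviewer would check to confirm the migration ran between the intended domains. Lastly, the recommendation "any actions with account’s password hashes should be planned" would be more actionable if it noted that, with the Subject typically being SYSTEM, the operator is not identified in this event, so confirmation has to come from the ADMT run and its operator rather than from the Subject fields.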
@@ -0,0 +1,115 @@ +--- +title: 4793(S) The Password Policy Checking API was called. (Windows 10) +description: Describes security event 4793(S) The Password Policy Checking API was called. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4793(S): The Password Policy Checking API was called. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4793 illustration + +***Subcategory:*** [Audit Other Account Management Events](audit-other-account-management-events.md) + +***Event Description:*** + +This event generates each time the [Password Policy Checking API](https://msdn.microsoft.com/en-us/library/aa370661(VS.85).aspx) is called. + +The Password Policy Checking API allows an application to check password compliance against an application-provided account database or single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy. + +This event, for example, generates during Directory Services Restore Mode ([DSRM](http://blogs.technet.com/b/askds/archive/2009/03/11/ds-restore-mode-password-maintenance.aspx)) account password reset procedure to check new DSRM password. + +This event generates on the computer where Password Policy Checking API was called. + +Note that starting with Microsoft SQL Server 2005, the “SQL Server password policy” feature can generate many 4793 events on a SQL Server. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4793 + 0 + 0 + 13829 + 0 + 0x8020000000000000 + + 172342 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x36f67 + DC01 + - + 0x0 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested Password Policy Checking API operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested Password Policy Checking API operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Additional Information:** + +- **Caller Workstation** \[Type = UnicodeString\]**:** name of the computer from which the Password Policy Checking API was called. Typically, this is the same computer where this event was generated, for example, DC01. Computer name here does not contain **$** symbol at the end. It also can be an IP address or the DNS name of the computer. + +- **Provided Account Name (unauthenticated)** \[Type = UnicodeString\]**:** the name of account, which password was provided/requested for validation. This parameter might not be captured in the event, and in that case appears as “-”. + +- **Status Code** \[Type = HexInt32\]**:** typically has “**0x0**” value. Status code is “**0x0**”, no matter meets password domain Password Policy or not. + +## Security Monitoring Recommendations + +For 4793(S): The Password Policy Checking API was called. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Typically this is an informational event, and can give you information about when Password Policy Checking APIs were invoked, and who invoked them. 
The **Provided Account Name** does not always have a value—sometimes it’s not really possible to determine for which account the password policy check was performed. + diff --git a/windows/keep-secure/event-4794.md b/windows/keep-secure/event-4794.md new file mode 100644 index 0000000000..c3ce16e165 --- /dev/null +++ b/windows/keep-secure/event-4794.md @@ -0,0 +1,104 @@ +--- +title: 4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password. (Windows 10) +description: Describes security event 4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4794(S, F): An attempt was made to set the Directory Services Restore Mode administrator password. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4794 illustration + +***Subcategory:*** [Audit User Account Management](audit-user-account-management.md) + +***Event Description:*** + +This event generates every time Directory Services Restore Mode (DSRM) administrator password is changed. + +This event generates only on domain controllers. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
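Review bot: in event-4793.md the Status Code description 'Status code is “0x0”, no matter meets password domain Password Policy or not.' is ungrammatical and buries the important point; suggest 'Status Code is 0x0 regardless of whether the supplied password met the password policy', and state plainly that the event therefore cannot tell you whether a check passed or failed, only that the API was called. The field name "Provided Account Name (unauthenticated)" also deserves one sentence on what "unauthenticated" means for a reader: the value is supplied by the caller and is not validated by the system, so it should not be used on its own to attribute the password check to an account; the Subject fields and Caller Workstation are the trustworthy part of the record. Minor: the last recommendation repeats the "might not be captured ... appears as '-'" point already made in the field description, and the SQL Server note would be more useful if it said what to do about the volume (for example, exclude or baseline 4793 from SQL Server hosts rather than alert on it).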
+ +***Event XML:*** +``` +- +- + + 4794 + 0 + 0 + 13824 + 0 + 0x8020000000000000 + + 172348 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x36f67 + DC01 + 0x0 + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that made an attempt to set Directory Services Restore Mode administrator password. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to set Directory Services Restore Mode administrator password. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Additional Information:** + +- **Caller Workstation** \[Type = UnicodeString\]**:** the name of computer account from which Directory Services Restore Mode (DSRM) administrator password change request was received. For example: “**DC01**”. If the change request was sent locally (from the same server) this field will have the same name as the computer account. + +- **Status Code** \[Type = HexInt32\]**:** for Success events it has “**0x0**” value. + +## Security Monitoring Recommendations + +For 4794(S, F): An attempt was made to set the Directory Services Restore Mode administrator password. + +- Always monitor 4794 events and trigger alerts when they occur. + diff --git a/windows/keep-secure/event-4798.md b/windows/keep-secure/event-4798.md new file mode 100644 index 0000000000..3423f5319b --- /dev/null +++ b/windows/keep-secure/event-4798.md 
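Review bot: in event-4794.md the title advertises both outcomes ('4794(S, F)') but the Event Description says the event 'generates every time Directory Services Restore Mode (DSRM) administrator password is changed' and the Status Code description only covers 'for Success events it has “0x0” value'; the page never says when the Failure variant is produced or what Status Code values it carries. Either document the failure case and its status codes, ideally with a failure sample alongside the success XML, or reword the description to 'generates every time an attempt is made to set the DSRM administrator password, whether or not it succeeds', which is what the event message itself says. The recommendation 'Always monitor 4794 events and trigger alerts when they occur' is right for an event that only domain controllers produce, but add that Failure events deserve the same alert as Success, since a rejected attempt is still someone trying to set this password.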
@@ -0,0 +1,135 @@ +--- +title: 4798(S) A user's local group membership was enumerated. (Windows 10) +description: Describes security event 4798(S) A user's local group membership was enumerated. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4798(S): A user's local group membership was enumerated. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4798 illustration + +***Subcategory:*** [Audit User Account Management](audit-user-account-management.md) + +***Event Description:*** + +This event generates when a process enumerates a user's security-enabled local groups on a computer or device. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4798 + 0 + 0 + 13824 + 0 + 0x8020000000000000 + + 691 + + + Security + WIN10-1.contoso.local + + +- + Administrator + WIN10-1 + S-1-5-21-1694160624-234216347-2203645164-500 + S-1-5-21-1377283216-344919071-3415362939-1104 + dadmin + CONTOSO + 0x72d9d + 0xc80 + C:\\Windows\\System32\\mmc.exe + + + +``` + +***Required Server Roles:*** none. + +***Minimum OS Version:*** Windows Server 2016, Windows 10. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “enumerate user's security-enabled local groups” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “enumerate user's security-enabled local groups” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**User:** + +- **Security ID** \[Type = SID\]: SID of the account whose groups were enumerated. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +- **Account Name** \[Type = UnicodeString\]: the name of the account whose groups were enumerated. + +- **Account Domain** \[Type = UnicodeString\]: group’s domain or computer name. Formats vary, and include the following: + + - For a local group, this field will contain the name of the computer to which this group belongs, for example: “Win81”. + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + +**Process Information:** + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that enumerated the members of the group. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + +> If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. 
+ +You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + +## Security Monitoring Recommendations + +For 4798(S): A user's local group membership was enumerated. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have high value domain or local accounts for which you need to monitor each enumeration of their group membership, or any access attempt, monitor events with the **“Subject\\Security ID”** that corresponds to the high value account or accounts. + +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + diff --git a/windows/keep-secure/event-4799.md b/windows/keep-secure/event-4799.md new file mode 100644 index 0000000000..2084212f59 --- /dev/null +++ b/windows/keep-secure/event-4799.md 
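Review bot: in event-4798.md several field descriptions look copied from the 4799 topic and do not fit this event: under "User:", "Account Domain" is described as 'group’s domain or computer name', but here it is the enumerated user's domain or computer name (the sample shows WIN10-1 for the local Administrator), and the sub-bullet 'For a local group, this field will contain the name of the computer to which this group belongs' should read 'For a local user account'; likewise "Process ID" is described as 'the process that enumerated the members of the group' where this event records the process that enumerated a user's group membership. More important, the first Security Monitoring Recommendations bullet is keyed on the wrong field: to watch enumeration of a high-value account's group membership you have to match "User\Security ID", the account being enumerated, not "Subject\Security ID", which is the account that performed the enumeration; as written the rule would fire on an administrator doing a lookup and miss lookups made against the administrator. Suggest splitting it into two bullets, one on User\Security ID for high-value target accounts and one on Subject\Security ID if you also want to track what high-value accounts themselves enumerate.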
@@ -0,0 +1,135 @@ +--- +title: 4799(S) A security-enabled local group membership was enumerated. (Windows 10) +description: Describes security event 4799(S) A security-enabled local group membership was enumerated. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4799(S): A security-enabled local group membership was enumerated. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4799 illustration + +***Subcategory:*** [Audit Security Group Management](audit-security-group-management.md) + +***Event Description:*** + +This event generates when a process enumerates the members of a security-enabled local group on the computer or device. + +This event doesn't generate when group members were enumerated using Active Directory Users and Computers snap-in. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4799 + 0 + 0 + 13826 + 0 + 0x8020000000000000 + + 685 + + + Security + WIN10-1.contoso.local + + +- + Administrators + Builtin + S-1-5-32-544 + S-1-5-21-1377283216-344919071-3415362939-1104 + dadmin + CONTOSO + 0x72d9d + 0xc80 + C:\\Windows\\System32\\mmc.exe + + + +``` + +***Required Server Roles:*** none. + +***Minimum OS Version:*** Windows Server 2016, Windows 10. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “enumerate security-enabled local group members” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “enumerate security-enabled local group members” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Group:** + +- **Security ID \[Type = SID\]:** SID of the group which members were enumerated. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +- **Group Name \[Type = UnicodeString\]:** the name of the group which members were enumerated. + +- **Group Domain \[Type = UnicodeString\]: group’s domain or computer name. Formats vary, and include the following:** + + - For Builtin groups this field has “Builtin” value. + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For a local group, this field will contain the name of the computer to which this group belongs, for example: “Win81”. + +**Process Information:** + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that enumerated the members of the group. Process ID (PID) is a number used by the operating system to uniquely identify an active process. 
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + +> If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + +You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + +## Security Monitoring Recommendations + +For 4799(S): A security-enabled local group membership was enumerated. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have a list of critical local security groups in the organization, and need to specifically monitor these groups for any access (in this case, enumeration of group membership), monitor events with the “**Group\\Group Name”** values that correspond to the critical local security groups. Examples of critical local groups are built-in local administrators, built-in backup operators, and so on. + +- If you need to monitor each time the membership is enumerated for a local or domain security group, to see who enumerated the membership and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed. + diff --git a/windows/keep-secure/event-4800.md b/windows/keep-secure/event-4800.md new file mode 100644 index 0000000000..3eb3482649 --- /dev/null +++ b/windows/keep-secure/event-4800.md 
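Review bot: the Group Domain bullet in the 4799 field descriptions wraps the whole sentence in bold (`**Group Domain \[Type = UnicodeString\]: group’s domain or computer name. Formats vary, and include the following:**`), while every other bullet bolds only the field name and type; close the bold after `\]:` as the Subject bullets do. In the same list, "SID of the group which members were enumerated" and "the name of the group which members were enumerated" should read "whose members were enumerated". Two consistency points against the other new pages in this patch: "Required Server Roles: none." is lowercase here but "None." elsewhere, and the hex-to-decimal PID remark is rendered as a `>` blockquote here but as an indented paragraph under the Process ID bullet in the 4818 page, so pick one presentation.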
@@ -0,0 +1,101 @@ +--- +title: 4800(S) The workstation was locked. (Windows 10) +description: Describes security event 4800(S) The workstation was locked. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4800(S): The workstation was locked. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4800 illustration + +***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md) + +***Event Description:*** + +This event is generated when a workstation was locked. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4800 + 0 + 0 + 12551 + 0 + 0x8020000000000000 + + 237655 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x759a9 + 3 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “lock workstation” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “lock workstation” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +- **Session ID** \[Type = UInt32\]: unique ID of locked session. You can see the list of current session IDs using “**query session”** command in command prompt. Example of output (see **ID** column): + +Query session illustration + +## Security Monitoring Recommendations + +For 4800(S): The workstation was locked. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Typically this is an informational event, and can give you information about when a machine was locked, and which account was used to lock it. + diff --git a/windows/keep-secure/event-4801.md b/windows/keep-secure/event-4801.md new file mode 100644 index 0000000000..b0b69a6e24 --- /dev/null +++ b/windows/keep-secure/event-4801.md 
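Review bot: in the Session ID bullet the closing quote sits inside the bold run (`“**query session”**`), so the closing quote renders bold and the opening one does not; use `“**query session**”` to match how commands are quoted in the other field descriptions. The monitoring recommendation could also point to 4801 as the paired unlock event, since the sample XML for both carries the same Logon ID (0x759a9) and Session ID (3), and that correlation is what turns a lone 4800 into a usable lock/unlock timeline for the account.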
@@ -0,0 +1,101 @@ +--- +title: 4801(S) The workstation was unlocked. (Windows 10) +description: Describes security event 4801(S) The workstation was unlocked. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4801(S): The workstation was unlocked. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4801 illustration + +***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md) + +***Event Description:*** + +This event is generated when workstation was unlocked. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4801 + 0 + 0 + 12551 + 0 + 0x8020000000000000 + + 237657 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x759a9 + 3 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “unlock workstation” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “unlock workstation” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +- **Session ID** \[Type = UInt32\]: unique ID of unlocked session. You can see the list of current session IDs using “**query session”** command in command prompt. Example of output (see ID column): + +Query session illustration + +## Security Monitoring Recommendations + +For 4801(S): The workstation was unlocked. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Typically this is an informational event, and can give you information about when a machine was unlocked, and which account was used to unlock it. + diff --git a/windows/keep-secure/event-4802.md b/windows/keep-secure/event-4802.md new file mode 100644 index 0000000000..691f558b08 --- /dev/null +++ b/windows/keep-secure/event-4802.md 
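Review bot: the Event Description drops the article, "This event is generated when workstation was unlocked", while the 4800 page says "when a workstation was locked"; align it to "when a workstation was unlocked". The Session ID bullet also differs from 4800 only in formatting ("(see ID column)" here, "(see **ID** column)" there) and has the same quote-inside-bold issue with `“**query session”**`; make the two pages identical apart from lock/unlock wording.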
@@ -0,0 +1,101 @@ +--- +title: 4802(S) The screen saver was invoked. (Windows 10) +description: Describes security event 4802(S) The screen saver was invoked. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4802(S): The screen saver was invoked. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4802 illustration + +***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md) + +***Event Description:*** + +This event is generated when screen saver was invoked. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4802 + 0 + 0 + 12551 + 0 + 0x8020000000000000 + + 237662 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x759a9 + 3 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “invoke screensaver” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “invoke screensaver” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +- **Session ID** \[Type = UInt32\]: unique ID of a session for which screen saver was invoked. You can see the list of current session IDs using “**query session”** command in command prompt. Example of output (see ID column): + +Query session illustration + +## Security Monitoring Recommendations + +For 4802(S): The screen saver was invoked. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Typically this is an informational event, and can give you information about when a screen saver was invoked on a machine, and which account invoked it. + diff --git a/windows/keep-secure/event-4803.md b/windows/keep-secure/event-4803.md new file mode 100644 index 0000000000..8cfb6407c8 --- /dev/null +++ b/windows/keep-secure/event-4803.md 
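Review bot: the page spells the feature two ways, "screen saver" in the title, description and recommendations but "screensaver" in the Security ID and Account Name bullets ("invoke screensaver" operation); standardize on "screen saver", which is the form the event text itself uses. The Event Description also needs an article: "This event is generated when the screen saver was invoked."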
@@ -0,0 +1,101 @@ +--- +title: 4803(S) The screen saver was dismissed. (Windows 10) +description: Describes security event 4803(S) The screen saver was dismissed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4803(S): The screen saver was dismissed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4803 illustration + +***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md) + +***Event Description:*** + +This event is generated when screen saver was dismissed. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4803 + 0 + 0 + 12551 + 0 + 0x8020000000000000 + + 237663 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x759a9 + 3 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “dismiss screensaver” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “dismiss screensaver” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +- **Session ID** \[Type = UInt32\]: unique ID of a session for which screen saver was dismissed. You can see the list of current session IDs using “**query session”** command in command prompt. Example of output (see ID column): + +Query session illustration + +## Security Monitoring Recommendations + +For 4803(S): The screen saver was dismissed. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Typically this is an informational event, and can give you information about when a screen saver was dismissed on a machine, and which account dismissed it. + diff --git a/windows/keep-secure/event-4816.md b/windows/keep-secure/event-4816.md new file mode 100644 index 0000000000..846e37ddf7 --- /dev/null +++ b/windows/keep-secure/event-4816.md 
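Review bot: same two issues as the 4802 page: "dismiss screensaver" in the Security ID and Account Name bullets versus "screen saver" everywhere else, and a missing article in "This event is generated when screen saver was dismissed." Fix both so the 4802 and 4803 pages read as a matched pair.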
@@ -0,0 +1,43 @@ +--- +title: 4816(S) RPC detected an integrity violation while decrypting an incoming message. (Windows 10) +description: Describes security event 4816(S) RPC detected an integrity violation while decrypting an incoming message. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4816(S): RPC detected an integrity violation while decrypting an incoming message. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This message generates if RPC detected an integrity violation while decrypting an incoming message. + +There is no example of this event in this document. + +***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) + +***Event Schema:*** + +*RPC detected an integrity violation while decrypting an incoming message.* + +*Peer Name: %1* + +*Protocol Sequence: %2* + +*Security Error: %3* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- We recommend monitoring for this event, especially on high value assets or computers, because it can be a sign of a software or configuration issue, or a malicious action. + diff --git a/windows/keep-secure/event-4817.md b/windows/keep-secure/event-4817.md new file mode 100644 index 0000000000..c1bc5e42d5 --- /dev/null +++ b/windows/keep-secure/event-4817.md 
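Review bot: the opening sentence says "This message generates if RPC detected an integrity violation"; it is an event, not a message, so "This event generates when RPC detects an integrity violation" matches the phrasing used on the other pages. The Event Schema lists three placeholders (Peer Name %1, Protocol Sequence %2, Security Error %3) but the page has no Field Descriptions section; since the page states there is no example event, a short description of each field is the only guidance a reader gets, and the monitoring bullet would be stronger if it said which field to pivot on (the remote peer in Peer Name, the transport in Protocol Sequence) when deciding whether a hit is a configuration problem or something hostile.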
@@ -0,0 +1,246 @@ +--- +title: 4817(S) Auditing settings on object were changed. (Windows 10) +description: Describes security event 4817(S) Auditing settings on object were changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4817(S): Auditing settings on object were changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4817 illustration + +***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md) + +***Event Description:*** + +This event generates when the [Global Object Access Auditing](https://technet.microsoft.com/en-us/library/dd772630(v=ws.10).aspx) policy is changed on a computer. + +Separate events will be generated for “Registry” and “File system” policy changes. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4817 + 0 + 0 + 13568 + 0 + 0x8020000000000000 + + 1192270 + + + Security + DC01.contoso.local + + +- + S-1-5-18 + DC01$ + CONTOSO + 0x3e7 + LSA + Global SACL + Key + + S:(AU;SA;RC;;;S-1-5-21-3457937927-2839227994-823803824-1104) + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008 R2, Windows 7. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that made a change to Global Object Access Auditing policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to Global Object Access Auditing policy. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Object:** + +- **Object Server** \[Type = UnicodeString\]: has “**LSA**” value for this event. + +- **Object Type** \[Type = UnicodeString\]: The type of an object to which this event applies. Always “**Global SACL**” for this event. + + The following table contains the list of the most common **Object Types**: + +| Directory | Event | Timer | Device | +|-------------------------|--------------|----------------------|-------------------------| +| Mutant | Type | File | Token | +| Thread | Section | WindowStation | DebugObject | +| FilterCommunicationPort | EventPair | Driver | IoCompletion | +| Controller | SymbolicLink | WmiGuid | Process | +| Profile | Desktop | KeyedEvent | Central Access Policies | +| Key | WaitablePort | Callback | Global SACL | +| Job | Port | FilterConnectionPort | | +| ALPC Port | Semaphore | Adapter | | + +- **Object Name: ** + + - Key – if “Registry” Global Object Access Auditing policy was changed. + + - File – if “File system” Global Object Access Auditing policy was changed. + +**Auditing Settings:** + +- **Original Security Descriptor** \[Type = UnicodeString\]**:** the old Security Descriptor Definition Language (SDDL) value for the Global Object Access Auditing policy. 
Empty if Global Object Access Auditing policy SACL was not set. + +- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the Global Object Access Auditing policy. + +> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. + +> Example: + +> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) + +> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. +> See the list of possible values in the table below: + +| Value | Description | Value | Description | +|-------|--------------------------------------|-------|---------------------------------| +| "AO" | Account operators | "PA" | Group Policy administrators | +| "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user | +| "AN" | Anonymous logon | "LA" | Local administrator | +| "AU" | Authenticated users | "LG" | Local guest | +| "BA" | Built-in administrators | "LS" | Local service account | +| "BG" | Built-in guests | "SY" | Local system | +| "BO" | Backup operators | "NU" | Network logon user | +| "BU" | Built-in users | "NO" | Network configuration operators | +| "CA" | Certificate server administrators | "NS" | Network service account | +| "CG" | Creator group | "PO" | Printer operators | +| "CO" | Creator owner | "PS" | Personal self | +| "DA" | Domain administrators | "PU" | Power users | +| "DC" | Domain computers | "RS" | RAS servers group | +| "DD" | Domain controllers | "RD" | Terminal server users | +| "DG" | Domain guests | "RE" | Replicator | +| "DU" | Domain users | "RC" | Restricted code | +| "EA" | Enterprise administrators | "SA" | Schema administrators | +| "ED" | Enterprise domain controllers | "SO" | Server operators | +| 
"WD" | Everyone | "SU" | Service logon user | + +- *G*: = Primary Group. +- *D*: = DACL Entries. +- *S*: = SACL Entries. + +*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid) + +Example: D:(A;;FA;;;WD) + +- entry\_type: + +“D” - DACL + +“S” - SACL + +- inheritance\_flags: + +"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked. + +"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set. + +"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object. + +- ace\_type: + +"A" - ACCESS ALLOWED + +"D" - ACCESS DENIED + +"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s). + +"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s). + +"AU" - SYSTEM AUDIT + +"A" - SYSTEM ALARM + +"OU" - OBJECT SYSTEM AUDIT + +"OL" - OBJECT SYSTEM ALARM + +- ace\_flags: + +"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE. + +"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE. + +"NP" - NO PROPAGATE: only immediate children inherit this ace. + +"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance. + +"ID" - ACE IS INHERITED + +"SA" - SUCCESSFUL ACCESS AUDIT + +"FA" - FAILED ACCESS AUDIT +- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. 
+ +| Value | Description | Value | Description | +|----------------------------|---------------------------------|----------------------|--------------------------| +| Generic access rights | Directory service access rights | +| "GA" | GENERIC ALL | "RC" | Read Permissions | +| "GR" | GENERIC READ | "SD" | Delete | +| "GW" | GENERIC WRITE | "WD" | Modify Permissions | +| "GX" | GENERIC EXECUTE | "WO" | Modify Owner | +| File access rights | "RP" | Read All Properties | +| "FA" | FILE ALL ACCESS | "WP" | Write All Properties | +| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects | +| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects | +| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents | +| Registry key access rights | "SW" | All Validated Writes | +| "KA" | "LO" | "LO" | List Object | +| "K" | KEY READ | "DT" | Delete Subtree | +| "KW" | KEY WRITE | "CR" | All Extended Rights | +| "KX" | KEY EXECUTE | | | + +- object\_guid: N/A +- inherit\_object\_guid: N/A +- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. + +For more information about SDDL syntax, see these articles: , . + +## Security Monitoring Recommendations + +For 4817(S): Auditing settings on object were changed. + +- If you use Global Object Access Auditing policies, then this event should be always monitored, especially on high value assets or computers. If this change was not planned, investigate the reason for the change. + +- If you don’t use Global Object Access Auditing policies, then this event should be always monitored because it indicates use of Global Object Access Auditing policies outside of your standard procedures. + diff --git a/windows/keep-secure/event-4818.md b/windows/keep-secure/event-4818.md new file mode 100644 index 0000000000..f219c35d82 --- /dev/null +++ b/windows/keep-secure/event-4818.md 
@@ -0,0 +1,211 @@ +--- +title: 4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. (Windows 10) +description: Describes security event 4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4818 illustration + +***Subcategory:*** [Audit Central Policy Staging](audit-central-access-policy-staging.md) + +***Event Description:*** + +This event generates when Dynamic Access Control Proposed [Central Access Policy](https://technet.microsoft.com/en-us/library/hh831425.aspx) is enabled and access was not granted by Proposed Central Access Policy. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4818 + 0 + 0 + 12813 + 0 + 0x8020000000000000 + + 1049324 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-2104 + Auditor + CONTOSO + 0x1e5f21 + Security + File + C:\\Finance Documents\\desktop.ini + 0xc64 + 0x4 + + %%1538: %%1801 D:(A;ID;0x1200a9;;;BU) %%1541: %%1801 D:(A;ID;0x1200a9;;;BU) %%4416: %%1801 D:(A;ID;0x1200a9;;;BU) %%4419: %%1801 D:(A;ID;0x1200a9;;;BU) %%4423: %%1801 D:(A;ID;0x1200a9;;;BU) + %%1538: %%1814Finance Documents Rule %%1541: %%1814Finance Documents Rule %%4416: %%1814Finance Documents Rule %%4419: %%1814Finance Documents Rule %%4423: %%1814Finance Documents Rule + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2012, Windows 8. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that made an access request. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an access request. 
+ +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Object**: + +- **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event. + +- **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation. Always “**File**” for this event. + + The following table contains the list of the most common **Object Types**: + +| Directory | Event | Timer | Device | +|-------------------------|--------------|----------------------|--------------| +| Mutant | Type | File | Token | +| Thread | Section | WindowStation | DebugObject | +| FilterCommunicationPort | EventPair | Driver | IoCompletion | +| Controller | SymbolicLink | WmiGuid | Process | +| Profile | Desktop | KeyedEvent | Adapter | +| Key | WaitablePort | Callback | Semaphore | +| Job | Port | FilterConnectionPort | ALPC Port | + +- **Object Name** \[Type = UnicodeString\]: full path and name of the file or folder for which access was requested. + +- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. 
This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”. + +**Process Information:** + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the access was requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + +**Current Central Access Policy results:** + +- **Access Reasons** \[Type = UnicodeString\]: the list of access check results for Current Access Policy. The format of the result is:

+REQUESTED\_ACCESS: RESULT ACE\_WHICH\_PROVIDED\_OR\_DENIED\_ACCESS. + +The possible REQUESTED\_ACCESS values are listed in the table below. + +## Table of file access codes + +| Access | Hexadecimal Value | Description | +|-------------------------------------------------------|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| ReadData (or ListDirectory) | 0x1 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | +| WriteData (or AddFile) | 0x2 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
**AddFile -** For a directory, the right to create a file in the directory. | +| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. | +| ReadEA | 0x8 | The right to read extended file attributes. | +| WriteEA | 0x10 | The right to write extended file attributes. | +| Execute/Traverse | 0x20 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE**  [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | +| DeleteChild | 0x40 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | +| ReadAttributes | 0x80 | The right to read file attributes. | +| WriteAttributes | 0x100 | The right to write file attributes. | +| DELETE | 0x10000 | The right to delete the object. | +| READ\_CONTROL | 0x20000 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | +| WRITE\_DAC | 0x40000 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | +| WRITE\_OWNER | 0x80000 | The right to change the owner in the object's security descriptor | +| SYNCHRONIZE | 0x100000
| The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | +| ACCESS\_SYS\_SEC | 0x1000000 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | + +- RESULT: + + - Granted by + + - Denied by + + - Granted by ACE on parent folder + + - Not granted due to missing – after this sentence you will typically see missing user rights, for example SeSecurityPrivilege. + + - Unknown or unchecked + +- ACE\_WHICH\_PROVIDED\_OR\_DENIED\_ACCESS: + + - Ownership – if access was granted because of ownership of an object. + + - User Right name, for example SeSecurityPrivilege. + + - The [Security Descriptor Definition Language](event-5145.md#sddl-values-for-access-control-entry) (SDDL) value for the Access Control Entry (ACE) that granted or denied access. + +**Proposed Central Access Policy results that differ from the current Central Access Policy results:** + +- **Access Reasons** \[Type = UnicodeString\]: the list of access check results for Proposed Central Access Policy. Here you will see only ***denied*** requests. The format of the result is:

+ +REQUESTED\_ACCESS: NOT Granted by RULE\_NAME Rule. + +The possible REQUESTED\_ACCESS values are listed in the table below: + +| Access | Hexadecimal Value | Description | +|-------------------------------------------------------|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| ReadData (or ListDirectory) | 0x1 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | +| WriteData (or AddFile) | 0x2 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
**AddFile -** For a directory, the right to create a file in the directory. | +| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. | +| ReadEA | 0x8 | The right to read extended file attributes. | +| WriteEA | 0x10 | The right to write extended file attributes. | +| Execute/Traverse | 0x20 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE**  [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | +| DeleteChild | 0x40 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | +| ReadAttributes | 0x80 | The right to read file attributes. | +| WriteAttributes | 0x100 | The right to write file attributes. | +| DELETE | 0x10000 | The right to delete the object. | +| READ\_CONTROL | 0x20000 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | +| WRITE\_DAC | 0x40000 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | +| WRITE\_OWNER | 0x80000 | The right to change the owner in the object's security descriptor | +| SYNCHRONIZE | 0x100000
| The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | +| ACCESS\_SYS\_SEC | 0x1000000 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | + +- RULE\_NAME: the name of Central Access Rule which denied the access. + +## Security Monitoring Recommendations + +For 4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. + +- This event typically used for troubleshooting and testing of Proposed Central Access Policies for Dynamic Access Control. + diff --git a/windows/keep-secure/event-4819.md b/windows/keep-secure/event-4819.md new file mode 100644 index 0000000000..b9311464ea --- /dev/null +++ b/windows/keep-secure/event-4819.md @@ -0,0 +1,135 @@ +--- +title: 4819(S) Central Access Policies on the machine have been changed. (Windows 10) +description: Describes security event 4819(S) Central Access Policies on the machine have been changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4819(S): Central Access Policies on the machine have been changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4819 illustration + +***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) + +***Event Description:*** + +This event generates when [Central Access Policy](https://technet.microsoft.com/en-us/library/hh831425.aspx) on the machine have been changed. + +For example, it generates when a new [Central Access Policy](https://technet.microsoft.com/en-us/library/hh831425.aspx) was applied to the machine via Group Policy. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4819 + 0 + 0 + 13573 + 0 + 0x8020000000000000 + + 1187659 + + + Security + DC01.contoso.local + + +- + S-1-5-18 + DC01$ + CONTOSO + 0x3e7 + LSA + Central Access Policies + Main POlicy + + + + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2012, Windows 8. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that changed the Central Access Policies on the machine. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that changed the Central Access Policies on the machine. + +- **Account Domain** \[Type = UnicodeString\]**:** domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Object**: + +- **Object Server** \[Type = UnicodeString\]: has “**LSA**” value for this event. + +- **Object Type** \[Type = UnicodeString\]: The type of an object to which this event applies. Always “**Central Access Policies**” for this event. + + The following table contains the list of the most common **Object Types**: + +| Directory | Event | Timer | Device | +|-------------------------|--------------|----------------------|-------------------------| +| Mutant | Type | File | Token | +| Thread | Section | WindowStation | DebugObject | +| FilterCommunicationPort | EventPair | Driver | IoCompletion | +| Controller | SymbolicLink | WmiGuid | Process | +| Profile | Desktop | KeyedEvent | Central Access Policies | +| Key | WaitablePort | Callback | | +| Job | Port | FilterConnectionPort | | +| ALPC Port | Semaphore | Adapter | | + +**CAPs Added** \[Type = UnicodeString\]: the list of added Central Access Policies. Empty if no Central Access Policies were added. + +**CAPs Deleted** \[Type = UnicodeString\]: the list of deleted Central Access Policies. Empty if no Central Access Policies were deleted. + +**CAPs Modified** \[Type = UnicodeString\]: the list of modified Central Access Policies. 
Empty if no Central Access Policies were modified. + +**CAPs As-Is** \[Type = UnicodeString\]: the list of non-modified Central Access Policies. + +## Security Monitoring Recommendations + +For 4819(S): Central Access Policies on the machine have been changed. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. + +- This event can help you to track modifications, additions and deletions of Central Access Policies if it is required by your security monitoring policy. + +- + diff --git a/windows/keep-secure/event-4826.md b/windows/keep-secure/event-4826.md new file mode 100644 index 0000000000..fd9ab17f16 --- /dev/null +++ b/windows/keep-secure/event-4826.md @@ -0,0 +1,134 @@ +--- +title: 4826(S) Boot Configuration Data loaded. (Windows 10) +description: Describes security event 4826(S) Boot Configuration Data loaded. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4826(S): Boot Configuration Data loaded. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4826 illustration + +***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) + +***Event Description:*** + +This event generates every time system starts and load current [Boot Configuration Data](https://msdn.microsoft.com/en-us/library/windows/hardware/dn653287(v=vs.85).aspx) (BCD) settings. + +This event is always logged regardless of the "Audit Other Policy Change Events" sub-category setting. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4826 + 0 + 0 + 13573 + 0 + 0x8020000000000000 + + 751 + + + Security + WIN10-1 + + +- + S-1-5-18 + - + - + 0x3e7 + - + %%1843 + %%1846 + %%1843 + %%1843 + %%1848 + %%1843 + %%1843 + %%1843 + - + %%1848 + %%1843 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2012, Windows 8. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that reported this event. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. Always “S-1-5-18” for this event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported this event. Always “-“ for this event. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Always “-“ for this event. 
+ +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**General Settings:** + +- **Load Options** \[Type = UnicodeString\]**:** there is no information about this field in this document. + +- **Advanced Options** \[Type = UnicodeString\]**:** shows whether Windows is configured for system boot to the legacy menu (F8 menu) on the next boot (**Yes** or **No**). You can enable advanced boot using “bcdedit /set onetimeadvancedoptions yes” command. + +- **Configuration Access Policy** \[Type = UnicodeString\]**:** there is no information about this field in this document. + +- **System Event Logging** \[Type = UnicodeString\]**:** there is no information about this field in this document. + +- **Kernel Debugging** \[Type = UnicodeString\]**:** shows whether Windows [kernel debugging](https://msdn.microsoft.com/en-us/library/windows/hardware/ff542191(v=vs.85).aspx) is enabled or not (**Yes** or **No**). You can enable kernel debugging using “bcdedit /debug on” command. + +- **VSM Launch Type** \[Type = UnicodeString\]**:** there is no information about this field in this document. + +**Signature Settings:** + +- **Test Signing** \[Type = UnicodeString\]**:** shows whether Windows [test signing](https://msdn.microsoft.com/en-us/library/windows/hardware/dn653559(v=vs.85).aspx) is enabled or not (**Yes** or **No**). You can disable test signing using “bcdedit /set testsigning off” command. + +> **Note**  This parameter controls whether Windows 8.1, Windows 8, Windows 7, Windows Server 2008, or Windows Vista will load any type of test-signed kernel-mode code. This option is not set by default, which means test-signed kernel-mode drivers on 64-bit versions of Windows 8.1, Windows 8, Windows 7, Windows Server 2008, and Windows Vista will not load by default. 
After you run the BCDEdit command, restart the computer so that the change takes effect. For more information, see [Introduction to Test-Signing](https://msdn.microsoft.com/en-us/library/windows/hardware/ff547660(v=vs.85).aspx). + +- **Flight Signing** \[Type = UnicodeString\]**:** shows whether Windows flight signing (which allows flight-signed code signing certificates) is enabled or not (**Yes** or **No**). You can disable flight signing using “bcdedit /set flightsigning off” command. + +- **Disable Integrity Checks** \[Type = UnicodeString\]**:** shows whether Windows integrity check is disabled or not (**Yes** or **No**). You can disable integrity checks using “bcdedit /set nointegritychecks on” command. + +**HyperVisor Settings:** + +- **HyperVisor Load Options** \[Type = UnicodeString\]**:** shows hypervisor **loadoptions**. See more information here: . + +- **HyperVisor Launch Type** \[Type = UnicodeString\]**:** shows the hypervisor launch options (**Off** or **Auto**). If you are setting up a debugger to debug Hyper-V on a target computer, set this option to **Auto** on the target computer. For more information, see [Attaching to a Target Computer Running Hyper-V](https://msdn.microsoft.com/en-us/library/windows/hardware/ff538138(v=vs.85).aspx). Information about [Hyper-V](http://go.microsoft.com/fwlink/p/?linkid=271817) technology is available on Microsoft TechNet web site. + +- **HyperVisor Debugging** \[Type = UnicodeString\]**:** shows whether the hypervisor debugger is enabled or not (**Yes** or **No**). For information about hypervisor debugging, see [Attaching to a Target Computer Running Hyper-V](https://msdn.microsoft.com/en-us/library/windows/hardware/ff538138(v=vs.85).aspx). + +## Security Monitoring Recommendations + +For 4826(S): Boot Configuration Data loaded. 
+ +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. + +- If you have a standard or baseline for Boot Configuration Data settings defined, monitor this event and check whether the settings reported by the event are still the same as were defined in your standard or baseline. + diff --git a/windows/keep-secure/event-4864.md b/windows/keep-secure/event-4864.md new file mode 100644 index 0000000000..c889c54cdf --- /dev/null +++ b/windows/keep-secure/event-4864.md @@ -0,0 +1,53 @@ +--- +title: 4864(S) A namespace collision was detected. (Windows 10) +description: Describes security event 4864(S) A namespace collision was detected. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4864(S): A namespace collision was detected. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event is generated when a namespace collision was detected. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md) + +***Event Schema:*** + +*A namespace collision was detected.* + +*Target Type:%1* + +*Target Name:%2* + +*Forest Root:%3* + +*Top Level Name:%4* + +*DNS Name:%5* + +*NetBIOS Name:%6* + +*Security ID:%7* + +*New Flags:%8 * + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-4865.md b/windows/keep-secure/event-4865.md new file mode 100644 index 0000000000..90f686c80b --- /dev/null 
+++ b/windows/keep-secure/event-4865.md @@ -0,0 +1,150 @@ +--- +title: 4865(S) A trusted forest information entry was added. (Windows 10) +description: Describes security event 4865(S) A trusted forest information entry was added. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4865(S): A trusted forest information entry was added. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4865 illustration + +***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md) + +***Event Description:*** + +This event generates when new trusted forest information entry was added. + +This event is generated only on domain controllers. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4865 + 0 + 0 + 13569 + 0 + 0x8020000000000000 + + 1049810 + + + Security + DC01.contoso.local + + +- + Fabrikam.local + S-1-5-21-2703072690-1374247579-2643703677 + 0x648620 + 2 + 0 + - + Fabrikam.local + FABRIKAM + S-1-5-21-2703072690-1374247579-2643703677 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x138eb0 + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “add a trusted forest information entry” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “add a trusted forest information entry” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Trust Information:** + +- **Forest Root** \[Type = UnicodeString\]: the name of the Active Directory forest for which trusted forest information entry was added. + + + +- **Forest Root SID** \[Type = SID\]: the SID of the Active Directory forest for which trusted forest information entry was added. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + + + +- **Operation ID** \[Type = HexInt64\]: unique hexadecimal identifier of the operation. You can correlate this event with other events ([4866](event-4866.md)(S): A trusted forest information entry was removed, [4867](event-4867.md)(S): A trusted forest information entry was modified.) using this field. 
+ + + +- **Entry Type** \[Type = UInt32\]: the type of added entry: + +| Value | Type Name | Description | +|-------|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | ForestTrustTopLevelName | The [DNS name](https://msdn.microsoft.com/en-us/library/cc234227.aspx#gt_102a36e2-f66f-49e2-bee3-558736b2ecd5) of the [trusted forest](https://msdn.microsoft.com/en-us/library/cc234227.aspx#gt_3b76a71f-9697-4836-9c69-09899b23c21b). The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](https://msdn.microsoft.com/en-us/library/cc234258.aspx) | +| 1 | ForestTrustTopLevelNameEx | This type commonly used for name suffix exceptions. The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](https://msdn.microsoft.com/en-us/library/cc234258.aspx). | +| 2 | ForestTrustDomainInfo | This field specifies a record containing identification and name information | + +- **Flags** \[Type = UInt32\]: The following table specifies the possible flags. + + Some flag values are reused for different forest record types. See the “Meaning” column for more information. + +| Value | Trust Type | Meaning | +|-------|------------------------------------------------------------|------------------------------------------------------------------------------| +| 0 | - | No flags were set. | +| 1 | ForestTrustTopLevelNameEx
ForestTrustTopLevelName | The top-level name trust record is disabled during initial creation. | +| | ForestTrustDomainInfo | The domain information trust record is disabled by the domain administrator. | +| 2 | ForestTrustTopLevelNameEx
ForestTrustTopLevelName | The top-level name trust record is disabled by the domain administrator. | +| | ForestTrustDomainInfo | The domain information trust record is disabled due to a conflict. | +| 4 | ForestTrustTopLevelNameEx
ForestTrustTopLevelName | The top-level name trust record is disabled due to a conflict. | +| | ForestTrustDomainInfo | The domain information trust record is disabled by the domain administrator. | +| 8 | ForestTrustDomainInfo | The domain information trust record is disabled due to a conflict. | + +- **Top Level Name** \[Type = UnicodeString\]: the name of the new trusted forest information entry. + +- **DNS Name** \[Type = UnicodeString\]: DNS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”. + +- **NetBIOS Name** \[Type = UnicodeString\]: NetBIOS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”. + +- **Domain SID** \[Type = SID\]: SID of the trust partner. This parameter might not be captured in the event, and in that case appears as “NULL SID”. + +## Security Monitoring Recommendations + +For 4865(S): A trusted forest information entry was added. + +- Any changes related to Active Directory forest trusts (especially creation of the new trust) must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4866.md b/windows/keep-secure/event-4866.md new file mode 100644 index 0000000000..1fc701f4d1 --- /dev/null +++ b/windows/keep-secure/event-4866.md 
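Review bot: the Flags table in event-4865.md gives identical Meaning text to the ForestTrustDomainInfo rows for value 1 and value 4 ("The domain information trust record is disabled by the domain administrator") and again for value 2 and value 8 ("... disabled due to a conflict"), so a reader cannot tell what distinguishes 1 from 4 or 2 from 8. MS-LSAD defines separate admin/conflict disable flags for the record's SID (the lower pair) and for its NetBIOS name (the upper pair); spelling that out in the Meaning column would make the table usable for triage. Also, the "ForestTrustTopLevelNameEx / ForestTrustTopLevelName" cells are split across a line break, which a Markdown table row does not render; join the two names with `<br>` or a comma. Minor wording: "This type commonly used for name suffix exceptions" is missing "is", and "for which trusted forest information entry was added" needs "the" before "trusted".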
@@ -0,0 +1,150 @@ +--- +title: 4866(S) A trusted forest information entry was removed. (Windows 10) +description: Describes security event 4866(S) A trusted forest information entry was removed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4866(S): A trusted forest information entry was removed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4866 illustration + +***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md) + +***Event Description:*** + +This event generates when the trusted forest information entry was removed. + +This event is generated only on domain controllers. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4865 + 0 + 0 + 13569 + 0 + 0x8020000000000000 + + 1049810 + + + Security + DC01.contoso.local + + +- + Fabrikam.local + S-1-5-21-2703072690-1374247579-2643703677 + 0x648620 + 2 + 0 + - + Fabrikam.local + FABRIKAM + S-1-5-21-2703072690-1374247579-2643703677 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x138eb0 + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “remove a trusted forest information entry” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “remove a trusted forest information entry” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Trust Information:** + +- **Forest Root** \[Type = UnicodeString\]: the name of the Active Directory forest for which trusted forest information entry was removed. + + + +- **Forest Root SID** \[Type = SID\]: the SID of the Active Directory forest for which trusted forest information entry was removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + + + +- **Operation ID** \[Type = HexInt64\]: unique hexadecimal identifier of the operation. You can correlate this event with other events ([4865](event-4865.md)(S): A trusted forest information entry was added, [4867](event-4867.md)(S): A trusted forest information entry was modified.) using this field. 
+ + + +- **Entry Type** \[Type = UInt32\]: the type of removed entry: + +| Value | Type Name | Description | +|-------|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | ForestTrustTopLevelName | The [DNS name](https://msdn.microsoft.com/en-us/library/cc234227.aspx#gt_102a36e2-f66f-49e2-bee3-558736b2ecd5) of the [trusted forest](https://msdn.microsoft.com/en-us/library/cc234227.aspx#gt_3b76a71f-9697-4836-9c69-09899b23c21b). The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](https://msdn.microsoft.com/en-us/library/cc234258.aspx) | +| 1 | ForestTrustTopLevelNameEx | This type commonly used for name suffix exceptions. The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](https://msdn.microsoft.com/en-us/library/cc234258.aspx). | +| 2 | ForestTrustDomainInfo | This field specifies a record containing identification and name information | + +- **Flags** \[Type = UInt32\]: The following table specifies the possible flags. + + Some flag values are reused for different forest record types. See the “Meaning” column for more information. + +| Value | Trust Type | Meaning | +|-------|------------------------------------------------------------|------------------------------------------------------------------------------| +| 0 | - | No flags were set. | +| 1 | ForestTrustTopLevelNameEx
ForestTrustTopLevelName | The top-level name trust record is disabled during initial creation. | +| | ForestTrustDomainInfo | The domain information trust record is disabled by the domain administrator. | +| 2 | ForestTrustTopLevelNameEx
ForestTrustTopLevelName | The top-level name trust record is disabled by the domain administrator. | +| | ForestTrustDomainInfo | The domain information trust record is disabled due to a conflict. | +| 4 | ForestTrustTopLevelNameEx
ForestTrustTopLevelName | The top-level name trust record is disabled due to a conflict. | +| | ForestTrustDomainInfo | The domain information trust record is disabled by the domain administrator. | +| 8 | ForestTrustDomainInfo | The domain information trust record is disabled due to a conflict. | + +- **Top Level Name** \[Type = UnicodeString\]: the name of the removed trusted forest information entry. + +- **DNS Name** \[Type = UnicodeString\]: DNS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”. + +- **NetBIOS Name** \[Type = UnicodeString\]: NetBIOS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”. + +- **Domain SID** \[Type = SID\]: SID of the trust partner. This parameter might not be captured in the event, and in that case appears as “NULL SID”. + +## Security Monitoring Recommendations + +For 4866(S): A trusted forest information entry was removed. + +- Any changes related to Active Directory forest trusts (especially trust removal) must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4867.md b/windows/keep-secure/event-4867.md new file mode 100644 index 0000000000..57fc10f7da --- /dev/null +++ b/windows/keep-secure/event-4867.md 
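Review bot: the Event XML sample in event-4866.md is not a 4866 record: the event ID line reads 4865 and the record ID 1049810 is the same value that appears in the event-4867.md sample, so the block looks copied unchanged from the 4865 topic. Replace it with a captured 4866 event so the sample matches the title and the "removed" wording of the field descriptions. Same wording nits as the 4865 topic: "This type commonly used" (missing "is") and "for which trusted forest information entry was removed" (missing "the"); since the three trust-entry topics share this text, fix it in all of them together.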
@@ -0,0 +1,152 @@ +--- +title: 4867(S) A trusted forest information entry was modified. (Windows 10) +description: Describes security event 4867(S) A trusted forest information entry was modified. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4867(S): A trusted forest information entry was modified. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4867 illustration + +***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md) + +***Event Description:*** + +This event generates the trusted forest information entry was modified. + +This event is generated only on domain controllers. + +This event contains new values only, it doesn’t contains old values and it doesn’t show you which trust attributes were modified. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4865 + 0 + 0 + 13569 + 0 + 0x8020000000000000 + + 1049810 + + + Security + DC01.contoso.local + + +- + Fabrikam.local + S-1-5-21-2703072690-1374247579-2643703677 + 0x648620 + 2 + 0 + - + Fabrikam.local + FABRIKAM + S-1-5-21-2703072690-1374247579-2643703677 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x138eb0 + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify/change a trusted forest information entry” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify/change a trusted forest information entry” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Trust Information:** + +- **Forest Root** \[Type = UnicodeString\]: the name of the Active Directory forest for which trusted forest information entry was modified. + + + +- **Forest Root SID** \[Type = SID\]: the SID of the Active Directory forest for which trusted forest information entry was modified. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + + + +- **Operation ID** \[Type = HexInt64\]: unique hexadecimal identifier of the operation. You can correlate this event with other events ([4865](event-4865.md)(S): A trusted forest information entry was added, [4866](event-4866.md)(S): A trusted forest information entry was removed) using this field. 
+ + + +- **Entry Type** \[Type = UInt32\]: the type of modified entry: + +| Value | Type Name | Description | +|-------|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | ForestTrustTopLevelName | The [DNS name](https://msdn.microsoft.com/en-us/library/cc234227.aspx#gt_102a36e2-f66f-49e2-bee3-558736b2ecd5) of the [trusted forest](https://msdn.microsoft.com/en-us/library/cc234227.aspx#gt_3b76a71f-9697-4836-9c69-09899b23c21b). The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](https://msdn.microsoft.com/en-us/library/cc234258.aspx) | +| 1 | ForestTrustTopLevelNameEx | This type commonly used for name suffix exceptions. The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](https://msdn.microsoft.com/en-us/library/cc234258.aspx). | +| 2 | ForestTrustDomainInfo | This field specifies a record containing identification and name information | + +- **Flags** \[Type = UInt32\]: The following table specifies the possible flags. + + Some flag values are reused for different forest record types. See the “Meaning” column for more information. + +| Value | Trust Type | Meaning | +|-------|------------------------------------------------------------|------------------------------------------------------------------------------| +| 0 | - | No flags were set. | +| 1 | ForestTrustTopLevelNameEx
ForestTrustTopLevelName | The top-level name trust record is disabled during initial creation. | +| | ForestTrustDomainInfo | The domain information trust record is disabled by the domain administrator. | +| 2 | ForestTrustTopLevelNameEx
ForestTrustTopLevelName | The top-level name trust record is disabled by the domain administrator. | +| | ForestTrustDomainInfo | The domain information trust record is disabled due to a conflict. | +| 4 | ForestTrustTopLevelNameEx
ForestTrustTopLevelName | The top-level name trust record is disabled due to a conflict. | +| | ForestTrustDomainInfo | The domain information trust record is disabled by the domain administrator. | +| 8 | ForestTrustDomainInfo | The domain information trust record is disabled due to a conflict. | + +- **Top Level Name** \[Type = UnicodeString\]: the name of the modified trusted forest information entry. + +- **DNS Name** \[Type = UnicodeString\]: DNS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”. + +- **NetBIOS Name** \[Type = UnicodeString\]: NetBIOS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”. + +- **Domain SID** \[Type = SID\]: SID of the trust partner. This parameter might not be captured in the event, and in that case appears as “NULL SID”. + +## Security Monitoring Recommendations + +For 4867(S): A trusted forest information entry was modified. + +- Any changes in Active Directory forest trust settings must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4902.md b/windows/keep-secure/event-4902.md new file mode 100644 index 0000000000..f8979e200f --- /dev/null +++ b/windows/keep-secure/event-4902.md 
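Review bot: event-4867.md has the same copy-paste sample as event-4866.md: the XML shows event ID 4865 and record ID 1049810 rather than a 4867 event. The description sentence "This event generates the trusted forest information entry was modified." has lost "when", and "it doesn't contains old values" should read "it doesn't contain old values". The statement that the event carries only new values and does not indicate which attributes changed is the most useful line in this topic; consider adding to the recommendations that the previous 4865 or 4867 record for the same Forest Root (correlated through Operation ID, as the field description suggests) is the baseline an investigator must compare against to see what actually changed.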
@@ -0,0 +1,80 @@ +--- +title: 4902(S) The Per-user audit policy table was created. (Windows 10) +description: Describes security event 4902(S) The Per-user audit policy table was created. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4902(S): The Per-user audit policy table was created. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4902 illustration + +***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md) + +***Event Description:*** + +This event generates during system startup if Per-user audit policy is defined on the computer. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4902 + 0 + 0 + 13568 + 0 + 0x8020000000000000 + + 1049490 + + + Security + DC01.contoso.local + + +- + 1 + 0x703e + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Number of Elements** \[Type = UInt32\]: number of users for which Per-user policies were defined (number of unique users). You can get the list of users for which Per-user policies are defined using “auditpol /list /user” command: + +Auditpol list user illustration + +**Policy ID** \[Type = HexInt64\]: unique per-User Audit Policy hexadecimal identifier. + +## Security Monitoring Recommendations + +For 4902(S): The Per-user audit policy table was created. + +- If you don’t expect to see any per-User Audit Policies enabled on specific computers (**Computer**), monitor for these events. + +- If you don’t use per-User Audit Policies in your network, monitor for these events. + +- Typically this is an informational event and has little to no security relevance. + diff --git a/windows/keep-secure/event-4904.md b/windows/keep-secure/event-4904.md new file mode 100644 index 0000000000..85d903d952 --- /dev/null +++ b/windows/keep-secure/event-4904.md 
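Review bot: the recommendations in event-4902.md pull in two directions: the first two bullets say to monitor these events where per-user audit policy is unexpected or unused, while the last bullet says the event "has little to no security relevance". State the condition once: the event is informational on systems where per-user policy is expected, and worth an alert where it is not, because an unexpected per-user audit policy table means someone defined auditing exceptions for specific accounts. Also quote the command consistently as `auditpol /list /user` in code style rather than in curly quotes, as it is something the reader types.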
@@ -0,0 +1,132 @@ +--- +title: 4904(S) An attempt was made to register a security event source. (Windows 10) +description: Describes security event 4904(S) An attempt was made to register a security event source. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4904(S): An attempt was made to register a security event source. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4904 illustration + +***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md) + +***Event Description:*** + +This event generates every time a new [security event source](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363661(v=vs.85).aspx) is registered. + +You can typically see this event during system startup, if specific roles (Internet Information Services, for example) are installed in the system. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4904 + 0 + 0 + 13568 + 0 + 0x8020000000000000 + + 1049538 + + + Security + DC01.contoso.local + + +- + S-1-5-18 + DC01$ + CONTOSO + 0x3e7 + FSRM Audit + 0x1cc4e + 0x688 + C:\\Windows\\System32\\svchost.exe + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that made an attempt to register a security event source. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to register a security event source. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Process:** + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted to register the security event source. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + +**Event Source:** + +- **Source Name** \[Type = UnicodeString\]: the name of registered security event source. You can see all registered security event source names in this registry path: “HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security”. Here is an example: + + Subkeys under Security key illustration + +- **Event Source ID** \[Type = HexInt64\]: the unique hexadecimal identifier of registered security event source. 
+ +## Security Monitoring Recommendations + +For 4904(S): An attempt was made to register a security event source. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. + +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + +- If you have a pre-defined list of allowed security event sources for specific computers or computer types, then you can use this event and check whether “**Event Source\\Source Name**”is in your defined list. + +- Typically this event has an informational purpose. + diff --git a/windows/keep-secure/event-4905.md b/windows/keep-secure/event-4905.md new file mode 100644 index 0000000000..1bc58fabcc --- /dev/null +++ b/windows/keep-secure/event-4905.md 
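Review bot: the sample Process Name in the event-4904.md XML block, `C:\\Windows\\System32\\svchost.exe`, sits inside a fenced code block where backslashes are literal, so it will render with doubled backslashes; use single backslashes there (the escaped form is only needed in the prose registry path "HKEY\_LOCAL\_MACHINE\\SYSTEM\\..."). The field group heading "**Process:**" also differs from "**Process Information:**" used for the same two fields in event-4905.md, and "Process Information" is the name the bullets already use when pointing at event 4688; pick that one in both topics. Minor: "“**Event Source\\Source Name**”is in your defined list" is missing a space after the closing quote.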
@@ -0,0 +1,132 @@ +--- +title: 4905(S) An attempt was made to unregister a security event source. (Windows 10) +description: Describes security event 4905(S) An attempt was made to unregister a security event source. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4905(S): An attempt was made to unregister a security event source. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4905 illustration + +***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md) + +***Event Description:*** + +This event generates every time a [security event source](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363661(v=vs.85).aspx) is unregistered. + +You typically see this event if specific roles were removed, for example, Internet Information Services. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4905 + 0 + 0 + 13568 + 0 + 0x8020000000000000 + + 1049718 + + + Security + DC01.contoso.local + + +- + S-1-5-18 + DC01$ + CONTOSO + 0x3e7 + IIS-METABASE + 0x20c15f + 0xd90 + - + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that made an attempt to unregister a security event source. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to unregister a security event source. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Process Information:** + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted to unregister the security event source. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + +**Event Source:** + +- **Source Name** \[Type = UnicodeString\]: the name of unregistered security event source. You can see all registered security event source names in this registry path: “HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security”. Here is an example: + + Subkeys under Security key illustration + +- **Event Source ID** \[Type = HexInt64\]: the unique hexadecimal identifier of unregistered security event source. 
+ +## Security Monitoring Recommendations + +For 4905(S): An attempt was made to unregister a security event source. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. + +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + +- If you have a list of critical security event sources which should never have been unregistered, then you can use this event and check the “**Event Source\\Source Name**.” + +- Typically this event has an informational purpose. + diff --git a/windows/keep-secure/event-4906.md b/windows/keep-secure/event-4906.md new file mode 100644 index 0000000000..b7e82beaac --- /dev/null +++ b/windows/keep-secure/event-4906.md 
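Review bot: the sample event in event-4905.md shows Process Name as "-", but the field description says only "full path and the name of the executable for the process". Add the caveat used for other fields ("This parameter might not be captured in the event, and in that case appears as “-”"), because the recommendations tell readers to build rules on Process Name, and a rule that expects a path will misfire or silently skip unregister events where the field is empty. Wording: "the name of unregistered security event source" should read "the name of the unregistered security event source", and the registry-path sentence says "all registered ... names", which is fine for a source that has just been unregistered only if the reader understands the key may no longer contain it; say so.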
@@ -0,0 +1,81 @@ +--- +title: 4906(S) The CrashOnAuditFail value has changed. (Windows 10) +description: Describes security event 4906(S) The CrashOnAuditFail value has changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4906(S): The CrashOnAuditFail value has changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4906 illustration + +***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md) + +***Event Description:*** + +This event generates every time **CrashOnAuditFail** audit flag value was modified. + +This event is always logged regardless of the "Audit Policy Change" sub-category setting. + +More information about **CrashOnAuditFail** flag can be found [here](https://technet.microsoft.com/en-us/library/cc963220.aspx). + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4906 + 0 + 0 + 13568 + 0 + 0x8020000000000000 + + 1049529 + + + Security + DC01.contoso.local + + +- + 1 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**New Value of CrashOnAuditFail** \[Type = UInt32\]**:** contains new value of **CrashOnAuditFail** flag. Possible values are: + +- 0 - The feature is off. The system does not halt, even when it cannot record events in the Security Log. + +- 1 - The feature is on. The system halts when it cannot record an event in the Security Log. + +- 2 - The feature is on and has been triggered. The system halted because it could not record an auditable event in the Security Log. Only members of the Administrators group can log on. + +## Security Monitoring Recommendations + +For 4906(S): The CrashOnAuditFail value has changed. + +- Any changes of **CrashOnAuditFail** audit flag that are reported by this event must be monitored, and an alert should be triggered. If this change was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4907.md b/windows/keep-secure/event-4907.md new file mode 100644 index 0000000000..0867cad21e --- /dev/null +++ b/windows/keep-secure/event-4907.md 
@@ -0,0 +1,285 @@ +--- +title: 4907(S) Auditing settings on object were changed. (Windows 10) +description: Describes security event 4907(S) Auditing settings on object were changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4907(S): Auditing settings on object were changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4907 illustration + +***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md) + +***Event Description:*** + +This event generates when the [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) of an object (for example, a registry key or file) was changed. + +This event doesn't generate for Active Directory objects. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4907 + 0 + 0 + 13568 + 0 + 0x8020000000000000 + + 1049732 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x138eb0 + Security + Key + \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\EventLog\\Internet Explorer + 0x2f8 + S:AI + S:ARAI(AU;CISA;KA;;;S-1-5-21-3457937927-2839227994-823803824-1104) + 0x120c + C:\\Windows\\regedit.exe + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that made a change to object’s auditing settings. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to object’s auditing settings. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Object**: + +- **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event. + +- **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation. + + The following table contains the list of the most common **Object Types**: + +| Directory | Event | Timer | Device | +|-------------------------|--------------|----------------------|--------------------| +| Mutant | Type | File | Token | +| Thread | Section | WindowStation | DebugObject | +| FilterCommunicationPort | EventPair | Driver | IoCompletion | +| Controller | SymbolicLink | WmiGuid | Process | +| Profile | Desktop | KeyedEvent | SC\_MANAGER OBJECT | +| Key | WaitablePort | Callback | | +| Job | Port | FilterConnectionPort | | +| ALPC Port | Semaphore | Adapter | | + +- **Object Name** \[Type = UnicodeString\]: full path and name of the object for which the [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) was modified. Depends on **Object Type**. 
Here are some examples: + + - The format for **Object Type** = “Key” is: \\REGISTRY\\HIVE\\PATH where: + + - HIVE: + + - HKEY\_LOCAL\_MACHINE = \\REGISTRY\\MACHINE + + - HKEY\_CURRENT\_USER = \\REGISTRY\\USER\\\[USER\_SID\], where \[USER\_SID\] is the SID of current user. + + - HKEY\_CLASSES\_ROOT = \\REGISTRY\\MACHINE\\SOFTWARE\\Classes + + - HKEY\_USERS = \\REGISTRY\\USER + + - HKEY\_CURRENT\_CONFIG = \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Hardware Profiles\\Current + + - PATH – path to the registry key. + + - The format for **Object Type** = “File” is: full path and name of the file or folder for which [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) was modified. + +- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4656](event-4656.md): A handle to an object was requested.” Event for registry keys or with **Handle ID** field in “[4656](event-4656.md)(S, F): A handle to an object was requested.” Event for file system objects. This parameter might not be captured in the event, and in that case appears as “0x0”. + +**Process Information:** + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) was changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. 
+ +- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + +**Auditing Settings:** + +- **Original Security Descriptor** \[Type = UnicodeString\]**:** the old Security Descriptor Definition Language (SDDL) value for the object. + +- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object. + +> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. + +> Example: + +> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) + +> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. +> See the list of possible values in the table below: + +| Value | Description | Value | Description | +|-------|--------------------------------------|-------|---------------------------------| +| "AO" | Account operators | "PA" | Group Policy administrators | +| "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user | +| "AN" | Anonymous logon | "LA" | Local administrator | +| "AU" | Authenticated users | "LG" | Local guest | +| "BA" | Built-in administrators | "LS" | Local service account | +| "BG" | Built-in guests | "SY" | Local system | +| "BO" | Backup operators | "NU" | Network logon user | +| "BU" | Built-in users | "NO" | Network configuration operators | +| "CA" | Certificate server administrators | "NS" | Network service account | +| "CG" | Creator group | "PO" | Printer operators | +| "CO" | Creator owner | "PS" | Personal self | +| "DA" | Domain administrators | "PU" | Power users | +| "DC" | Domain computers | "RS" | RAS servers group | +| "DD" | Domain controllers | "RD" | Terminal server users | +| "DG" | Domain guests | "RE" | Replicator | +| 
"DU" | Domain users | "RC" | Restricted code | +| "EA" | Enterprise administrators | "SA" | Schema administrators | +| "ED" | Enterprise domain controllers | "SO" | Server operators | +| "WD" | Everyone | "SU" | Service logon user | + +- *G*: = Primary Group. +- *D*: = DACL Entries. +- *S*: = SACL Entries. + +*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid) + +Example: D:(A;;FA;;;WD) + +- entry\_type: + +“D” - DACL + +“S” - SACL + +- inheritance\_flags: + +"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked. + +"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set. + +"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object. + +- ace\_type: + +"A" - ACCESS ALLOWED + +"D" - ACCESS DENIED + +"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s). + +"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s). + +"AU" - SYSTEM AUDIT + +"A" - SYSTEM ALARM + +"OU" - OBJECT SYSTEM AUDIT + +"OL" - OBJECT SYSTEM ALARM + +- ace\_flags: + +"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE. + +"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE. + +"NP" - NO PROPAGATE: only immediate children inherit this ace. + +"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance. + +"ID" - ACE IS INHERITED + +"SA" - SUCCESSFUL ACCESS AUDIT + +"FA" - FAILED ACCESS AUDIT +- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. 
+ +| Value | Description | Value | Description | +|----------------------------|---------------------------------|----------------------|--------------------------| +| Generic access rights | Directory service access rights | +| "GA" | GENERIC ALL | "RC" | Read Permissions | +| "GR" | GENERIC READ | "SD" | Delete | +| "GW" | GENERIC WRITE | "WD" | Modify Permissions | +| "GX" | GENERIC EXECUTE | "WO" | Modify Owner | +| File access rights | "RP" | Read All Properties | +| "FA" | FILE ALL ACCESS | "WP" | Write All Properties | +| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects | +| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects | +| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents | +| Registry key access rights | "SW" | All Validated Writes | +| "KA" | "LO" | "LO" | List Object | +| "K" | KEY READ | "DT" | Delete Subtree | +| "KW" | KEY WRITE | "CR" | All Extended Rights | +| "KX" | KEY EXECUTE | | | + +- object\_guid: N/A +- inherit\_object\_guid: N/A +- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. + +For more information about SDDL syntax, see these articles: , . + +## Security Monitoring Recommendations + +For 4907(S): Auditing settings on object were changed. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you need to monitor events related to specific Windows object types (“**Object Type**”), for example **File** or **Key**, monitor this event for the corresponding “**Object Type**.” + +- If you need to monitor all SACL changes for specific files, folders, registry keys, or other object types, monitor for “**Object Name**” field value which has specific object name. 
+ + + +- If you have critical file or registry objects and you need to monitor all modifications (especially changes in SACL), monitor for specific “**Object\\Object Name”**. + +- If you have high-value computers for which you need to monitor all changes for all or specific file or registry objects, monitor for all [4907](event-4907.md) events on these computers**.** + diff --git a/windows/keep-secure/event-4908.md b/windows/keep-secure/event-4908.md new file mode 100644 index 0000000000..c76f86b814 --- /dev/null +++ b/windows/keep-secure/event-4908.md @@ -0,0 +1,89 @@ +--- +title: 4908(S) Special Groups Logon table modified. (Windows 10) +description: Describes security event 4908(S) Special Groups Logon table modified. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4908(S): Special Groups Logon table modified. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4908 illustration + +***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md) + +***Event Description:*** + +This event generates every time Special Groups logon table was modified. + +This event also generates during system startup. + +This event is always logged regardless of the "Audit Policy Change" sub-category setting. + +More information about Special Groups auditing can be found here: + + + + + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4908 + 0 + 0 + 13568 + 0 + 0x8020000000000000 + + 1049511 + + + Security + DC01.contoso.local + + +- + %{S-1-5-21-3457937927-2839227994-823803824-512} + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Special Groups** \[Type = UnicodeString\]**:** contains current list of SIDs (groups or accounts) which are members of Special Groups. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +“HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Audit\\SpecialGroups” registry value contains current list of SIDs which are included in Special Groups: + +Registry Editor Audit key illustration + +## Security Monitoring Recommendations + +For 4908(S): Special Groups Logon table modified. + +- If you use the Special Groups feature, then this event should be always monitored, especially on high value assets or computers. If this change was not planned, investigate the reason for the change. 
+ +- If you don’t use the Special Groups feature, then this event should be always monitored because it indicates use of the Special Groups feature outside of your standard procedures. + diff --git a/windows/keep-secure/event-4909.md b/windows/keep-secure/event-4909.md new file mode 100644 index 0000000000..f3f6b7d90e --- /dev/null +++ b/windows/keep-secure/event-4909.md @@ -0,0 +1,21 @@ +--- +title: 4909(-) The local policy settings for the TBS were changed. (Windows 10) +description: Describes security event 4909(-) The local policy settings for the TBS were changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4909(-): The local policy settings for the TBS were changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. + +***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) + diff --git a/windows/keep-secure/event-4910.md b/windows/keep-secure/event-4910.md new file mode 100644 index 0000000000..bf7110033f --- /dev/null +++ b/windows/keep-secure/event-4910.md @@ -0,0 +1,21 @@ +--- +title: 4910(-) The group policy settings for the TBS were changed. (Windows 10) +description: Describes security event 4910(-) The group policy settings for the TBS were changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4910(-): The group policy settings for the TBS were changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. + +***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) + diff --git a/windows/keep-secure/event-4911.md b/windows/keep-secure/event-4911.md new file mode 100644 index 0000000000..20a174c857 --- /dev/null 
+++ b/windows/keep-secure/event-4911.md @@ -0,0 +1,282 @@ +--- +title: 4911(S) Resource attributes of the object were changed. (Windows 10) +description: Describes security event 4911(S) Resource attributes of the object were changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4911(S): Resource attributes of the object were changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4911 illustration + +***Subcategory:*** [Audit Authorization Policy Change](audit-authorization-policy-change.md) + +***Event Description:*** + +This event generates when [resource attributes](http://blogs.technet.com/b/canitpro/archive/2013/05/07/step-by-step-protecting-your-information-with-dynamic-access-control.aspx) of the file system object were changed. + +Resource attributes for file or folder can be changed, for example, using Windows File Explorer (object’s Properties->Classification tab). + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4911 + 0 + 0 + 13570 + 0 + 0x8020000000000000 + + 1183714 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x37925 + Security + File + C:\\Audit Files\\HBI Data.txt + 0x49c + S:AI + S:ARAI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000)) + 0x67c + C:\\Windows\\System32\\svchost.exe + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2012, Windows 8. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that changed the resource attributes of the file system object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that changed the resource attributes of the file system object. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Object**: + +- **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event. + +- **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation. Always **“File”** for this event. + + The following table contains the list of the most common **Object Types**: + +| Directory | Event | Timer | Device | +|-------------------------|--------------|----------------------|--------------| +| Mutant | Type | File | Token | +| Thread | Section | WindowStation | DebugObject | +| FilterCommunicationPort | EventPair | Driver | IoCompletion | +| Controller | SymbolicLink | WmiGuid | Process | +| Profile | Desktop | KeyedEvent | Adapter | +| Key | WaitablePort | Callback | Semaphore | +| Job | Port | FilterConnectionPort | ALPC Port | + +- **Object Name** \[Type = UnicodeString\]: full path and/or name of the object for which resource attributes were changed. + + + +- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. 
This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”. + +**Process Information:** + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the resource attributes of the file system object were changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + +**Resource Attributes:** + +- **Original Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the old resource attributes. + + For example: S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000)) + + - Impact\_MS: Resource Property ***ID***. + + - 3000: Recourse Property ***Value***. + +Impact property illustration + +> If no resource attributes were set to the object, then SDDL will not contain any attributes, for example “**S:AI**”. + +- **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new resource attributes. See more information in **Resource Attributes\\Original Security Descriptor** field section for this event. 
+ +> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. + +> Example: + +> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) + +> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. +> See the list of possible values in the table below: + +| Value | Description | Value | Description | +|-------|--------------------------------------|-------|---------------------------------| +| "AO" | Account operators | "PA" | Group Policy administrators | +| "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user | +| "AN" | Anonymous logon | "LA" | Local administrator | +| "AU" | Authenticated users | "LG" | Local guest | +| "BA" | Built-in administrators | "LS" | Local service account | +| "BG" | Built-in guests | "SY" | Local system | +| "BO" | Backup operators | "NU" | Network logon user | +| "BU" | Built-in users | "NO" | Network configuration operators | +| "CA" | Certificate server administrators | "NS" | Network service account | +| "CG" | Creator group | "PO" | Printer operators | +| "CO" | Creator owner | "PS" | Personal self | +| "DA" | Domain administrators | "PU" | Power users | +| "DC" | Domain computers | "RS" | RAS servers group | +| "DD" | Domain controllers | "RD" | Terminal server users | +| "DG" | Domain guests | "RE" | Replicator | +| "DU" | Domain users | "RC" | Restricted code | +| "EA" | Enterprise administrators | "SA" | Schema administrators | +| "ED" | Enterprise domain controllers | "SO" | Server operators | +| "WD" | Everyone | "SU" | Service logon user | + +- *G*: = Primary Group. +- *D*: = DACL Entries. +- *S*: = SACL Entries. 
+ +*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid) + +Example: D:(A;;FA;;;WD) + +- entry\_type: + +“D” - DACL + +“S” - SACL + +- inheritance\_flags: + +"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked. + +"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set. + +"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object. + +- ace\_type: + +"A" - ACCESS ALLOWED + +"D" - ACCESS DENIED + +"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s). + +"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s). + +"AU" - SYSTEM AUDIT + +"A" - SYSTEM ALARM + +"OU" - OBJECT SYSTEM AUDIT + +"OL" - OBJECT SYSTEM ALARM + +- ace\_flags: + +"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE. + +"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE. + +"NP" - NO PROPAGATE: only immediate children inherit this ace. + +"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance. + +"ID" - ACE IS INHERITED + +"SA" - SUCCESSFUL ACCESS AUDIT + +"FA" - FAILED ACCESS AUDIT +- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. 
+ +| Value | Description | Value | Description | +|----------------------------|---------------------------------|----------------------|--------------------------| +| Generic access rights | Directory service access rights | +| "GA" | GENERIC ALL | "RC" | Read Permissions | +| "GR" | GENERIC READ | "SD" | Delete | +| "GW" | GENERIC WRITE | "WD" | Modify Permissions | +| "GX" | GENERIC EXECUTE | "WO" | Modify Owner | +| File access rights | "RP" | Read All Properties | +| "FA" | FILE ALL ACCESS | "WP" | Write All Properties | +| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects | +| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects | +| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents | +| Registry key access rights | "SW" | All Validated Writes | +| "KA" | "LO" | "LO" | List Object | +| "K" | KEY READ | "DT" | Delete Subtree | +| "KW" | KEY WRITE | "CR" | All Extended Rights | +| "KX" | KEY EXECUTE | | | + +- object\_guid: N/A +- inherit\_object\_guid: N/A +- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. + +For more information about SDDL syntax, see these articles: , . + +## Security Monitoring Recommendations + +For 4911(S): Resource attributes of the object were changed. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you need to monitor events related to specific Windows object types (“**Object Type**”), for example **File** or **Key**, monitor this event for the corresponding “**Object Type**.” + +- If you need to monitor all changes to specific files or folders (in this case, changes to resource attributes), monitor for the “**Object Name**” that corresponds to the file or folder. 
+ +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + + + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + +- You can track changes when, for example, a file was marked as High Impact, or was changed from High Impact to Medium Impact, or a resource was marked as a data type for a specific department and so on. This event can help track changes and resource attribute assignments, which you can see in “**Original Security Descriptor”** and “**New Security Descriptor”** fields. + diff --git a/windows/keep-secure/event-4912.md b/windows/keep-secure/event-4912.md new file mode 100644 index 0000000000..bc9856672a --- /dev/null +++ b/windows/keep-secure/event-4912.md 
@@ -0,0 +1,178 @@ +--- +title: 4912(S) Per User Audit Policy was changed. (Windows 10) +description: Describes security event 4912(S) Per User Audit Policy was changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4912(S): Per User Audit Policy was changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4912 illustration + +***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md) + +***Event Description:*** + +This event generates every time [Per User Audit Policy](http://windowsitpro.com/systems-management/user-auditing-28-jun-2005) was changed. + +This event is always logged regardless of the "Audit Policy Change" sub-category setting. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4912 + 0 + 0 + 13568 + 0 + 0x8020000000000000 + + 1049452 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x11ae30 + S-1-5-21-3457937927-2839227994-823803824-2104 + %%8276 + %%13312 + {0CCE922B-69AE-11D9-BED3-505054503030} + %%8452 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that made a change to per-user audit policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to per-user audit policy. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Policy For Account:** + +- **Security ID** \[Type = SID\]**:** SID of account for which the Per User Audit Policy was changed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +**Policy Change Details:** + +- **Category** \[Type = UnicodeString\]**:** the name of auditing category which subcategory state was changed. Possible values are: + + - Account Logon + + - Account Management + + - Detailed Tracking + + - DS Access + + - Logon/Logoff + + - Object Access + + - Policy Change + + - Privilege Use + + - System + +- **Subcategory** \[Type = UnicodeString\]**:** the name of auditing subcategory which state was changed. 
Possible values: + +| Audit Credential Validation | Audit Process Termination | Audit Other Logon/Logoff Events | +|------------------------------------------|----------------------------------------------|--------------------------------------| +| Audit Kerberos Authentication Service | Audit RPC Events | Audit Special Logon | +| Audit Kerberos Service Ticket Operations | Audit Detailed Directory Service Replication | Audit Application Generated | +| Audit Other Logon/Logoff Events | Audit Directory Service Access | Audit Certification Services | +| Audit Application Group Management | Audit Directory Service Changes | Audit Detailed File Share | +| Audit Computer Account Management | Audit Directory Service Replication | Audit File Share | +| Audit Distribution Group Management | Audit Account Lockout | Audit File System | +| Audit Other Account Management Events | Audit IPsec Extended Mode | Audit Filtering Platform Connection | +| Audit Security Group Management | Audit IPsec Main Mode | Audit Filtering Platform Packet Drop | +| Audit User Account Management | Audit IPsec Quick Mode | Audit Handle Manipulation | +| Audit DPAPI Activity | Audit Logoff | Audit Kernel Object | +| Audit Process Creation | Audit Logon | Audit IPsec Driver | +| Audit Other Object Access Events | Audit Filtering Platform Policy Change | Audit Other System Events | +| Audit Registry | Audit MPSSVC Rule-Level Policy Change | Audit Security State Change | +| Audit SAM | Audit Other Policy Change Events | Audit Security System Extension | +| Audit Policy Change | Audit Non-Sensitive Privilege Use | Audit System Integrity | +| Audit Authentication Policy Change | Audit Sensitive Privilege Use | Audit PNP Activity | +| Audit Authorization Policy Change | Audit Other Privilege Use Events | | +| Group Membership | Audit Network Policy Server | | + +- **Subcategory GUID** \[Type = GUID\]**:** the unique GUID of changed subcategory. 
+ +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +To see subcategory GUID you can use the following command: “**auditpol /list /subcategory:\* /v”**: + +Auditpol list GUIDs illustration + +- **Changes** \[Type = UnicodeString\]**:** changes which were made for the subcategory. Possible values are: + + - Success include removed + + - Success include added + + - Failure include removed + + - Failure include added + + - Success exclude removed + + - Success exclude added + + - Failure exclude removed + + - Failure exclude added + +## Security Monitoring Recommendations + +For 4912(S): Per User Audit Policy was changed. + +- If you use the Per-user audit feature, then this event should be always monitored, especially on high value assets or computers. If this change was not planned, investigate the reason for the change. + +- If you don’t use the Per-user audit feature, then this event should be always monitored because it indicates use of the Per-user audit feature outside of your standard procedures. + diff --git a/windows/keep-secure/event-4913.md b/windows/keep-secure/event-4913.md new file mode 100644 index 0000000000..96a27d5f9f --- /dev/null +++ b/windows/keep-secure/event-4913.md 
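Review bot: the subcategory table in event-4912.md lists `Audit Other Logon/Logoff Events` twice (first column, row 4, and third column, row 1), and the last entry `Group Membership` lacks the `Audit` prefix every other cell uses; de-duplicate and make the naming consistent. The `Per User Audit Policy` link in the description points at a third-party site (windowsitpro.com); a Microsoft reference would be preferable on a docs page, or the sentence should at least say that per-user policy is set with `auditpol /set /user:...` so the reader has a first-party starting point.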
@@ -0,0 +1,288 @@ +--- +title: 4913(S) Central Access Policy on the object was changed. (Windows 10) +description: Describes security event 4913(S) Central Access Policy on the object was changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4913(S): Central Access Policy on the object was changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4913 illustration + +***Subcategory:*** [Audit Authorization Policy Change](audit-authorization-policy-change.md) + +***Event Description:*** + +This event generates when a [Central Access Policy](https://technet.microsoft.com/en-us/library/hh831425.aspx) on a file system object is changed. + +This event always generates, regardless of the object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) settings. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4913 + 0 + 0 + 13570 + 0 + 0x8020000000000000 + + 1183666 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x37901 + Security + File + C:\\Audit Files\\HBI Data.txt + 0x3d4 + S:AI + S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534) + 0x884 + C:\\Windows\\System32\\dllhost.exe + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2012, Windows 8. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that changed the Central Access Policy on the object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that changed the Central Access Policy on the object. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Object**: + +- **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event. + +- **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation. Always **“File”** for this event. + + The following table contains the list of the most common **Object Types**: + +| Directory | Event | Timer | Device | +|-------------------------|--------------|----------------------|--------------| +| Mutant | Type | File | Token | +| Thread | Section | WindowStation | DebugObject | +| FilterCommunicationPort | EventPair | Driver | IoCompletion | +| Controller | SymbolicLink | WmiGuid | Process | +| Profile | Desktop | KeyedEvent | Adapter | +| Key | WaitablePort | Callback | Semaphore | +| Job | Port | FilterConnectionPort | ALPC Port | + +- **Object Name** \[Type = UnicodeString\]: full path and/or name of the object on which the Central Access Policy was changed. + + + +- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. 
This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”. + +**Process:** + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process using which Central Access Policy was changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID** field. + +- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + +**Central Policy ID:** + +- **Original Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the old Central Policy ID (for the policy that was formerly applied to the object). + + SDDL contains Central Access Policy SID, here is an example: S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534), Central Access Policy SID here is “**S-1-17-1442530252-1178042555-1247349694-2318402534**”. To resolve this SID to the real Central Access Policy name you need to do the following: + +1. Find Central Access Policy Active Directory object in: “CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=XXX,DC=XX” Active Directory container. + +2. Open object’s “**Properties**”. + +3. Find “**msAuthz-CentralAccessPolicyID**” attribute. + +4. Convert hexadecimal value to SID (string). 
Here you can see more information about how to perform this action: . + +ADSI Edit illustration + +> If no Central Access Policies were applied to the object, then SDDL will not contain any SIDs, for example “**S:AI**”. + +- **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new Central Policy ID (for the policy that has been applied to the object). See more information in **Central Policy ID\\Original Security Descriptor** field section for this event. + +> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. + +> Example: + +> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) + +> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. +> See the list of possible values in the table below: + +| Value | Description | Value | Description | +|-------|--------------------------------------|-------|---------------------------------| +| "AO" | Account operators | "PA" | Group Policy administrators | +| "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user | +| "AN" | Anonymous logon | "LA" | Local administrator | +| "AU" | Authenticated users | "LG" | Local guest | +| "BA" | Built-in administrators | "LS" | Local service account | +| "BG" | Built-in guests | "SY" | Local system | +| "BO" | Backup operators | "NU" | Network logon user | +| "BU" | Built-in users | "NO" | Network configuration operators | +| "CA" | Certificate server administrators | "NS" | Network service account | +| "CG" | Creator group | "PO" | Printer operators | +| "CO" | Creator owner | "PS" | Personal self | +| "DA" | Domain administrators | "PU" | Power users | +| "DC" | Domain computers | "RS" | RAS servers group | +| 
"DD" | Domain controllers | "RD" | Terminal server users | +| "DG" | Domain guests | "RE" | Replicator | +| "DU" | Domain users | "RC" | Restricted code | +| "EA" | Enterprise administrators | "SA" | Schema administrators | +| "ED" | Enterprise domain controllers | "SO" | Server operators | +| "WD" | Everyone | "SU" | Service logon user | + +- *G*: = Primary Group. +- *D*: = DACL Entries. +- *S*: = SACL Entries. + +*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid) + +Example: D:(A;;FA;;;WD) + +- entry\_type: + +“D” - DACL + +“S” - SACL + +- inheritance\_flags: + +"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked. + +"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set. + +"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object. + +- ace\_type: + +"A" - ACCESS ALLOWED + +"D" - ACCESS DENIED + +"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s). + +"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s). + +"AU" - SYSTEM AUDIT + +"A" - SYSTEM ALARM + +"OU" - OBJECT SYSTEM AUDIT + +"OL" - OBJECT SYSTEM ALARM + +- ace\_flags: + +"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE. + +"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE. + +"NP" - NO PROPAGATE: only immediate children inherit this ace. + +"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance. + +"ID" - ACE IS INHERITED + +"SA" - SUCCESSFUL ACCESS AUDIT + +"FA" - FAILED ACCESS AUDIT +- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. 
+ +| Value | Description | Value | Description | +|----------------------------|---------------------------------|----------------------|--------------------------| +| Generic access rights | Directory service access rights | +| "GA" | GENERIC ALL | "RC" | Read Permissions | +| "GR" | GENERIC READ | "SD" | Delete | +| "GW" | GENERIC WRITE | "WD" | Modify Permissions | +| "GX" | GENERIC EXECUTE | "WO" | Modify Owner | +| File access rights | "RP" | Read All Properties | +| "FA" | FILE ALL ACCESS | "WP" | Write All Properties | +| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects | +| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects | +| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents | +| Registry key access rights | "SW" | All Validated Writes | +| "KA" | "LO" | "LO" | List Object | +| "K" | KEY READ | "DT" | Delete Subtree | +| "KW" | KEY WRITE | "CR" | All Extended Rights | +| "KX" | KEY EXECUTE | | | + +- object\_guid: N/A +- inherit\_object\_guid: N/A +- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. + +For more information about SDDL syntax, see these articles: , . + +## Security Monitoring Recommendations + +For 4913(S): Central Access Policy on the object was changed. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you need to monitor events related to specific Windows object types (“**Object Type**”), for example **File** or **Key**, monitor this event for the corresponding “**Object Type**.” + +- If you need to monitor all changes to specific files or folders (in this case, changes to the Central Access Policy), monitor for the “**Object Name**” that corresponds to the file or folder. 
+ +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + + + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + +- If you have specific files, folders, or entire systems to which a specific Central Access Policy should be applied, you can monitor this event and compare the Central Access Policy SID in “**New Security Descriptor**” to see if it matches the expected policy. + + + diff --git a/windows/keep-secure/event-4928.md b/windows/keep-secure/event-4928.md new file mode 100644 index 0000000000..04ad5cd8c9 --- /dev/null +++ b/windows/keep-secure/event-4928.md @@ -0,0 +1,108 @@ +--- +title: 4928(S, F) An Active Directory replica source naming context was established. (Windows 10) +description: Describes security event 4928(S, F) An Active Directory replica source naming context was established. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4928(S, F): An Active Directory replica source naming context was established. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4928 illustration + +***Subcategory:*** [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md) + +***Event Description:*** + +This event generates every time a new Active Directory replica source naming context is established. + +Failure event generates if an error occurs (**Status Code** != 0). + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
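Review bot: in event-4913.md the SDDL `ace_type` list omits `SP` (the scoped policy ID ACE), which is exactly the ACE type in this event's own sample, `S:ARAI(SP;ID;;;;S-1-17-...)`, and it lists `"A"` twice (as ACCESS ALLOWED and as SYSTEM ALARM; the alarm abbreviation is `AL`). The SDDL example contains a multiplication sign in `(A;;0×7;;;BA)` where `0x7` is meant. The rights table has the same defects as in 4911 (`"KA" | "LO"` should be `"KA" | KEY ALL ACCESS`, `"K"` should be `"KR"`, and the sub-header rows shift the right-hand column). The first recommendations bullet says to monitor this event for `Object Type` "for example File or Key", which contradicts the field description that `Object Type` is always `File` for this event; drop or reword it. Two sentences end in empty link slots (`how to perform this action: .` and `see these articles: , .`).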
+ +***Event XML:*** +``` +- +- + + 4928 + 0 + 0 + 14083 + 0 + 0x8020000000000000 + + 227065 + + + Security + DC01.contoso.local + + +- + CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local + CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local + ddec0cff-6ceb-4a59-b13f-1724c38a0970.\_msdcs.contoso.local + DC=ForestDnsZones,DC=contoso,DC=local + 368 + 0 + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +- **Destination DRA** \[Type = UnicodeString\]: destination directory replication agent distinguished name. + +> **Note**  The **Directory Replication Agent (DRA)** handles replication between domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out those partners that are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a domain controller when the domain controller needs to update its copy of Active Directory. + +- **Source DRA** \[Type = UnicodeString\]: source directory replication agent distinguished name. + +> **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. + +> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: + +> • DC - domainComponent + +> • CN - commonName + +> • OU - organizationalUnitName + +> • O - organizationName + +- **Source Address** \[Type = UnicodeString\]: DNS record of the server from which information or an update was received. + +- **Naming Context** \[Type = UnicodeString\]**:** naming context to replicate. 
+ +> **Note**  The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition. + +- **Options** \[Type = UInt32\]: decimal value of [DRS Options](https://msdn.microsoft.com/en-us/library/cc228477.aspx). + + Directory Replication Service options in AD Sites and Services + +- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: + +## Security Monitoring Recommendations + +For 4928(S, F): An Active Directory replica source naming context was established. + +- Monitor for **Source Address** field, because the source of new replication (new DRA) must be authorized for this action. If you find any unauthorized DRA you should trigger an event. + +- This event is typically used for Active Directory replication troubleshooting. + diff --git a/windows/keep-secure/event-4929.md b/windows/keep-secure/event-4929.md new file mode 100644 index 0000000000..1ce345a023 --- /dev/null +++ b/windows/keep-secure/event-4929.md 
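Review bot: in event-4928.md the `Status Code` description ends with `You can check error code meaning here:` and no link. `Source Address` is described only as "DNS record of the server", but the sample (`ddec0cff-...._msdcs.contoso.local`) is the source DSA's GUID-based CNAME under `_msdcs`, which is what an analyst has to resolve to find the actual DC; say so. `Options` is a bit-flag field (the sample value 368 has to be read as a mask against the linked DRS options), and the text should state that rather than just "decimal value". In the recommendations, `you should trigger an event` should read `trigger an alert`.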
@@ -0,0 +1,106 @@ +--- +title: 4929(S, F) An Active Directory replica source naming context was removed. (Windows 10) +description: Describes security event 4929(S, F) An Active Directory replica source naming context was removed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4929(S, F): An Active Directory replica source naming context was removed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4929 illustration + +***Subcategory:*** [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md) + +***Event Description:*** + +This event generates every time Active Directory replica source naming context was removed. + +Failure event generates if an error occurs (**Status Code** != 0). + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4929 + 0 + 0 + 14083 + 0 + 0x8020000000000000 + + 227013 + + + Security + DC01.contoso.local + + +- + CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local + - + 2d361dd6-fc22-4d9d-b876-ec582b836458.\_msdcs.contoso.local + DC=contoso,DC=local + 16640 + 0 + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +- **Destination DRA** \[Type = UnicodeString\]: destination directory replication agent distinguished name. + +> **Note**  The **Directory Replication Agent (DRA)** handles replication between domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out those partners that are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a domain controller when the domain controller needs to update its copy of Active Directory. + +- **Source DRA** \[Type = UnicodeString\]: source directory replication agent distinguished name. + +> **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. + +> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: + +> • DC - domainComponent + +> • CN - commonName + +> • OU - organizationalUnitName + +> • O - organizationName + +- **Source Address** \[Type = UnicodeString\]: DNS record of the server from which the “remove” request was received. + +- **Naming Context** \[Type = UnicodeString\]**:** naming context which was removed. + +> **Note**  The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. 
Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition. + +- **Options** \[Type = UInt32\]: decimal value of [DRS Options](https://msdn.microsoft.com/en-us/library/cc228477.aspx). + +- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: + +## Security Monitoring Recommendations + +For 4929(S, F): An Active Directory replica source naming context was removed. + +- Monitor for **Source Address** field, because the source of the request must be authorized for this action. If you find any unauthorized DRA you should trigger an event. + +- This event is typically used for Active Directory replication troubleshooting. + diff --git a/windows/keep-secure/event-4930.md b/windows/keep-secure/event-4930.md new file mode 100644 index 0000000000..83c58cab73 --- /dev/null +++ b/windows/keep-secure/event-4930.md 
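Review bot: event-4929.md repeats two issues from 4928: the `Status Code` sentence ends in an empty link (`error code meaning here:`) and the recommendation says `trigger an event` where `trigger an alert` is meant. The sample XML shows `Source DRA` as `-`, but the field description does not mention that the value can be empty; 4930's text says "Typically equals "-" for this event", and 4929 should say the same if that is the normal value here.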
@@ -0,0 +1,108 @@ +--- +title: 4930(S, F) An Active Directory replica source naming context was modified. (Windows 10) +description: Describes security event 4930(S, F) An Active Directory replica source naming context was modified. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4930(S, F): An Active Directory replica source naming context was modified. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4930 illustration + +***Subcategory:*** [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md) + +***Event Description:*** + +This event generates every time Active Directory replica source naming context was modified. + +Failure event generates if an error occurs (**Status Code** != 0). + +It is not possible to understand what exactly was modified from this event. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4930 + 0 + 0 + 14083 + 0 + 0x8020000000000000 + + 1564 + + + Security + Win2012r2.corp.contoso.local + + +- + CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local + - + edf0bef9-1f73-4df3-8991-f6ec2d4ef3ae + CN=Schema,CN=Configuration,DC=contoso,DC=local + 0 + 0 + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +- **Destination DRA** \[Type = UnicodeString\]: destination directory replication agent distinguished name. + +> **Note**  The **Directory Replication Agent (DRA)** handles replication between domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out those partners that are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a domain controller when the domain controller needs to update its copy of Active Directory. + +- **Source DRA** \[Type = UnicodeString\]: source directory replication agent distinguished name. Typically equals “**-**“ for this event. + +> **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. + +> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: + +> • DC - domainComponent + +> • CN - commonName + +> • OU - organizationalUnitName + +> • O - organizationName + +- **Source Address** \[Type = UnicodeString\]: DNS record of computer from which the modification request was received. + +- **Naming Context** \[Type = UnicodeString\]**:** naming context which was modified. 
+ +> **Note**  The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition. + +- **Options** \[Type = UInt32\]: decimal value of [DRS Options](https://msdn.microsoft.com/en-us/library/cc228477.aspx). + +- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: + +## Security Monitoring Recommendations + +For 4930(S, F): An Active Directory replica source naming context was modified. + +- Monitor for **Source Address** field, because the source of the request must be authorized for this action. If you find any unauthorized DRA you should trigger an event. + +- This event is typically used for Active Directory replication troubleshooting. + diff --git a/windows/keep-secure/event-4931.md b/windows/keep-secure/event-4931.md new file mode 100644 index 0000000000..90d993cd8f --- /dev/null +++ b/windows/keep-secure/event-4931.md 
@@ -0,0 +1,106 @@ +--- +title: 4931(S, F) An Active Directory replica destination naming context was modified. (Windows 10) +description: Describes security event 4931(S, F) An Active Directory replica destination naming context was modified. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4931(S, F): An Active Directory replica destination naming context was modified. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4931 illustration + +***Subcategory:*** [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md) + +***Event Description:*** + +This event generates every time Active Directory replica destination naming context was modified. + +Failure event generates if an error occurs (**Status Code** != 0). + +It is not possible to understand what exactly was modified from this event. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4931 + 0 + 0 + 14083 + 0 + 0x8020000000000000 + + 227058 + + + Security + DC01.contoso.local + + +- + ddec0cff-6ceb-4a59-b13f-1724c38a0970.\_msdcs.contoso.local + CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local + - + DC=ForestDnsZones,DC=contoso,DC=local + 23 + 0 + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +- **Destination DRA** \[Type = UnicodeString\]: destination directory replication agent distinguished name. + +> **Note**  The **Directory Replication Agent (DRA)** handles replication between domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out those partners that are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a domain controller when the domain controller needs to update its copy of Active Directory. + +- **Source DRA** \[Type = UnicodeString\]: source directory replication agent distinguished name. + +> **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. + +> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: + +> • DC - domainComponent + +> • CN - commonName + +> • OU - organizationalUnitName + +> • O - organizationName + +- **Destination Address** \[Type = UnicodeString\]: DNS record of computer to which the modification request was sent. + +- **Naming Context** \[Type = UnicodeString\]**:** naming context which was modified. + +> **Note**  The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. 
Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition. + +- **Options** \[Type = UInt32\]: decimal value of [DRS Options](https://msdn.microsoft.com/en-us/library/cc228477.aspx). + +- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: + +## Security Monitoring Recommendations + +For 4931(S, F): An Active Directory replica destination naming context was modified. + +- This event is typically used for Active Directory replication troubleshooting. + diff --git a/windows/keep-secure/event-4932.md b/windows/keep-secure/event-4932.md new file mode 100644 index 0000000000..4a285d53f7 --- /dev/null +++ b/windows/keep-secure/event-4932.md 
@@ -0,0 +1,106 @@ +--- +title: 4932(S) Synchronization of a replica of an Active Directory naming context has begun. (Windows 10) +description: Describes security event 4932(S) Synchronization of a replica of an Active Directory naming context has begun. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4932(S): Synchronization of a replica of an Active Directory naming context has begun. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4932 illustration + +***Subcategory:*** [Audit Directory Service Replication](audit-directory-service-replication.md) + +***Event Description:*** + +This event generates every time synchronization of a replica of an Active Directory naming context has begun. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4932 + 0 + 0 + 14082 + 0 + 0x8020000000000000 + + 413689 + + + Security + DC01.contoso.local + + +- + CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local + CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local + CN=Schema,CN=Configuration,DC=contoso,DC=local + 2147483733 + 48 + 20869 + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +- **Destination DRA** \[Type = UnicodeString\]: destination directory replication agent distinguished name. + +> **Note**  The **Directory Replication Agent (DRA)** handles replication between domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out those partners that are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a domain controller when the domain controller needs to update its copy of Active Directory. + +- **Source DRA** \[Type = UnicodeString\]: source directory replication agent distinguished name. + +> **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. + +> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: + +> • DC - domainComponent + +> • CN - commonName + +> • OU - organizationalUnitName + +> • O - organizationName + +- **Naming Context** \[Type = UnicodeString\]**:** naming context to replicate. + +> **Note**  The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. 
Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition. + +- **Options** \[Type = UInt32\]: decimal value of [DRS Options](https://msdn.microsoft.com/en-us/library/cc228477.aspx). + +- **Session ID** \[Type = UInt32\]**:** unique identifier of replication session. Using this field you can find “[4932](event-4932.md): Synchronization of a replica of an Active Directory naming context has begun.” and “[4933](event-4933.md): Synchronization of a replica of an Active Directory naming context has ended.” events for the same session. + +- **Start USN** \[Type = UnicodeString\]**: Naming Context’s** USN number before replication begins. + +> **Note**  Active Directory replication does not depend on time to determine what changes need to be propagated. It relies instead on the use of **update sequence numbers (USNs)** that are assigned by a counter that is local to each domain controller. Because these USN counters are local, it is easy to ensure that they are reliable and never "run backward" (that is, decrease in value). The trade-off is that it is meaningless to compare a USN assigned on one domain controller to a USN assigned on a different domain controller. The replication system is designed with this restriction in mind. + +## Security Monitoring Recommendations + +For 4932(S): Synchronization of a replica of an Active Directory naming context has begun. + +- Monitor for **Source Address** field, because the source of replication (DRA) must be authorized for this action. If you find any unauthorized DRA you should trigger an event. + +- This event is typically used for Active Directory replication troubleshooting. + 
diff --git a/windows/keep-secure/event-4933.md b/windows/keep-secure/event-4933.md new file mode 100644 index 0000000000..ecfdab4b9f --- /dev/null +++ b/windows/keep-secure/event-4933.md @@ -0,0 +1,111 @@ +--- +title: 4933(S, F) Synchronization of a replica of an Active Directory naming context has ended. (Windows 10) +description: Describes security event 4933(S, F) Synchronization of a replica of an Active Directory naming context has ended. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4933(S, F): Synchronization of a replica of an Active Directory naming context has ended. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4933 illustration + +***Subcategory:*** [Audit Directory Service Replication](audit-directory-service-replication.md) + +***Event Description:*** + +This event generates every time synchronization of a replica of an Active Directory naming context has ended. + +Failure event occurs when synchronization of a replica of an Active Directory naming context failed. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4933 + 0 + 0 + 14082 + 0 + 0x8010000000000000 + + 413644 + + + Security + DC01.contoso.local + + +- + CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local + CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local + CN=Schema,CN=Configuration,DC=contoso,DC=local + 2147483733 + 40 + 20869 + 1722 + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +- **Destination DRA** \[Type = UnicodeString\]: destination directory replication agent distinguished name. + +> **Note**  The **Directory Replication Agent (DRA)** handles replication between domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out those partners that are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a domain controller when the domain controller needs to update its copy of Active Directory. + +- **Source DRA** \[Type = UnicodeString\]: source directory replication agent distinguished name. + +> **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. + +> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: + +> • DC - domainComponent + +> • CN - commonName + +> • OU - organizationalUnitName + +> • O - organizationName + +- **Naming Context** \[Type = UnicodeString\]**:** naming context to replicate. + +> **Note**  The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. 
Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition. + +- **Options** \[Type = UInt32\]: decimal value of [DRS Options](https://msdn.microsoft.com/en-us/library/cc228477.aspx). + +- **Session ID** \[Type = UInt32\]**:** unique identifier of replication session. Using this field you can find “[4932](event-4932.md): Synchronization of a replica of an Active Directory naming context has begun.” and “[4933](event-4933.md): Synchronization of a replica of an Active Directory naming context has ended.” events for the same session. + +- **End USN** \[Type = UInt32\]**: Naming Context’s** USN number after replication ends. + +> **Note**  Active Directory replication does not depend on time to determine what changes need to be propagated. It relies instead on the use of **update sequence numbers (USNs)** that are assigned by a counter that is local to each domain controller. Because these USN counters are local, it is easy to ensure that they are reliable and never "run backward" (that is, decrease in value). The trade-off is that it is meaningless to compare a USN assigned on one domain controller to a USN assigned on a different domain controller. The replication system is designed with this restriction in mind. + +- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be “**0**”. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: + +## Security Monitoring Recommendations + +For 4933(S, F): Synchronization of a replica of an Active Directory naming context has ended. 
+ +- Monitor for **Source Address** field, because the source of replication (DRA) must be authorized for this action. If you find any unauthorized DRA you should trigger an event. + +- This event is typically used for Active Directory replication troubleshooting. + diff --git a/windows/keep-secure/event-4934.md b/windows/keep-secure/event-4934.md new file mode 100644 index 0000000000..370261af0f --- /dev/null +++ b/windows/keep-secure/event-4934.md @@ -0,0 +1,51 @@ +--- +title: 4934(S) Attributes of an Active Directory object were replicated. (Windows 10) +description: Describes security event 4934(S) Attributes of an Active Directory object were replicated. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4934(S): Attributes of an Active Directory object were replicated. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates when attributes of an Active Directory object were replicated. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md) + +***Event Schema:*** + +*Attributes of an Active Directory object were replicated.* + +*Session ID:%1* + +*Object:%2* + +*Attribute:%3* + +*Type of change:%4* + +*New Value:%5* + +*USN:%6* + +*Status Code:%7* + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- This event is typically used for Active Directory replication troubleshooting. + diff --git a/windows/keep-secure/event-4935.md b/windows/keep-secure/event-4935.md new file mode 100644 index 0000000000..95089ddc63 --- /dev/null +++ b/windows/keep-secure/event-4935.md 
@@ -0,0 +1,74 @@ +--- +title: 4935(F) Replication failure begins. (Windows 10) +description: Describes security event 4935(F) Replication failure begins. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4935(F): Replication failure begins. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4935 illustration + +***Subcategory:*** [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md) + +***Event Description:*** + +This event generates when Active Directory replication failure begins. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4935 + 0 + 0 + 14083 + 0 + 0x8010000000000000 + + 1552 + + + Security + Win2012r2.contoso.local + + +- + 1 + 8419 + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Replication Event** \[Type = UInt32\]**:** there is no detailed information about this field in this document. + +**Audit Status Code** \[Type = UInt32\]**:** there is no detailed information about this field in this document. + +## Security Monitoring Recommendations + +For 4935(F): Replication failure begins. + +- This event is typically used for Active Directory replication troubleshooting. + diff --git a/windows/keep-secure/event-4936.md b/windows/keep-secure/event-4936.md new file mode 100644 index 0000000000..0d3f01212d --- /dev/null +++ b/windows/keep-secure/event-4936.md @@ -0,0 +1,43 @@ +--- +title: 4936(S) Replication failure ends. (Windows 10) +description: Describes security event 4936(S) Replication failure ends. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4936(S): Replication failure ends. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates when Active Directory replication failure ends. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md) + +***Event Schema:*** + +*Replication failure ends.* + +*Replication Event:%1* + +*Audit Status Code:%2* + +*Replication Status Code:%3* + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- This event is typically used for Active Directory replication troubleshooting. + 
diff --git a/windows/keep-secure/event-4937.md b/windows/keep-secure/event-4937.md new file mode 100644 index 0000000000..e828453e4c --- /dev/null +++ b/windows/keep-secure/event-4937.md @@ -0,0 +1,47 @@ +--- +title: 4937(S) A lingering object was removed from a replica. (Windows 10) +description: Describes security event 4937(S) A lingering object was removed from a replica. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4937(S): A lingering object was removed from a replica. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates when a [lingering object](https://support.microsoft.com/en-us/kb/910205) was removed from a replica. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md) + +***Event Schema:*** + +*A lingering object was removed from a replica.* + +*Destination DRA:%1* + +*Source DRA:%2* + +*Object:%3* + +*Options:%4* + +*Status Code:%5* + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-4944.md b/windows/keep-secure/event-4944.md new file mode 100644 index 0000000000..13323d44aa --- /dev/null +++ b/windows/keep-secure/event-4944.md 
@@ -0,0 +1,117 @@ +--- +title: 4944(S) The following policy was active when the Windows Firewall started. (Windows 10) +description: Describes security event 4944(S) The following policy was active when the Windows Firewall started. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4944(S): The following policy was active when the Windows Firewall started. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4944 illustration + +***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md) + +***Event Description:*** + +This event generates every time Windows Firewall service starts. + +This event shows Windows Firewall settings that were in effect when the Windows Firewall service started. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4944 + 0 + 0 + 13571 + 0 + 0x8020000000000000 + + 1050808 + + + Security + DC01.contoso.local + + +- + No + Public + Off + Disabled + Enabled + Disabled + Disabled + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Group Policy Applied** \[Type = UnicodeString\]: it always has “No” value for this event. This field should show information about: was Group Policy applied for Windows Firewall when it starts or not. + +**Profile Used** \[Type = UnicodeString\]: shows the active profile name for the moment Windows Firewall service starts. It always has value “**Public**” for this event, because when this event generates, the active profile is not switched to “**Domain**” or “**Private**”. Typically you will see “[4956](event-4956.md)(S): Windows Firewall has changed the active profile” after this event, which will tell you the real active profile. + +**Operational mode** \[Type = UnicodeString\]: + +- **On** – if “**Firewall state:**” setting was set to “On” for “Public” profile. + +- **Off** - if “**Firewall state:**” setting was set to “Off” for “Public” profile. + +Windows Firewall set to Off illustration + +**Allow Remote Administration** \[Type = UnicodeString\]: looks like this setting is connected to ”[Windows Firewall: Allow remote administration exception](https://technet.microsoft.com/en-us/library/cc738900(v=ws.10).aspx)” Group Policy setting, but it is always Disabled, no matter which option is set for “[Windows Firewall: Allow remote administration exception](https://technet.microsoft.com/en-us/library/cc738900(v=ws.10).aspx)” Group Policy. + +**Allow Unicast Responses to Multicast/Broadcast Traffic** \[Type = UnicodeString\]: + +- **Enabled** - if “**Allow unicast response:**” Settings configuration was set to “Yes” for “Public” profile. 
+ +- **Disabled** - if “**Allow unicast response:**” Settings configuration was set to “No” for “Public” profile. + +Firewall Settings, Public Profile illustration + +**Security Logging:** + +- **Log Dropped Packets** \[Type = UnicodeString\]: + + - **Enabled** – if “**Log dropped packets:**” Logging configuration was set to “Yes” for “Public” profile. + + - **Disabled** - if “**Log dropped packets:**” Logging configuration was set to “No” for “Public” profile. + +- **Log Successful Connections** \[Type = UnicodeString\]: + + - **Enabled** - if “**Log successful connections:**” Logging configuration was set to “Yes” for “Public” profile. + + - **Disabled** - if “**Log dropped packets:**” Logging configuration was set to “No” for “Public” profile. + +Logging Settings, Public Profile illustration + +## Security Monitoring Recommendations + +For 4944(S): The following policy was active when the Windows Firewall started. + +- If you have a standard or baseline for Windows Firewall settings defined for **Public** profile (which can be the same as for Domain, for example), monitor this event and check whether the settings reported by the event are still the same as were defined in your standard or baseline. + +- Unfortunately this event shows configuration only for **Public** profile, but you can still compare all the settings with your organization's Windows Firewall baseline for Public profile on different computers and trigger an alert if the configuration is not the same. + diff --git a/windows/keep-secure/event-4945.md b/windows/keep-secure/event-4945.md new file mode 100644 index 0000000000..fb0731ead7 --- /dev/null +++ b/windows/keep-secure/event-4945.md 
@@ -0,0 +1,91 @@ +--- +title: 4945(S) A rule was listed when the Windows Firewall started. (Windows 10) +description: Describes security event 4945(S) A rule was listed when the Windows Firewall started. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4945(S): A rule was listed when the Windows Firewall started. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4945 illustration + +***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md) + +***Event Description:*** + +This event generates every time Windows Firewall service starts. + +This event shows the inbound and/or outbound rule which was listed when the Windows Firewall started and applied for “Public” profile. + +This event generates per rule. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4945 + 0 + 0 + 13571 + 0 + 0x8020000000000000 + + 1049946 + + + Security + DC01.contoso.local + + +- + Public + NPS-NPSSvc-In-RPC + Network Policy Server (RPC) + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Profile used** \[Type = UnicodeString\]**:** the name of the profile that the rule belongs to. It always has value “**Public”**, because this event shows rules only for “Public” profile. + +**Rule:** + +- **Rule ID** \[Type = UnicodeString\]: the unique firewall rule identifier. + + To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + +Registry Editor FirewallRules key illustration + +- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was listed when the Windows Firewall started. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: + +Windows Firewall with Advanced Security illustration + +## Security Monitoring Recommendations + +For 4945(S): A rule was listed when the Windows Firewall started. + +- Typically this event has an informational purpose. + +- Unfortunately this event shows rules only for **Public** profile, but you still can compare this list with your organization's Windows Firewall baseline for Public profile rules on different computers, and trigger an alert if the configuration is not the same. + diff --git a/windows/keep-secure/event-4946.md b/windows/keep-secure/event-4946.md new file mode 100644 index 0000000000..0fea17268d --- /dev/null +++ b/windows/keep-secure/event-4946.md 
@@ -0,0 +1,101 @@ +--- +title: 4946(S) A change has been made to Windows Firewall exception list. A rule was added. (Windows 10) +description: Describes security event 4946(S) A change has been made to Windows Firewall exception list. A rule was added. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4946(S): A change has been made to Windows Firewall exception list. A rule was added. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4946 illustration + +***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md) + +***Event Description:*** + +This event generates when new rule was locally added to Windows Firewall. + +This event doesn't generate when new rule was added via Group Policy. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4946 + 0 + 0 + 13571 + 0 + 0x8020000000000000 + + 1050893 + + + Security + DC01.contoso.local + + +- + All + {F2649D59-1355-4E3C-B886-CDD08B683199} + Allow All Rule + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Profile Changed** \[Type = UnicodeString\]**:** the list of profiles to which new rule was applied. Examples: + +- All + +- Domain,Public + +- Domain,Private + +- Private,Public + +- Public + +- Domain + +- Private + +**Added Rule:** + +- **Rule ID** \[Type = UnicodeString\]: the unique new firewall rule identifier. + + To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + +Registry Editor FirewallRules key illustration + +- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was added. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: + +Windows Firewall with Advanced Security illustration + +## Security Monitoring Recommendations + +For 4946(S): A change has been made to Windows Firewall exception list. A rule was added. + +- This event can be helpful in case you want to monitor all creations of new Firewall rules which were done locally. + diff --git a/windows/keep-secure/event-4947.md b/windows/keep-secure/event-4947.md new file mode 100644 index 0000000000..3103502558 --- /dev/null +++ b/windows/keep-secure/event-4947.md 
@@ -0,0 +1,101 @@ +--- +title: 4947(S) A change has been made to Windows Firewall exception list. A rule was modified. (Windows 10) +description: Describes security event 4947(S) A change has been made to Windows Firewall exception list. A rule was modified. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4947(S): A change has been made to Windows Firewall exception list. A rule was modified. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4947 illustration + +***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md) + +***Event Description:*** + +This event generates when Windows Firewall rule was modified. + +This event doesn't generate when Firewall rule was modified via Group Policy. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4947 + 0 + 0 + 13571 + 0 + 0x8020000000000000 + + 1050908 + + + Security + DC01.contoso.local + + +- + All + {F2649D59-1355-4E3C-B886-CDD08B683199} + Allow All Rule + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Profile Changed** \[Type = UnicodeString\]**:** the list of profiles to which changed rule is applied. Examples: + +- All + +- Domain,Public + +- Domain,Private + +- Private,Public + +- Public + +- Domain + +- Private + +**Modified Rule:** + +- **Rule ID** \[Type = UnicodeString\]: the unique identifier for modified firewall rule. + + To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + +Registry Editor FirewallRules key illustration + +- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was modified. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: + +Windows Firewall with Advanced Security illustration + +## Security Monitoring Recommendations + +For 4947(S): A change has been made to Windows Firewall exception list. A rule was modified. + +- This event can be helpful in case you want to monitor all Firewall rules modifications which were done locally. + diff --git a/windows/keep-secure/event-4948.md b/windows/keep-secure/event-4948.md new file mode 100644 index 0000000000..8193b2ec9f --- /dev/null +++ b/windows/keep-secure/event-4948.md 
@@ -0,0 +1,101 @@ +--- +title: 4948(S) A change has been made to Windows Firewall exception list. A rule was deleted. (Windows 10) +description: Describes security event 4948(S) A change has been made to Windows Firewall exception list. A rule was deleted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4948(S): A change has been made to Windows Firewall exception list. A rule was deleted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4948 illustration + +***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md) + +***Event Description:*** + +This event generates when Windows Firewall rule was deleted. + +This event doesn't generate when the rule was deleted via Group Policy. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4948 + 0 + 0 + 13571 + 0 + 0x8020000000000000 + + 1050934 + + + Security + DC01.contoso.local + + +- + All + {F2649D59-1355-4E3C-B886-CDD08B683199} + Allow All Rule + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Profile Changed** \[Type = UnicodeString\]**:** the list of profiles to which deleted rule was applied. Examples: + +- All + +- Domain,Public + +- Domain,Private + +- Private,Public + +- Public + +- Domain + +- Private + +**Deleted Rule:** + +- **Rule ID** \[Type = UnicodeString\]: the unique identifier for deleted firewall rule. + + To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + +Registry Editor FirewallRules key illustration + +- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was deleted. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: + +Windows Firewall with Advanced Security illustration + +## Security Monitoring Recommendations + +For 4948(S): A change has been made to Windows Firewall exception list. A rule was deleted. + +- This event can be helpful in case you want to monitor all deletions of Firewall rules which were done locally. + diff --git a/windows/keep-secure/event-4949.md b/windows/keep-secure/event-4949.md new file mode 100644 index 0000000000..0b8194ac9e --- /dev/null +++ b/windows/keep-secure/event-4949.md 
@@ -0,0 +1,67 @@ +--- +title: 4949(S) Windows Firewall settings were restored to the default values. (Windows 10) +description: Describes security event 4949(S) Windows Firewall settings were restored to the default values. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4949(S): Windows Firewall settings were restored to the default values. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4949 illustration + +***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md) + +***Event Description:*** + +This event generates when Windows Firewall settings were locally restored to the default configuration. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4949 + 0 + 0 + 13571 + 0 + 0x8020000000000000 + + 1049926 + + + Security + DC01.contoso.local + + + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +For 4949(S): Windows Firewall settings were restored to the default values. + +- You shouldn’t see this event during normal Windows Firewall operations, because it should be intentionally done by user or software. This event should be always monitored and an alert should be triggered, especially on critical computers or devices. + +- This event can be helpful in case you want to monitor all changes of Firewall rules which were done locally, especially restores to default configuration. + diff --git a/windows/keep-secure/event-4950.md b/windows/keep-secure/event-4950.md new file mode 100644 index 0000000000..0c8dadbb62 --- /dev/null +++ b/windows/keep-secure/event-4950.md @@ -0,0 +1,91 @@ +--- +title: 4950(S) A Windows Firewall setting has changed. (Windows 10) +description: Describes security event 4950(S) A Windows Firewall setting has changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4950(S): A Windows Firewall setting has changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4950 illustration + +***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md) + +***Event Description:*** + +This event generates when Windows Firewall local setting was changed. + +This event doesn't generate when Windows Firewall setting was changed via Group Policy. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4950 + 0 + 0 + 13571 + 0 + 0x8020000000000000 + + 1050944 + + + Security + DC01.contoso.local + + +- + Domain + Default Outbound Action + Block + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Changed Profile** \[Type = UnicodeString\]**:** the name of profile in which setting was changed. Possible values are: + +- Public + +- Domain + +- Private + +**New Setting:** + +- **Type** \[Type = UnicodeString\]: the name of the setting which was modified. You can use “**netsh advfirewall**” command to see or set Windows Firewall settings, for example, to see settings for current\\active Windows Firewall profile you need to execute “**netsh advfirewall show currentprofile**” command: + +Netsh advfirewall command illustration + +- **Value** \[Type = UnicodeString\]: new value of modified setting. + +## Security Monitoring Recommendations + +For 4950(S): A Windows Firewall setting has changed. + +- If you have a standard or baseline for Windows Firewall settings defined, monitor this event and check whether the settings reported by the event are still the same as were defined in your standard or baseline. + +- This event can be helpful in case you want to monitor all changes in Windows Firewall settings which were done locally. + diff --git a/windows/keep-secure/event-4951.md b/windows/keep-secure/event-4951.md new file mode 100644 index 0000000000..82cf1bbeb8 --- /dev/null +++ b/windows/keep-secure/event-4951.md 
@@ -0,0 +1,103 @@ +--- +title: 4951(F) A rule has been ignored because its major version number was not recognized by Windows Firewall. (Windows 10) +description: Describes security event 4951(F) A rule has been ignored because its major version number was not recognized by Windows Firewall. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4951(F): A rule has been ignored because its major version number was not recognized by Windows Firewall. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4951 illustration + +***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md) + +***Event Description:*** + +When you create or edit a Windows Firewall rule, the settings that you can include depend upon the version of Windows you use when creating the rule. As new settings are added to later versions of Windows or to service packs for existing versions of Windows, the version number of the rules processing engine is updated, and that version number is stamped into rules that are created by using that version of Windows. For example, Windows Vista produces firewall rules that are stamped with version "v2.0". Future versions of Windows might use "v2.1", or "v3.0" to indicate, respectively, minor or major changes and additions. + +If you create a firewall rule on a newer version of Windows that references firewall settings that are not available on earlier versions of Windows, and then try to deploy that rule to computers running the earlier version of Windows, the firewall engine produces this error to indicate that it cannot process the rule. + +The only solution is to remove the incompatible rule, and then deploy a compatible rule. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4951 + 0 + 0 + 13571 + 0 + 0x8010000000000000 + + 1052309 + + + Security + DC01.contoso.local + + +- + All + {08CBB349-D158-46BE-81E1-2ABC59BDD523} + - + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Profile** \[Type = UnicodeString\]**:** the name of the profile of the ignored rule. Possible values are: + +- All + +- Domain,Public + +- Domain,Private + +- Private,Public + +- Public + +- Domain + +- Private + +**Ignored Rule:** + +- **ID** \[Type = UnicodeString\]: the unique identifier for ignored firewall rule. + + To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + +Registry Editor FirewallRules key illustration + +- **Name** \[Type = UnicodeString\]: the name of the rule which was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: + +Windows Firewall with Advanced Security illustration + +## Security Monitoring Recommendations + +For 4951(F): A rule has been ignored because its major version number was not recognized by Windows Firewall. + +- This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues. + diff --git a/windows/keep-secure/event-4952.md b/windows/keep-secure/event-4952.md new file mode 100644 index 0000000000..06e7cc5bc5 --- /dev/null +++ b/windows/keep-secure/event-4952.md 
@@ -0,0 +1,51 @@ +--- +title: 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. (Windows 10) +description: Describes security event 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4952(F): Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +When you create or edit a Windows Firewall rule, the settings that you can include depend upon the version of Windows you use when creating the rule. As new settings are added to later versions of Windows or to service packs for existing versions of Windows, the version number of the rules processing engine is updated, and that version number is stamped into rules that are created by using that version of Windows. For example, Windows Vista produces firewall rules that are stamped with version "v2.0". Future versions of Windows might use "v2.1", or "v3.0" to indicate, respectively, minor or major changes and additions. + +If you create a firewall rule on a newer version of Windows that references firewall settings that are not available on earlier versions of Windows, and then try to deploy that rule to computers running the earlier version of Windows, the firewall engine produces this error to indicate that it cannot process the rule. + +The only solution is to remove the incompatible rule, and then deploy a compatible rule. + +There is no example of this event in this document. 
+ +***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md) + +***Event Schema:*** + +*Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.* + +*%t* + +*Profile:%t%1* + +*Partially Ignored Rule:* + +*%tID:%t%2* + +*%tName:%t%3* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues. + diff --git a/windows/keep-secure/event-4953.md b/windows/keep-secure/event-4953.md new file mode 100644 index 0000000000..5f4046b134 --- /dev/null +++ b/windows/keep-secure/event-4953.md @@ -0,0 +1,104 @@ +--- +title: 4953(F) Windows Firewall ignored a rule because it could not be parsed. (Windows 10) +description: Describes security event 4953(F) Windows Firewall ignored a rule because it could not be parsed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4953(F): Windows Firewall ignored a rule because it could not be parsed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4953 illustration + +***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md) + +***Event Description:*** + +This event generates if Windows Firewall was not able to parse Windows Firewall rule for some reason. + +It can happen if Windows Firewall rule registry entry was corrupted. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4953 + 0 + 0 + 13571 + 0 + 0x8010000000000000 + + 1052340 + + + Security + DC01.contoso.local + + +- + All + An error occurred. + {08CBB349-D158-46BE-81E1-2ABC59BDD523} + - + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Profile** \[Type = UnicodeString\]**:** the name of the profile of the ignored rule. Possible values are: + +- All + +- Domain,Public + +- Domain,Private + +- Private,Public + +- Public + +- Domain + +- Private + +**Reason for Rejection** \[Type = UnicodeString\]**:** the reason, why the rule was ignored. + +**Rule:** + +- **ID** \[Type = UnicodeString\]: the unique identifier for ignored firewall rule. + + To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + +Registry Editor FirewallRules key illustration + +- **Name** \[Type = UnicodeString\]: the name of the rule which was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: + +Windows Firewall with Advanced Security illustration + +## Security Monitoring Recommendations + +For 4953(F): Windows Firewall ignored a rule because it could not be parsed. + +- This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues. + diff --git a/windows/keep-secure/event-4954.md b/windows/keep-secure/event-4954.md new file mode 100644 index 0000000000..313eef1046 --- /dev/null 
+++ b/windows/keep-secure/event-4954.md @@ -0,0 +1,67 @@ +--- +title: 4954(S) Windows Firewall Group Policy settings have changed. The new settings have been applied. (Windows 10) +description: Describes security event 4954(S) Windows Firewall Group Policy settings have changed. The new settings have been applied. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4954(S): Windows Firewall Group Policy settings have changed. The new settings have been applied. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4954 illustration + +***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md) + +***Event Description:*** + +This event generates every time Windows Firewall group policy is changed, locally or from Active Directory Group Policy. + +This event generates every time local Group Policy is refreshed, even if no Windows Firewall settings were modified or presented. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4954 + 0 + 0 + 13571 + 0 + 0x8020000000000000 + + 1049893 + + + Security + DC01.contoso.local + + + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +For 4954(S): Windows Firewall Group Policy settings have changed. The new settings have been applied. + +- Unfortunately this event generates every time local Group Policy is refreshed and does not indicate that settings really were modified. Typically this event can be ignored. + diff --git a/windows/keep-secure/event-4956.md b/windows/keep-secure/event-4956.md new file mode 100644 index 0000000000..598387895b --- /dev/null +++ b/windows/keep-secure/event-4956.md @@ -0,0 +1,79 @@ +--- +title: 4956(S) Windows Firewall has changed the active profile. (Windows 10) +description: Describes security event 4956(S) Windows Firewall has changed the active profile. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4956(S): Windows Firewall has changed the active profile. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4956 illustration + +***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md) + +***Event Description:*** + +This event generates when Windows Firewall has changed the active profile. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4956 + 0 + 0 + 13571 + 0 + 0x8020000000000000 + + 1050811 + + + Security + DC01.contoso.local + + +- + Domain + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**New Active Profile** \[Type = UnicodeString\]**:** the name of the new active profile. Possible values are: + +- Domain + +- Public + +- Private + +## Security Monitoring Recommendations + +For 4956(S): Windows Firewall has changed the active profile. + +- Typically this event has an informational purpose. + +- For domain joined machines you could monitor for all events where **New Active Profile** doesn’t equal **“Domain”**. This indicates that the computer was connected to another non-domain network. + diff --git a/windows/keep-secure/event-4957.md b/windows/keep-secure/event-4957.md new file mode 100644 index 0000000000..1d651773dd --- /dev/null +++ b/windows/keep-secure/event-4957.md @@ -0,0 +1,87 @@ +--- +title: 4957(F) Windows Firewall did not apply the following rule. (Windows 10) +description: Describes security event 4957(F) Windows Firewall did not apply the following rule. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4957(F): Windows Firewall did not apply the following rule. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4957 illustration + +***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md) + +***Event Description:*** + +This event generates when Windows Firewall starts or apply new rule, and the rule cannot be applied for some reason. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4957 + 0 + 0 + 13571 + 0 + 0x8010000000000000 + + 1049892 + + + Security + DC01.contoso.local + + +- + CoreNet-Teredo-In + Core Networking - Teredo (UDP-In) + Local Port + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Rule Information:** + +- **ID** \[Type = UnicodeString\]: the unique identifier for not applied firewall rule. + + To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + +Registry Editor FirewallRules key illustration + +- **Name** \[Type = UnicodeString\]: the name of the rule which was not applied. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: + +Windows Firewall with Advanced Security illustration + +**Error Information:** + +- **Reason** \[Type = UnicodeString\]: the reason why the rule was not applied. + +## Security Monitoring Recommendations + +For 4957(F): Windows Firewall did not apply the following rule. + +- This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues. + diff --git a/windows/keep-secure/event-4958.md b/windows/keep-secure/event-4958.md new file mode 100644 index 0000000000..aec78e8144 --- /dev/null +++ b/windows/keep-secure/event-4958.md 
@@ -0,0 +1,43 @@ +--- +title: 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. (Windows 10) +description: Describes security event 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4958(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Windows Firewall with Advanced Security processed a rule that contains parameters that cannot be resolved on the local computer. The rule is therefore not enforceable on the computer and so is excluded from the runtime state of the firewall. This is not necessarily an error. Examine the rule for applicability on the computers to which it was applied. + +There is no example of this event in this document. + +***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md) + +***Event Schema:*** + +*Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: +Rule Information: +%tID:%t%1 +%tName:%t%2 +Error Information: +%tError:%t%3 +%tReason:%t%4* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues. + diff --git a/windows/keep-secure/event-4964.md b/windows/keep-secure/event-4964.md new file mode 100644 index 0000000000..96d32ccc21 --- /dev/null 
+++ b/windows/keep-secure/event-4964.md @@ -0,0 +1,159 @@ +--- +title: 4964(S) Special groups have been assigned to a new logon. (Windows 10) +description: Describes security event 4964(S) Special groups have been assigned to a new logon. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4964(S): Special groups have been assigned to a new logon. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4964 illustration + +***Subcategory:*** [Audit Special Logon](audit-special-logon.md) + +***Event Description:*** + +This event occurs when an account that is a member of any defined [Special Group](http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) logs in. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4964 + 0 + 0 + 12548 + 0 + 0x8020000000000000 + + 238923 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0xd972e + {00000000-0000-0000-0000-000000000000} + S-1-5-21-3457937927-2839227994-823803824-500 + ladmin + CONTOSO + 0x139faf + {B03B6192-09AE-E77F-DD10-2DC430766040} + %{S-1-5-21-3457937927-2839227994-823803824-512} + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +> **Note**  Special Groups is a new feature in Windows Vista and in Windows Server 2008. The Special Groups feature lets the administrator find out when a member of a certain group logs on to the computer. The Special Groups feature lets an administrator set a list of group security identifiers (SIDs) in the registry. + +> To add Special Groups perform the following actions: + +> 1. Open Registry Editor. + +> 2. Locate and then click the following registry subkey: HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\Audit + +> 3. On the Edit menu, point to New, and then click String Value. + +> 4. Type SpecialGroups, and then press ENTER. + +> 5. Right-click SpecialGroups, and then click Modify. + +> 6. In the Value date box, type the group SIDs, and then click OK. + +> A semicolon character (;) can be used to delimit the SID list. For example, you can use the following string that contains a semicolon to delimit two SIDs: + +> S-1-5-32-544;S-1-5-32-123-54-65 + +> For more information see: + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested logon for **New Logon** account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. 
+ +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested logon for **New Logon** account. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. 
+ +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +- **Logon GUID** \[Type = GUID\]: a GUID that can help you correlate this event with another event that can contain the same **Logon GUID**, “[4769](event-4769.md)(S, F): A Kerberos service ticket was requested event on a domain controller. + + It also can be used for correlation between a 4964 event and several other events (on the same computer) that can contain the same **Logon GUID**, “[4648](event-4648.md)(S): A logon was attempted using explicit credentials” and “[4624](event-4624.md)(S): An account was successfully logged on.” + + This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”. + +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +**New Logon:** + +- **Security ID** \[Type = SID\]**:** SID of account that performed the logon. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that performed the logon. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. 
+ + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +- **Logon GUID** \[Type = GUID\]: a GUID that can help you correlate this event with another event that can contain the same **Logon GUID**, “[4769](event-4769.md)(S, F): A Kerberos service ticket was requested event on a domain controller. + + It also can be used for correlation between a 4964 event and several other events (on the same computer) that can contain the same **Logon GUID**, “[4648](event-4648.md)(S): A logon was attempted using explicit credentials” and “[4624](event-4624.md)(S): An account was successfully logged on.” + + This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”. + +- **Special Groups Assigned** \[Type = UnicodeString\]: the list of special group SIDs, which **New Logon\\Security ID** is a member of. + +## Security Monitoring Recommendations + +For 4964(S): Special groups have been assigned to a new logon. + +- Generally speaking, every [4964](event-4964.md) event should be monitored, because the purpose of Special Groups is to define a list of critical or important groups (Domain Admins, Enterprise Admins, service account groups, and so on) and trigger an event every time a member of these groups logs on to a computer. For example, you can monitor for every Domain Administrators logon to a non-administrative workstation. + diff --git a/windows/keep-secure/event-4985.md b/windows/keep-secure/event-4985.md new file mode 100644 index 0000000000..f9737372fc --- /dev/null +++ b/windows/keep-secure/event-4985.md 
@@ -0,0 +1,121 @@ +--- +title: 4985(S) The state of a transaction has changed. (Windows 10) +description: Describes security event 4985(S) The state of a transaction has changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4985(S): The state of a transaction has changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 4985 illustration + +***Subcategories:*** [Audit File System](audit-file-system.md), [Audit Non Sensitive Privilege Use](audit-non-sensitive-privilege-use.md), [Audit Other Privilege Use Events](audit-other-privilege-use-events.md), and [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) + +***Event Description:*** + +This is an informational event from file system [Transaction Manager](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366385(v=vs.85).aspx). + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 4985 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + 274277 + + + Security + DC01.contoso.local + + +- + S-1-5-18 + DC01$ + CONTOSO + 0x3e7 + {17EF5E21-5E2C-11E5-810F-00155D987005} + 52 + {5F5ED427-FCCA-11E3-BD73-B54AB417B853} + 0x370 + C:\\Windows\\System32\\svchost.exe + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account through which the state of the transaction was changed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that changed the state of the transaction. + +- **Account Domain** \[Type = UnicodeString\]**:** domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Transaction Information:** + +- **RM Transaction ID** \[Type = GUID\]: unique GUID of the [transaction](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366402(v=vs.85).aspx). This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4656](event-4656.md)(S, F): A handle to an object was requested.” + +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +- **New State** \[Type = UInt32\]**:** identifier of the new state of the [transaction](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366402(v=vs.85).aspx). + +- **Resource Manager** \[Type = GUID\]**:** unique GUID-Identifier of the [Resource Manager](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366356(v=vs.85).aspx) which associated with this [transaction](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366402(v=vs.85).aspx). + +**Process Information:** + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the state of the transaction was changed. 
Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + +## Security Monitoring Recommendations + +For 4985(S): The state of a transaction has changed. + +- This event typically has no security relevance and used for [Transaction Manager](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366385(v=vs.85).aspx) troubleshooting. + diff --git a/windows/keep-secure/event-5024.md b/windows/keep-secure/event-5024.md new file mode 100644 index 0000000000..c06e33a285 --- /dev/null +++ b/windows/keep-secure/event-5024.md @@ -0,0 +1,69 @@ +--- +title: 5024(S) The Windows Firewall Service has started successfully. (Windows 10) +description: Describes security event 5024(S) The Windows Firewall Service has started successfully. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5024(S): The Windows Firewall Service has started successfully. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5024 illustration + +***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) + +***Event Description:*** + +This event generates when Windows Firewall (MpsSvc) service has started successfully. + +This event is typically logged during operating system startup process. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5024 + 0 + 0 + 12292 + 0 + 0x8020000000000000 + + 1101613 + + + Security + DC01.contoso.local + + + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +For 5024(S): The Windows Firewall Service has started successfully. + +- Typically this event has an informational purpose. It’s logged during operating system startup process. + +- You should not see this event after system startup, so we recommend that you monitor it when it occurs outside the system startup process. + diff --git a/windows/keep-secure/event-5025.md b/windows/keep-secure/event-5025.md new file mode 100644 index 0000000000..2e871f2ce0 --- /dev/null +++ b/windows/keep-secure/event-5025.md @@ -0,0 +1,69 @@ +--- +title: 5025(S) The Windows Firewall Service has been stopped. (Windows 10) +description: Describes security event 5025(S) The Windows Firewall Service has been stopped. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5025(S): The Windows Firewall Service has been stopped. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5025 illustration + +***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) + +***Event Description:*** + +This event generates when Windows Firewall (MpsSvc) service has been stopped. + +This event is typically logged during operating system shutdown process. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5025 + 0 + 0 + 12292 + 0 + 0x8020000000000000 + + 1101606 + + + Security + DC01.contoso.local + + + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +For 5025(S): The Windows Firewall Service has been stopped. + +- Typically this event has an informational purpose. It’s logged during operating system shutdown process. + +- You should not see this event after system startup, so we recommend that you monitor it when it occurs outside the system startup process. + diff --git a/windows/keep-secure/event-5027.md b/windows/keep-secure/event-5027.md new file mode 100644 index 0000000000..d8f0c10631 --- /dev/null +++ b/windows/keep-secure/event-5027.md 
@@ -0,0 +1,75 @@ +--- +title: 5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. (Windows 10) +description: Describes security event 5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5027(F): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5027 illustration + +***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) + +***Event Description:*** + +This error indicates one of two situations, low memory resources or Windows Firewall group policy registry corruption. + +Typically if this event occurs it indicates that Windows Firewall service was not able to start. + +It typically occurs with “[5028](event-5028.md)(S): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.” + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5027 + 0 + 0 + 12292 + 0 + 0x8010000000000000 + + 1101848 + + + Security + DC01.contoso.local + + +- + 2147942413 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Error Code** \[Type = UInt32\]**:** unique error code. For information about error codes meanings for this event use or other informational resources. + +## Security Monitoring Recommendations + +For 5027(F): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. + +- This event can be a sign of software or operating system issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues. + diff --git a/windows/keep-secure/event-5028.md b/windows/keep-secure/event-5028.md new file mode 100644 index 0000000000..c5dd276e84 --- /dev/null +++ b/windows/keep-secure/event-5028.md 
@@ -0,0 +1,75 @@ +--- +title: 5028(F) The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. (Windows 10) +description: Describes security event 5028(F) The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5028(F): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5028 illustration + +***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) + +***Event Description:*** + +This error indicates one of two situations, low memory resources or Windows Firewall group policy registry corruption. + +Typically if this event occurs it indicates that Windows Firewall service was not able to start. + +It typically occurs with “[5027](event-5027.md)(S): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.” + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5028 + 0 + 0 + 12292 + 0 + 0x8010000000000000 + + 1101849 + + + Security + DC01.contoso.local + + +- + 2147942413 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Error Code** \[Type = UInt32\]**:** unique error code. For information about error codes meanings for this event use or other informational resources. + +## Security Monitoring Recommendations + +For 5028(F): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. + +- This event can be a sign of software or operating system issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues. + diff --git a/windows/keep-secure/event-5029.md b/windows/keep-secure/event-5029.md new file mode 100644 index 0000000000..8bd1677e18 --- /dev/null +++ b/windows/keep-secure/event-5029.md 
@@ -0,0 +1,39 @@ +--- +title: 5029(F) The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. (Windows 10) +description: Describes security event 5029(F) The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5029(F): The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Windows logs an error if either the Windows Firewall service or its driver fails to start, or if they unexpectedly terminate. The error message indicates the cause of the service failure by including an error code in the text of the message. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) + +***Event Schema:*** + +*The Windows Firewall service failed to initialize the driver. Windows Firewall will continue to enforce the current policy.* + +*Error Code:%1* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- This event can be a sign of software or operating system issues, or a sign of malicious activity that corrupted Windows Firewall Driver. We recommend monitoring this event and investigating the reason for the condition. + diff --git a/windows/keep-secure/event-5030.md b/windows/keep-secure/event-5030.md new file mode 100644 index 0000000000..2ae7dc1fd3 --- /dev/null +++ b/windows/keep-secure/event-5030.md 
@@ -0,0 +1,41 @@ +--- +title: 5030(F) The Windows Firewall Service failed to start. (Windows 10) +description: Describes security event 5030(F) The Windows Firewall Service failed to start. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5030(F): The Windows Firewall Service failed to start. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Windows logs this event if the Windows Firewall service fails to start, or if it unexpectedly terminates. The error message indicates the cause of the service failure by including an error code in the text of the message. + +This event doesn't generate during Windows Firewall service failures if Windows Firewall policy is incorrect\\corrupted or one of the service dependencies was not started. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) + +***Event Schema:*** + +*The Windows Firewall service failed to start.* + +*Error Code:%1* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- This event can be a sign of software or operating system issues, or a sign of malicious activity that corrupted Windows Firewall Driver. We recommend monitoring this event and investigating the reason for the condition. + diff --git a/windows/keep-secure/event-5031.md b/windows/keep-secure/event-5031.md new file mode 100644 index 0000000000..6a4e5a375b --- /dev/null +++ b/windows/keep-secure/event-5031.md 
@@ -0,0 +1,88 @@ +--- +title: 5031(F) The Windows Firewall Service blocked an application from accepting incoming connections on the network. (Windows 10) +description: Describes security event 5031(F) The Windows Firewall Service blocked an application from accepting incoming connections on the network. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5031 illustration + +***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md) + +***Event Description:*** + +This event generates when an application was blocked from accepting incoming connections on the network by [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx). + +If you don’t have any firewall rules (Allow or Deny) in Windows Firewall for specific applications, you will get this event from [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) layer, because by default this layer is denying any incoming connections. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5031 + 0 + 0 + 12810 + 0 + 0x8010000000000000 + + 304373 + + + Security + DC01.contoso.local + + +- + Domain + C:\\documents\\listener.exe + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +- **Profiles** \[Type = UnicodeString\]: network profile using which application was blocked. Possible values: + + - Domain + + - Public + + - Private + +- **Application** \[Type = UnicodeString\]: full path and file name of executable file for blocked application. + +## Security Monitoring Recommendations + +For 5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network. + +- You can use this event to detect applications for which no Windows Firewall rules were created. + +- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application. + +- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + +- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.” + diff --git a/windows/keep-secure/event-5032.md b/windows/keep-secure/event-5032.md new file mode 100644 index 0000000000..ae74c91364 --- /dev/null +++ b/windows/keep-secure/event-5032.md 
@@ -0,0 +1,41 @@ +--- +title: 5032(F) Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. (Windows 10) +description: Describes security event 5032(F) Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5032(F): Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Windows Firewall with Advanced Security can be configured to notify the user when an application is blocked by the firewall, and ask if the application should continue to be blocked in the future. + +This event generates if Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) + +***Event Schema:*** + +*Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.* + +*Error Code:%1* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-5033.md b/windows/keep-secure/event-5033.md new file mode 100644 index 0000000000..850dd18213 --- /dev/null +++ b/windows/keep-secure/event-5033.md 
@@ -0,0 +1,69 @@ +--- +title: 5033(S) The Windows Firewall Driver has started successfully. (Windows 10) +description: Describes security event 5033(S) The Windows Firewall Driver has started successfully. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5033(S): The Windows Firewall Driver has started successfully. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5033 illustration + +***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) + +***Event Description:*** + +This event generates when Windows Firewall driver (Windows Firewall Authorization Driver service) has started successfully. + +This event is typically logged during operating system startup process. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5033 + 0 + 0 + 12292 + 0 + 0x8020000000000000 + + 1101612 + + + Security + DC01.contoso.local + + + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +For 5033(S): The Windows Firewall Driver has started successfully. + +- Typically this event has an informational purpose. It’s logged during operating system startup process. + +- You should not see this event after system startup, so we recommend that you monitor it when it occurs outside the system startup process. + diff --git a/windows/keep-secure/event-5034.md b/windows/keep-secure/event-5034.md new file mode 100644 index 0000000000..ff3fb85462 --- /dev/null +++ b/windows/keep-secure/event-5034.md @@ -0,0 +1,69 @@ +--- +title: 5034(S) The Windows Firewall Driver was stopped. (Windows 10) +description: Describes security event 5034(S) The Windows Firewall Driver was stopped. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5034(S): The Windows Firewall Driver was stopped. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5034 illustration + +***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) + +***Event Description:*** + +This event generates when Windows Firewall driver (Windows Firewall Authorization Driver service) was stopped. + +This event is NOT logged during the operating system shutdown process. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5034 + 0 + 0 + 12292 + 0 + 0x8020000000000000 + + 1101856 + + + Security + DC01.contoso.local + + + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +For 5034(S): The Windows Firewall Driver was stopped. + +- This event is NOT logged during the operating system shutdown process. + +- You should not see this event during normal operating system operations, so we recommend that when it occurs, you investigate why the Windows Firewall driver was stopped. + diff --git a/windows/keep-secure/event-5035.md b/windows/keep-secure/event-5035.md new file mode 100644 index 0000000000..1bfd2005f7 --- /dev/null +++ b/windows/keep-secure/event-5035.md 
@@ -0,0 +1,39 @@ +--- +title: 5035(F) The Windows Firewall Driver failed to start. (Windows 10) +description: Describes security event 5035(F) The Windows Firewall Driver failed to start. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5035(F): The Windows Firewall Driver failed to start. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Windows logs this event if Windows Firewall driver fails to start, or if it unexpectedly terminates. The error message indicates the cause of the failure by including an error code in the text of the message. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) + +***Event Schema:*** + +*The Windows Firewall Driver failed to start.* + +*Error Code:%1* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- This event can be a sign of software or operating system issues, or a sign of malicious activity that corrupted Windows Firewall Driver. We recommend monitoring this event and investigating the reason for the condition. + diff --git a/windows/keep-secure/event-5037.md b/windows/keep-secure/event-5037.md new file mode 100644 index 0000000000..74d89cfcb2 --- /dev/null +++ b/windows/keep-secure/event-5037.md 
@@ -0,0 +1,39 @@ +--- +title: 5037(F) The Windows Firewall Driver detected critical runtime error. Terminating. (Windows 10) +description: Describes security event 5037(F) The Windows Firewall Driver detected critical runtime error. Terminating. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5037(F): The Windows Firewall Driver detected critical runtime error. Terminating. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Windows logs this event if Windows Firewall driver fails to start, or if it unexpectedly terminates. The error message indicates the cause of the failure by including an error code in the text of the message. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) + +***Event Schema:*** + +*The Windows Firewall Driver detected a critical runtime error, terminating.* + +*Error Code:%1* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- This event can be a sign of software or operating system issues, or a sign of malicious activity that corrupted Windows Firewall Driver. We recommend monitoring this event and investigating the reason for the condition. + diff --git a/windows/keep-secure/event-5038.md b/windows/keep-secure/event-5038.md new file mode 100644 index 0000000000..03e3a001cb --- /dev/null +++ b/windows/keep-secure/event-5038.md 
@@ -0,0 +1,37 @@ +--- +title: 5038(F) Code integrity determined that the image hash of a file is not valid. (Windows 10) +description: Describes security event 5038(F) Code integrity determined that the image hash of a file is not valid. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5038(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. + +This event generates by [Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) feature, if signature of a file is not valid. + +Code Integrity is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. + +There is no example of this event in this document. + +***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) + +***Event Schema:*** + +*Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.* + +*File Name: %filepath\\filename%* + +## Security Monitoring Recommendations + +- We recommend monitoring for this event, especially on high value assets or computers, because it can be a sign of a software or configuration issue, or a malicious action. + 
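Review bot: event-5038.md is missing the ***Required Server Roles:***, ***Minimum OS Version:*** and ***Event Versions:*** lines that every other new event page in this change carries between the Event Schema and the Security Monitoring Recommendations; please add them so the page set stays uniform. While there, the sentence "This event generates by [Code Integrity](...) feature, if signature of a file is not valid." should read "This event is generated by the [Code Integrity](...) feature if the signature of a file is not valid."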
diff --git a/windows/keep-secure/event-5039.md b/windows/keep-secure/event-5039.md new file mode 100644 index 0000000000..7efc527d45 --- /dev/null +++ b/windows/keep-secure/event-5039.md @@ -0,0 +1,63 @@ +--- +title: 5039(-) A registry key was virtualized. (Windows 10) +description: Describes security event 5039(-) A registry key was virtualized. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5039(-): A registry key was virtualized. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event should be generated when registry key was virtualized using [LUAFV](http://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx). + +This event occurs very rarely during during standard LUAFV registry key virtualization. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Registry](audit-registry.md) + +***Event Schema:*** + +*A registry key was virtualized.* + +*Subject:* + +> *Security ID:%1%* +> +> *Account Name:%2* +> +> *Account Domain:%3* +> +> *Logon ID:%4* + +*Object:* + +> *Key Name:%5* +> +> *Virtual Key Name:%6* + +*Process Information:* + +> *Process ID:%7* +> +> *Process Name%8* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + + + diff --git a/windows/keep-secure/event-5051.md b/windows/keep-secure/event-5051.md new file mode 100644 index 0000000000..925586c371 --- /dev/null +++ b/windows/keep-secure/event-5051.md 
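Review bot: several typos in the 5039 body: "occurs very rarely during during standard LUAFV" doubles "during", the schema line "Security ID:%1%" has a stray trailing "%" (the other schemas use "%1"), and "Process Name%8" is missing its colon. The opening "This event should be generated when registry key was virtualized" hedges; state plainly that the event is generated when a registry key is virtualized by LUAFV and that it only appears if the Audit Registry subcategory named below is enabled. The LUAFV reference is a personal blog post; if an official reference exists, prefer it.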
@@ -0,0 +1,61 @@ +--- +title: 5051(-) A file was virtualized. (Windows 10) +description: Describes security event 5051(-) A file was virtualized. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5051(-): A file was virtualized. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event should be generated when file was virtualized using [LUAFV](http://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx). + +This event occurs very rarely during standard LUAFV file virtualization. + +There is no example of this event in this document. + +***Subcategory:*** [Audit File System](audit-file-system.md) + +***Event Schema:*** + +*A file was virtualized.* + +*Subject:* + +> *Security ID:%1%* +> +> *Account Name:%2* +> +> *Account Domain:%3* +> +> *Logon ID:%4* + +*Object:* + +> *File Name:%5* +> +> *Virtual File Name:%6* + +*Process Information:* + +> *Process ID:%7* +> +> *Process Name%8* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-5056.md b/windows/keep-secure/event-5056.md new file mode 100644 index 0000000000..112eec47ed --- /dev/null +++ b/windows/keep-secure/event-5056.md 
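Review bot: 5051 repeats the 5039 schema defects, "Security ID:%1%" with a stray trailing "%" and "Process Name%8" without a colon, and the same hedged opener "This event should be generated when file was virtualized"; apply the same fixes here ("is generated when a file is virtualized by LUAFV"). Since the two pages are near-duplicates apart from key/file wording, it is worth checking them against each other before merge so they do not drift.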
@@ -0,0 +1,63 @@ +--- +title: 5056(S) A cryptographic self-test was performed. (Windows 10) +description: Describes security event 5056(S) A cryptographic self-test was performed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5056(S): A cryptographic self-test was performed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates in CNG Self-Test function. This is a Cryptographic Next Generation (CNG) function. + +For more information about Cryptographic Next Generation (CNG) visit these pages: + +- + +- + +- + +- + +This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. + +There is no example of this event in this document. + +***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) + +***Event Schema:*** + +*A cryptographic self test was performed.* + +*Subject:* + +> *Security ID%1* +> +> *Account Name:%2* +> +> *Account Domain:%3* +> +> *Logon ID:%4* + +*Module:%5* + +*Return Code:%6* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- Typically this event is required for detailed monitoring of CNG-related actions with cryptographic keys. If you need to monitor or troubleshoot actions related to specific cryptographic keys and operations, review this event to see if it provides the information you need. + diff --git a/windows/keep-secure/event-5057.md b/windows/keep-secure/event-5057.md new file mode 100644 index 0000000000..1c1207d464 --- /dev/null +++ b/windows/keep-secure/event-5057.md 
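Review bot: the four bullets under "For more information about Cryptographic Next Generation (CNG) visit these pages:" are empty; the URLs were lost (most likely bare autolinks stripped during conversion), so either restore them as [title](url) links or drop the heading. "Security ID%1" is missing its colon. The recommendation ("detailed monitoring of CNG-related actions with cryptographic keys ... specific cryptographic keys and operations") does not match this event, whose schema carries only "Module:%5" and "Return Code:%6" and no key information; reword it around those two fields. The same paragraph is pasted into 5057, 5060 and 5062, so fix it once and reuse the corrected text.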
@@ -0,0 +1,71 @@ +--- +title: 5057(F) A cryptographic primitive operation failed. (Windows 10) +description: Describes security event 5057(F) A cryptographic primitive operation failed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5057(F): A cryptographic primitive operation failed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates in case of CNG primitive operation failure. + +For more information about Cryptographic Next Generation (CNG) visit these pages: + +- + +- + +- + +- + +This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. + +There is no example of this event in this document. + +***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) + +***Event Schema:*** + +*A cryptographic primitive operation failed.* + +*Subject:* + +> *Security ID%1* +> +> *Account Name:%2* +> +> *Account Domain:%3* +> +> *Logon ID:%4* + +*Cryptographic Parameters:* + +> *Provider Name:%5* +> +> *Algorithm Name%6* + +*Failure Information:* + +> *Reason:%7* +> +> *Return Code:%8* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- Typically this event is required for detailed monitoring of CNG-related actions with cryptographic keys. If you need to monitor or troubleshoot actions related to specific cryptographic keys and operations, review this event to see if it provides the information you need. + diff --git a/windows/keep-secure/event-5058.md b/windows/keep-secure/event-5058.md new file mode 100644 index 0000000000..b8b0f16ef4 --- /dev/null +++ b/windows/keep-secure/event-5058.md 
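Review bot: same empty CNG reference bullets as 5056, and two schema lines are missing colons ("Security ID%1", "Algorithm Name%6"). The recommendation is the generic CNG paragraph again; for this (F) event the schema actually has fields worth naming ("Provider Name:%5", "Algorithm Name%6", "Reason:%7", "Return Code:%8"), so say that Reason and Return Code are the fields to pivot on when a primitive operation fails, rather than pointing readers at "specific cryptographic keys" the event does not record.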
@@ -0,0 +1,161 @@ +--- +title: 5058(S, F) Key file operation. (Windows 10) +description: Describes security event 5058(S, F) Key file operation. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5058(S, F): Key file operation. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5058 illustration + +***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) + +***Event Description:*** + +This event generates when an operation (read, write, delete, and so on) was performed on a file that contains a KSP key by using a [Key Storage Provider](https://msdn.microsoft.com/en-us/library/windows/desktop/bb931355(v=vs.85).aspx) (KSP). This event generates only if one of the following KSPs were used: + +- Microsoft Software Key Storage Provider + +- Microsoft Smart Card Key Storage Provider + +You can see these events, for example, during certificate renewal or export operations using KSP. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5058 + 0 + 0 + 12292 + 0 + 0x8020000000000000 + + 1048275 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x38e2d + Microsoft Software Key Storage Provider + ECDH\_P521 + le-SuperAdmin-5e350d8e-ae46-458c-bac0-d8f3279c944e + %%2500 + C:\\Users\\dadmin\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\c0a496c6786f0d25e8624fee96e4e580\_7a1bf91d-ebdd-449c-825d-c97f2f47cd01 + %%2459 + 0x0 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested key file operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested key file operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Cryptographic Parameters:** + +- **Provider Name** \[Type = UnicodeString\]**:** the name of KSP through which the operation was performed. Can have one of the following values: + + - Microsoft Software Key Storage Provider + + - Microsoft Smart Card Key Storage Provider + +- **Algorithm Name** \[Type = UnicodeString\]: the name of cryptographic algorithm through which the key was used or accessed. For “Read persisted key from file” operation, this typically has “**UNKNOWN**” value. Can also have one of the following values: + + - RSA – algorithm created by Ron Rivest, Adi Shamir, and Leonard Adleman. + + - DSA – Digital Signature Algorithm. + + - DH – Diffie-Hellman. + + - ECDH\_P521 – Elliptic Curve Diffie-Hellman algorithm with 512-bit key length. + + - ECDH\_P384 – Elliptic Curve Diffie-Hellman algorithm with 384-bit key length. + + - ECDH\_P256 – Elliptic Curve Diffie-Hellman algorithm with 256-bit key length. + + - ECDSA\_P256 – Elliptic Curve Digital Signature Algorithm with 256-bit key length. + + - ECDSA\_P384 – Elliptic Curve Digital Signature Algorithm with 384-bit key length. + + - ECDSA\_P521 – Elliptic Curve Digital Signature Algorithm with 521-bit key length. 
+ +- **Key Name** \[Type = UnicodeString\]: the name of the key (key container) with which operation was performed. For example, to get the list of **Key Names** for certificates for logged in user you can use “**certutil -store -user my**” command and check **Key Container** parameter in the output. Here is an output example: + +Certutil command illustration + +- **Key Type** \[Type = UnicodeString\]: can have one of the following values: + + - “User key.” – user’s cryptographic key. + + - “Machine key.” – machine’s cryptographic key. + +**Key File Operation Information:** + +- **File Path** \[Type = UnicodeString\]: full path and filename of the key file on which the operation was performed. + +- **Operation** \[Type = UnicodeString\]: performed operation. Examples: + + - Write persisted key to file. + + - Read persisted key from file. + + - Delete key file. + +- **Return Code** \[Type = HexInt32\]: has “**0x0**” value for Success events. For failure events, provides a hexadecimal error code number. + +## Security Monitoring Recommendations + +For 5058(S, F): Key file operation. + +- Typically this event is required for detailed monitoring of KSP-related actions with cryptographic keys. If you need to monitor actions related to specific cryptographic keys (**“Key Name”**) or a specific **“Operation”**, such as **“Delete key file”**, create monitoring rules and use this event as an information source. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + diff --git a/windows/keep-secure/event-5059.md b/windows/keep-secure/event-5059.md new file mode 100644 index 0000000000..3a1b397f62 --- /dev/null +++ b/windows/keep-secure/event-5059.md 
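Review bot: factual error in the Algorithm Name list: "ECDH_P521 – Elliptic Curve Diffie-Hellman algorithm with 512-bit key length" should say 521-bit (the curve is P-521, and the "ECDSA_P521 – ... 521-bit key length" entry a few lines later has it right). The "Event XML" block has lost its tags and now reads as a bare column of values ("- - 5058 0 0 12292 0 ..."); the sample needs its <Event>/<System>/<EventData> markup escaped or fenced so the structure survives rendering. "Event 5058 illustration" and "Certutil command illustration" are image alt text with no image reference left; restore the image links or remove the lines. The XML also shows the raw "%%2500" and "%%2459" parameter strings in the Key Type and Operation positions while the field descriptions show rendered text ("User key.", "Read persisted key from file."); a sentence saying that these are unrendered message parameters would stop readers from searching logs for the wrong string.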
@@ -0,0 +1,156 @@ +--- +title: 5059(S, F) Key migration operation. (Windows 10) +description: Describes security event 5059(S, F) Key migration operation. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5059(S, F): Key migration operation. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5059 illustration + +***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) + +***Event Description:*** + +This event generates when a cryptographic key is exported or imported using a [Key Storage Provider](https://msdn.microsoft.com/en-us/library/windows/desktop/bb931355(v=vs.85).aspx) (KSP). This event generates only if one of the following KSPs were used: + +- Microsoft Software Key Storage Provider + +- Microsoft Smart Card Key Storage Provider + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5059 + 0 + 0 + 12292 + 0 + 0x8020000000000000 + + 1048447 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x38e2d + Microsoft Software Key Storage Provider + ECDH\_P521 + le-SuperAdmin-795fd6c1-2fae-4bef-a6bc-4f4d464bc083 + %%2500 + %%2464 + 0x0 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested key migration operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested key migration operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Cryptographic Parameters:** + +- **Provider Name** \[Type = UnicodeString\]**:** the name of KSP through which the operation was performed. Can have one of the following values: + + - Microsoft Software Key Storage Provider + + - Microsoft Smart Card Key Storage Provider + +- **Algorithm Name** \[Type = UnicodeString\]: the name of cryptographic algorithm through which the key was used or accessed. For “Read persisted key from file” operation, this typically has “**UNKNOWN**” value. Can also have one of the following values: + + - RSA – algorithm created by Ron Rivest, Adi Shamir, and Leonard Adleman. + + - DSA – Digital Signature Algorithm. + + - DH – Diffie-Hellman. + + - ECDH\_P521 – Elliptic Curve Diffie-Hellman algorithm with 512-bit key length. + + - ECDH\_P384 – Elliptic Curve Diffie-Hellman algorithm with 384-bit key length. + + - ECDH\_P256 – Elliptic Curve Diffie-Hellman algorithm with 256-bit key length. + + - ECDSA\_P256 – Elliptic Curve Digital Signature Algorithm with 256-bit key length. + + - ECDSA\_P384 – Elliptic Curve Digital Signature Algorithm with 384-bit key length. + + - ECDSA\_P521 – Elliptic Curve Digital Signature Algorithm with 521-bit key length. 
+ +- **Key Name** \[Type = UnicodeString\]: the name of the key (key container) with which operation was performed. For example, to get the list of **Key Names** for certificates for logged in user you can use “**certutil -store -user my**” command and check **Key Container** parameter in the output. Here is an output example: + +Certutil command illustration + +- **Key Type** \[Type = UnicodeString\]: can have one of the following values: + + - “User key.” – user’s cryptographic key. + + - “Machine key.” – machine’s cryptographic key. + +**Additional Information:** + +- **Operation** \[Type = UnicodeString\]: performed operation. Examples: + + - “**Export of persistent cryptographic key.**” – typically generates during key read operations, which means that the key was taken for read purposes. But it also generates during real key export operations (export certificate with private key, for example). + + - “**Import of persistent cryptographic key.**” – key import operation was performed (import certificate with private key, for example). + +- **Return Code** \[Type = HexInt32\]: has “**0x0**” value for Success events. For failure events, provides a hexadecimal error code number. + +## Security Monitoring Recommendations + +For 5059(S, F): Key migration operation. + +- Typically this event is required for detailed monitoring of KSP-related actions with cryptographic keys. If you need to monitor actions related to specific cryptographic keys (**“Key Name”)** or a specific **“Operation”**, such as **“Export of persistent cryptographic key”**, create monitoring rules and use this event as an information source. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- + diff --git a/windows/keep-secure/event-5060.md b/windows/keep-secure/event-5060.md new file mode 100644 index 0000000000..b568ea571b --- /dev/null 
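Review bot: the Algorithm Name list repeats the 5058 error, "ECDH_P521 – ... 512-bit key length" should be 521-bit, and the sentence "For 'Read persisted key from file' operation, this typically has 'UNKNOWN' value" is pasted from 5058 but refers to an operation 5059 does not have (its Operation values are "Export of persistent cryptographic key." and "Import of persistent cryptographic key."); drop it or tie it to this event's own operations. The trailing "- " bullet after the Important note at the end of the file should be removed. Same lost XML markup and dangling "illustration" alt text as 5058. The Operation description correctly warns that "Export of persistent cryptographic key" also fires on ordinary key reads; the Security Monitoring Recommendations should repeat that caveat, because a rule that alerts on every 5059 Export will fire on every read of the key and be tuned out.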
+++ b/windows/keep-secure/event-5060.md @@ -0,0 +1,75 @@ +'--- +title: 5060(F) Verification operation failed. (Windows 10) +description: Describes security event 5060(F) Verification operation failed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5060(F): Verification operation failed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates in case of CNG verification operation failure. + +For more information about Cryptographic Next Generation (CNG) visit these pages: + +- + +- + +- + +- + +This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. + +There is no example of this event in this document. + +***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) + +***Event Schema:*** + +*Verification operation failed.* + +*Subject:* + +> *Security ID%1* +> +> *Account Name:%2* +> +> *Account Domain:%3* +> +> *Logon ID:%4* + +*Cryptographic Parameters:* + +> *Provider Name:%5* +> +> *Algorithm Name%6* +> +> *Key Name:%7* +> +> *Key Type:%8* + +*Failure Information:* + +> *Reason:%7* +> +> *Return Code:%8* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- Typically this event is required for detailed monitoring of CNG-related actions with cryptographic keys. If you need to monitor or troubleshoot actions related to specific cryptographic keys and operations, review this event to see if it provides the information you need. + diff --git a/windows/keep-secure/event-5061.md b/windows/keep-secure/event-5061.md new file mode 100644 index 0000000000..886a4d7aba --- /dev/null +++ b/windows/keep-secure/event-5061.md 
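Review bot: the file begins with "+'---", a stray apostrophe before the YAML front matter delimiter; that will stop the front matter from being parsed and leak "'---" plus the metadata into the rendered page, so remove the apostrophe. The schema reuses placeholders: "Key Name:%7" and "Key Type:%8" under Cryptographic Parameters are followed by "Reason:%7" and "Return Code:%8" under Failure Information, so the Failure Information lines should be %9 and %10 (or whatever the manifest actually uses). "Security ID%1" and "Algorithm Name%6" are missing colons, and the CNG reference bullets are empty as in 5056 and 5057.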
@@ -0,0 +1,166 @@ +--- +title: 5061(S, F) Cryptographic operation. (Windows 10) +description: Describes security event 5061(S, F) Cryptographic operation. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5061(S, F): Cryptographic operation. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5061 illustration + +***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) + +***Event Description:*** + +This event generates when a cryptographic operation (open key, create key, create key, and so on) was performed using a [Key Storage Provider](https://msdn.microsoft.com/en-us/library/windows/desktop/bb931355(v=vs.85).aspx) (KSP). This event generates only if one of the following KSPs were used: + +- Microsoft Software Key Storage Provider + +- Microsoft Smart Card Key Storage Provider + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5061 + 0 + 0 + 12290 + 0 + 0x8020000000000000 + + 1048444 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x38e2d + Microsoft Software Key Storage Provider + ECDH\_P521 + le-SuperAdmin-795fd6c1-2fae-4bef-a6bc-4f4d464bc083 + %%2500 + %%2480 + 0x0 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested specific cryptographic operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested specific cryptographic operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Cryptographic Parameters:** + +- **Provider Name** \[Type = UnicodeString\]**:** the name of KSP through which the operation was performed. Can have one of the following values: + + - Microsoft Software Key Storage Provider + + - Microsoft Smart Card Key Storage Provider + +- **Algorithm Name** \[Type = UnicodeString\]: the name of cryptographic algorithm through which the key was used or accessed. For “Read persisted key from file” operation, this typically has “**UNKNOWN**” value. Can also have one of the following values: + + - RSA – algorithm created by Ron Rivest, Adi Shamir, and Leonard Adleman. + + - DSA – Digital Signature Algorithm. + + - DH – Diffie-Hellman. + + - ECDH\_P521 – Elliptic Curve Diffie-Hellman algorithm with 512-bit key length. + + - ECDH\_P384 – Elliptic Curve Diffie-Hellman algorithm with 384-bit key length. + + - ECDH\_P256 – Elliptic Curve Diffie-Hellman algorithm with 256-bit key length. + + - ECDSA\_P256 – Elliptic Curve Digital Signature Algorithm with 256-bit key length. + + - ECDSA\_P384 – Elliptic Curve Digital Signature Algorithm with 384-bit key length. + + - ECDSA\_P521 – Elliptic Curve Digital Signature Algorithm with 521-bit key length. 
+ +- **Key Name** \[Type = UnicodeString\]: the name of the key (key container) with which operation was performed. For example, to get the list of **Key Names** for certificates for logged in user you can use “**certutil -store -user my**” command and check **Key Container** parameter in the output. Here is an output example: + +Certutil command illustration + +- **Key Type** \[Type = UnicodeString\]: can have one of the following values: + + - “User key.” – user’s cryptographic key. + + - “Machine key.” – machine’s cryptographic key. + +**Cryptographic Operation:** + +- **Operation** \[Type = UnicodeString\]: performed operation. Possible values: + + - Open Key. – open existing cryptographic key. + + - Create Key. – create new cryptographic key. + + - Delete Key. – delete existing cryptographic key. + + - Sign hash. – cryptographic signing operation. + + - Secret agreement. + + - Key Derivation. – key derivation operation. + + - Encrypt. – encryption operation. + + - Decrypt. – decryption operation. + +- **Return Code** \[Type = HexInt32\]: has “**0x0**” value for Success events. For failure events, provides a hexadecimal error code number. + +## Security Monitoring Recommendations + +For 5061(S, F): Cryptographic operation. + +- Typically this event is required for detailed monitoring of KSP-related actions with cryptographic keys. If you need to monitor actions related to specific cryptographic keys (**“Key Name”)** or a specific **“Operation”**, such as **“Delete Key”**, create monitoring rules and use this event as an information source. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + diff --git a/windows/keep-secure/event-5062.md b/windows/keep-secure/event-5062.md new file mode 100644 index 0000000000..4f1aa57c3f --- /dev/null +++ b/windows/keep-secure/event-5062.md 
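Review bot: "(open key, create key, create key, and so on)" repeats "create key"; since the Operation list later gives Open Key / Create Key / Delete Key, the example could read "open key, create key, delete key". The Algorithm Name list has the same "ECDH_P521 – ... 512-bit" error (should be 521-bit) and the same pasted "Read persisted key from file" UNKNOWN sentence, which is not one of 5061's operations. "Secret agreement." is the only Operation value without a description. The Event XML has lost its tags and the "illustration" lines are dangling alt text, as in 5058 and 5059. One structural point worth a sentence: this event sits in Audit System Integrity while 5058 and 5059 sit in Audit Other System Events, so a reader who enables only one subcategory to watch KSP key activity will miss half of it; say so in the description or the recommendation.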
@@ -0,0 +1,39 @@ +--- +title: 5062(S) A kernel-mode cryptographic self-test was performed. (Windows 10) +description: Describes security event 5062(S) A kernel-mode cryptographic self-test was performed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5062(S): A kernel-mode cryptographic self-test was performed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event occurs rarely, and in some situations may be difficult to reproduce. + +***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) + +***Event Schema:*** + +*A kernel-mode cryptographic self test was performed.* + +*Module:%1* + +*Return Code:%2* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- Typically this event is required for detailed monitoring of CNG-related actions with cryptographic keys. If you need to monitor or troubleshoot actions related to specific cryptographic keys and operations, review this event to see if it provides the information you need. + diff --git a/windows/keep-secure/event-5063.md b/windows/keep-secure/event-5063.md new file mode 100644 index 0000000000..9a0a83c802 --- /dev/null +++ b/windows/keep-secure/event-5063.md 
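Review bot: the recommendation is the generic CNG paragraph about "actions with cryptographic keys", but this event carries only "Module:%1" and "Return Code:%2" and has no Subject block at all, so there is nothing key- or user-specific to monitor; reword it around the self-test module and its return code. The body never says what triggers the event, only that it "occurs rarely, and in some situations may be difficult to reproduce"; add the one-line "This event generates in ..." sentence the sibling pages have, identifying it as the kernel-mode counterpart of 5056 as the title implies.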
@@ -0,0 +1,69 @@ +--- +title: 5063(S, F) A cryptographic provider operation was attempted. (Windows 10) +description: Describes security event 5063(S, F) A cryptographic provider operation was attempted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5063(S, F): A cryptographic provider operation was attempted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates in BCryptUnregisterProvider() and BCryptRegisterProvider() functions. These are Cryptographic Next Generation (CNG) functions. + +This event generates when cryptographic provider was registered or unregistered. + +For more information about Cryptographic Next Generation (CNG) visit these pages: + +- + +- + +- + +This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) + +***Event Schema:*** + +*A cryptographic provider operation was attempted.* + +*Subject:* + +> *Security ID:%1* +> +> *Account Name:%2* +> +> *Account Domain:%3* +> +> *Logon ID:%4* + +*Cryptographic Provider:* + +> *Name:%5* +> +> *Module:%6* +> +> *Operation:%7* + +*Return Code:%8* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need. + diff --git a/windows/keep-secure/event-5064.md b/windows/keep-secure/event-5064.md new file mode 100644 index 0000000000..e77dfa511d --- /dev/null +++ b/windows/keep-secure/event-5064.md 
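Review bot: BCryptUnregisterProvider() and BCryptRegisterProvider() are named but not linked, unlike BCryptCreateContext/BCryptDeleteContext on the 5064 page; add the MSDN links. The three CNG reference bullets are empty. The recommendation treats this as a troubleshooting event, but registering a provider changes which code performs cryptography for the whole machine, and the schema records "Name:%5", "Module:%6" and "Operation:%7"; suggest saying that provider registrations outside planned software installation are worth alerting on, with Module (the provider binary) as the field to inspect.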
@@ -0,0 +1,69 @@ +--- +title: 5064(S, F) A cryptographic context operation was attempted. (Windows 10) +description: Describes security event 5064(S, F) A cryptographic context operation was attempted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5064(S, F): A cryptographic context operation was attempted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates in [BCryptCreateContext](https://msdn.microsoft.com/en-us/library/windows/desktop/aa375381(v=vs.85).aspx)() and [BCryptDeleteContext](https://msdn.microsoft.com/en-us/library/windows/desktop/aa375392(v=vs.85).aspx)() functions. These are Cryptographic Next Generation (CNG) functions. + +This event generates when cryptographic context was created or deleted. + +For more information about Cryptographic Next Generation (CNG) visit these pages: + +- + +- + +- + +This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) + +***Event Schema:*** + +*A cryptographic context operation was attempted.* + +*Subject:* + +> *Security ID:%1* +> +> *Account Name:%2* +> +> *Account Domain:%3* +> +> *Logon ID:%4* + +*Configuration Parameters:* + +> *Scope:%5* +> +> *Context:%6* + +*Operation:%7* + +*Return Code:%8* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need. + 
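Review bot: the three bullets under "For more information about Cryptographic Next Generation (CNG) visit these pages:" are empty, as on the other CNG pages; restore the links or drop the heading. Unlike 5061, the "Operation:%7" field is given no list of possible values even though the description names exactly two cases (context created or deleted); list the rendered strings if the manifest defines them, so readers can filter on the field.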
diff --git a/windows/keep-secure/event-5065.md b/windows/keep-secure/event-5065.md new file mode 100644 index 0000000000..23b817ac6c --- /dev/null +++ b/windows/keep-secure/event-5065.md @@ -0,0 +1,73 @@ +--- +title: 5065(S, F) A cryptographic context modification was attempted. (Windows 10) +description: Describes security event 5065(S, F) A cryptographic context modification was attempted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5065(S, F): A cryptographic context modification was attempted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates in [BCryptConfigureContext](https://msdn.microsoft.com/es-es/vstudio/aa375379)() function. This is a Cryptographic Next Generation (CNG) function. + +This event generates when configuration information was changed for existing CNG context. + +For more information about Cryptographic Next Generation (CNG) visit these pages: + +- + +- + +- + +This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) + +***Event Schema:*** + +*A cryptographic context modification was attempted.* + +*Subject:* + +> *Security ID:%1* +> +> *Account Name:%2* +> +> *Account Domain:%3* +> +> *Logon ID:%4* + +*Configuration Parameters:* + +> *Scope:%5* +> +> *Context:%6* + +*Change Information:* + +> *Old Value:%7* +> +> *New Value:%8* + +*Return Code:%9* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need. + 
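Review bot: the BCryptConfigureContext link in the 5065 topic points at a Spanish-locale page (https://msdn.microsoft.com/es-es/vstudio/aa375379) while every other topic in this patch uses en-us library URLs of the form https://msdn.microsoft.com/en-us/library/windows/desktop/...; switch it to the en-us library URL for the same article so readers land on the English API reference. The "For more information" list below it has three empty bullets that also need URLs or removal.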
diff --git a/windows/keep-secure/event-5066.md b/windows/keep-secure/event-5066.md new file mode 100644 index 0000000000..ae0b53e526 --- /dev/null +++ b/windows/keep-secure/event-5066.md 
@@ -0,0 +1,75 @@ +--- +title: 5066(S, F) A cryptographic function operation was attempted. (Windows 10) +description: Describes security event 5066(S, F) A cryptographic function operation was attempted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5066(S, F): A cryptographic function operation was attempted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates in [BCryptAddContextFunction](https://msdn.microsoft.com/en-us/library/windows/desktop/aa375360(v=vs.85).aspx)() and [BCryptRemoveContextFunction](https://msdn.microsoft.com/en-us/library/windows/desktop/aa375492(v=vs.85).aspx)() functions. These are Cryptographic Next Generation (CNG) functions. + +This event generates when cryptographic function was added or removed from the list of functions that are supported by an existing CNG context. + +For more information about Cryptographic Next Generation (CNG) visit these pages: + +- + +- + +- + +This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) + +***Event Schema:*** + +*A cryptographic function operation was attempted.* + +*Subject:* + +> *Security ID:%1* +> +> *Account Name:%2* +> +> *Account Domain:%3* +> +> *Logon ID:%4* + +*Configuration Parameters:* + +> *Scope:%5* +> +> *Context:%6* +> +> *Interface:%7* +> +> *Function:%8* +> +> *Position:%9* + +*Operation:%10* + +*Return Code:%11* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- Typically this event is required for detailed monitoring of CNG-related cryptographic functions. 
If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need. + diff --git a/windows/keep-secure/event-5067.md b/windows/keep-secure/event-5067.md new file mode 100644 index 0000000000..64c0a626eb --- /dev/null +++ b/windows/keep-secure/event-5067.md 
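Review bot: the "For more information about Cryptographic Next Generation (CNG)" list in the 5066 topic consists of three empty bullets; add the links or drop the list. The schema is otherwise consistent with the BCryptAddContextFunction/BCryptRemoveContextFunction parameters (Interface, Function, Position), but "generates when cryptographic function was added or removed" should read "when a cryptographic function is added to or removed from".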
@@ -0,0 +1,77 @@ +--- +title: 5067(S, F) A cryptographic function modification was attempted. (Windows 10) +description: Describes security event 5067(S, F) A cryptographic function modification was attempted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5067(S, F): A cryptographic function modification was attempted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates in [BCryptConfigureContextFunction](https://msdn.microsoft.com/en-us/library/windows/desktop/aa375380(v=vs.85).aspx)() function. This is a Cryptographic Next Generation (CNG) function. + +This event generates when configuration information for the cryptographic function of an existing CNG context was changed. + +For more information about Cryptographic Next Generation (CNG) visit these pages: + +- + +- + +- + +This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) + +***Event Schema:*** + +*A cryptographic function modification was attempted.* + +*Subject:* + +> *Security ID:%1* +> +> *Account Name:%2* +> +> *Account Domain:%3* +> +> *Logon ID:%4* + +*Configuration Parameters:* + +> *Scope:%5* +> +> *Context:%6* +> +> *Interface:%7* +> +> *Function:%8* + +*Change Information:* + +> *Old Value:%9* +> +> *New Value:%10* + +*Return Code:%11* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need. + 
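Review bot: the 5067 topic carries the same three empty bullets under "For more information about Cryptographic Next Generation (CNG) visit these pages:"; supply the URLs or remove the list. Everything else in the hunk (BCryptConfigureContextFunction link, Configuration Parameters and Change Information blocks, Return Code) lines up with the sibling topics.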
diff --git a/windows/keep-secure/event-5068.md b/windows/keep-secure/event-5068.md new file mode 100644 index 0000000000..2200cc9eed --- /dev/null +++ b/windows/keep-secure/event-5068.md @@ -0,0 +1,75 @@ +--- +title: 5068(S, F) A cryptographic function provider operation was attempted. (Windows 10) +description: Describes security event 5068(S, F) A cryptographic function provider operation was attempted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5068(S, F): A cryptographic function provider operation was attempted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates in BCryptAddContextFunctionProvider() and BCryptRemoveContextFunctionProvider() functions. These are Cryptographic Next Generation (CNG) functions. + +For more information about Cryptographic Next Generation (CNG) visit these pages: + +- + +- + +- + +This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) + +***Event Schema:*** + +*A cryptographic function provider operation was attempted.* + +*Subject:* + +> *Security ID:%1* +> +> *Account Name:%2* +> +> *Account Domain:%3* +> +> *Logon ID:%4* + +*Configuration Parameters:* + +> *Scope:%5* +> +> *Context:%6* +> +> *Interface:%7* +> +> *Function:%8* +> +> *Provider:%9* +> +> *Position:%10* + +*Operation:%11* + +*Return Code:%12* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need. + 
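Review bot: the 5068 topic jumps from "These are Cryptographic Next Generation (CNG) functions." straight to the "For more information" list, so unlike the other topics in this patch it never says what triggers the event; add a sentence in the pattern of the siblings, e.g. "This event generates when a provider is added to or removed from the list of providers for a cryptographic function in an existing CNG context." BCryptAddContextFunctionProvider() and BCryptRemoveContextFunctionProvider() are also unlinked here while the neighbouring topics link their functions, and the "For more information" list again has three empty bullets.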
diff --git a/windows/keep-secure/event-5069.md b/windows/keep-secure/event-5069.md new file mode 100644 index 0000000000..b58724b2d2 --- /dev/null +++ b/windows/keep-secure/event-5069.md 
@@ -0,0 +1,77 @@ +--- +title: 5069(S, F) A cryptographic function property operation was attempted. (Windows 10) +description: Describes security event 5069(S, F) A cryptographic function property operation was attempted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5069(S, F): A cryptographic function property operation was attempted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates in [BCryptSetContextFunctionProperty](https://msdn.microsoft.com/en-us/library/windows/desktop/Aa375501(v=VS.85).aspx)() function. This is a Cryptographic Next Generation (CNG) function. + +This event generates when named property for a cryptographic function in an existing CNG context was added or removed. + +For more information about Cryptographic Next Generation (CNG) visit these pages: + +- + +- + +- + +This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) + +***Event Schema:*** + +*A cryptographic function property operation was attempted.* + +*Subject:* + +> *Security ID:%1* +> +> *Account Name:%2* +> +> *Account Domain:%3* +> +> *Logon ID:%4* + +*Configuration Parameters:* + +> *Scope:%5* +> +> *Context:%6* +> +> *Interface:%7* +> +> *Function:%8* +> +> Property:%9 + +Operation:%10 + +Value:%11 + +Return Code:%12 + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need. + 
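Review bot: in the 5069 event schema the last four lines ("> Property:%9", "Operation:%10", "Value:%11", "Return Code:%12") lost the italic markup that every other schema line in this patch uses (compare "*Return Code:%8*" in the 5063 to 5068 topics); wrap them in asterisks so the rendered schema is uniform. The "For more information" list has three empty bullets that need URLs or removal.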
diff --git a/windows/keep-secure/event-5070.md b/windows/keep-secure/event-5070.md new file mode 100644 index 0000000000..668edaba15 --- /dev/null +++ b/windows/keep-secure/event-5070.md 
@@ -0,0 +1,79 @@ +--- +title: 5070(S, F) A cryptographic function property modification was attempted. (Windows 10) +description: Describes security event 5070(S, F) A cryptographic function property modification was attempted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5070(S, F): A cryptographic function property modification was attempted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates in [BCryptSetContextFunctionProperty](https://msdn.microsoft.com/en-us/library/windows/desktop/Aa375501(v=VS.85).aspx)() function. This is a Cryptographic Next Generation (CNG) function. + +This event generates when named property for a cryptographic function in an existing CNG context was updated. + +For more information about Cryptographic Next Generation (CNG) visit these pages: + +- + +- + +- + +This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) + +***Event Schema:*** + +*A cryptographic function property modification was attempted.* + +*Subject:* + +> *Security ID:%1* +> +> *Account Name:%2* +> +> *Account Domain:%3* +> +> *Logon ID:%4* + +*Configuration Parameters:* + +> *Scope:%5* +> +> *Context:%6* +> +> *Interface:%7* +> +> *Function:%8* +> +> Property:%9 + +Change Information: + +> Old Value:%10 +> +> New Value:%11 + +Return Code:%12 + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need. + 
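Review bot: the 5070 schema drops the italic markup from "> Property:%9", "Change Information:", "> Old Value:%10", "> New Value:%11" and "Return Code:%12", whereas the 5067 topic formats the equivalent block as "*Change Information:*" / "> *Old Value:%9*" / "> *New Value:%10*"; match that formatting. The "For more information" list has three empty bullets. Both 5069 and 5070 cite BCryptSetContextFunctionProperty(), which is correct (add/remove versus update of a property), but the two descriptions would be clearer if each said explicitly which case it covers, e.g. 5069 for adding or removing the named property and 5070 for changing its value.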
diff --git a/windows/keep-secure/event-5136.md b/windows/keep-secure/event-5136.md new file mode 100644 index 0000000000..3350dca361 --- /dev/null +++ b/windows/keep-secure/event-5136.md @@ -0,0 +1,238 @@ +--- +title: 5136(S) A directory service object was modified. (Windows 10) +description: Describes security event 5136(S) A directory service object was modified. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5136(S): A directory service object was modified. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5136 illustration + +***Subcategory:*** [Audit Directory Service Changes](audit-directory-service-changes.md) + +***Event Description:*** + +This event generates every time an Active Directory object is modified. + +To generate this event, the modified object must have an appropriate entry in [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Write”** action auditing for specific attributes. + +For a change operation you will typically see two 5136 events for one action, with different **Operation\\Type** fields: “Value Deleted” and then “Value Added”. “Value Deleted” event typically contains previous value and “Value Added” event contains new value. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5136 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + 410204 + + + Security + DC01.contoso.local + + +- + {02647639-8626-43CE-AFE6-7AA1AD657739} + - + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x32004 + contoso.local + %%14676 + CN=Sergey,CN=Builtin,DC=contoso,DC=local + {4FE80A66-5F93-4F73-B215-68678058E613} + user + userAccountControl + 2.5.5.9 + 512 + %%14675 + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify object” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Directory Service:** + +- **Name** \[Type = UnicodeString\]: the name of the Active Directory domain where the modified object is located. + +- **Type** \[Type = UnicodeString\]**:** has “**Active Directory Domain Services**” value for this event. + +**Object:** + +- **DN** \[Type = UnicodeString\]: distinguished name of the object that was modified. + +> **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. + +> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: + +> • DC - domainComponent + +> • CN - commonName + +> • OU - organizationalUnitName + +> • O - organizationName + +- **GUID** \[Type = GUID\]**:** each Active Directory object has globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory. Each object's GUID is stored in its Object-GUID (**objectGUID**) property. + + Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's properties that is published in the global catalog. 
Searching the global catalog for a User object's GUID will yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by Object-GUID might be the most reliable way of finding the object you want to find. The values of other object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it keeps that value for life. + + Event Viewer automatically resolves **GUID** field to real object. + + To translate this GUID, use the following procedure: + + - Perform the following LDAP search using LDP.exe tool: + + - Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX + + - Filter: (&(objectClass=\*)(objectGUID=GUID)) + + - Perform the following operations with the GUID before using it in a search request: + + - We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672 + + - Take first 3 sections a6b34ab5-551b-4626. + + - For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 + + - Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 + + - Delete - : b54ab3a61b552646b8ee2b36b3ee6672 + + - Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72 + + - Filter example: (&(objectClass=\*)(objectGUID = \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72)) + + - Scope: Subtree + + - Attributes: objectGUID + + + +- **Class** \[Type = UnicodeString\]: class of the object that was modified. Some of the common Active Directory object classes: + + - container – for containers. + + - user – for users. + + - group – for groups. + + - domainDNS – for domain object. + + - groupPolicyContainer – for group policy objects. + + For all possible values of this field open Active Directory Schema snap-in (see how to enable this snap-in: ) and navigate to **Active Directory Schema\\Classes**. 
Or use this document: + +**Attribute:** + +- **LDAP Display Name** \[Type = UnicodeString\]**:** the object attribute that was modified. + +> **Note**  [LDAP Display Name](https://msdn.microsoft.com/en-us/library/ms676828(v=vs.85).aspx) is the name used by LDAP clients, such as the ADSI LDAP provider, to read and write the attribute by using the LDAP protocol. + +- **Syntax (OID)** \[Type = UnicodeString\]**:** The syntax for an attribute defines the storage representation, byte ordering, and matching rules for comparisons of property types. Whether the attribute value must be a string, a number, or a unit of time is also defined. Every attribute of every object is associated with exactly one syntax. The syntaxes are not represented as objects in the schema, but they are programmed to be understood by Active Directory. The allowable syntaxes in Active Directory are predefined. + +| OID | Syntax Name | Description | +|----------|--------------------------------------------|----------------------------------------------------------| +| 2.5.5.0 | Undefined | Not a legal syntax. | +| 2.5.5.1 | Object(DN-DN) | The fully qualified name of an object in the directory. | +| 2.5.5.2 | String(Object-Identifier) | The object identifier. | +| 2.5.5.3 | Case-Sensitive String | General String. | +| 2.5.5.4 | CaseIgnoreString(Teletex) | Differentiates uppercase and lowercase. | +| 2.5.5.5 | String(Printable), String(IA5) | Teletex. Does not differentiate uppercase and lowercase. | +| 2.5.5.6 | String(Numeric) | Printable string or IA5-String. | +| 2.5.5.7 | Object(DN-Binary) | Both character sets are case-sensitive. | +| 2.5.5.8 | Boolean | A sequence of digits. | +| 2.5.5.9 | Integer, Enumeration | A distinguished name plus a binary large object. | +| 2.5.5.10 | String(Octet) | TRUE or FALSE values. | +| 2.5.5.11 | String(UTC-Time), String(Generalized-Time) | A 32-bit number or enumeration. | +| 2.5.5.12 | String(Unicode) | A string of bytes. 
| +| 2.5.5.13 | Object(Presentation-Address) | UTC Time or Generalized-Time. | +| 2.5.5.14 | Object(DN-String) | Unicode string. | +| 2.5.5.15 | String(NT-Sec-Desc) | Presentation address. | +| 2.5.5.16 | LargeInteger | A DN-String plus a Unicode string. | +| 2.5.5.17 | String(Sid) | A Microsoft® Windows NT® Security descriptor. | + +> Table 10. LDAP Attribute Syntax OIDs. + +- **Value** \[Type = UnicodeString\]: the value which was added or deleted, depending on the **Operation\\Type** field. + +**Operation:** + +- **Type** \[Type = UnicodeString\]**:** type of performed operation. + + - **Value Added** – new value added. + + - **Value Deleted** – value deleted (typically “Value Deleted” is a part of change operation). + + + +- **Correlation ID** \[Type = GUID\]: multiple modifications are often executed as one operation via LDAP. This value allows you to correlate all the modification events that comprise the operation. Just look for other events from current subcategory with the same **Correlation ID**, for example “[5137](event-5137.md): A directory service object was created.” and “[5139](event-5139.md): A directory service object was moved.” + +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +- **Application Correlation ID** \[Type = UnicodeString\]: always has “**-**“ value. Not in use. + +## Security Monitoring Recommendations + +For 5136(S): A directory service object was modified. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you need to monitor modifications to specific Active Directory objects, monitor for **DN** field with specific object name. For example, we recommend that you monitor all modifications to “**CN=AdminSDHolder,CN=System,DC=domain,DC=com”** object. 
+ +- If you need to monitor modifications to specific Active Directory classes, monitor for **Class** field with specific class name. For example, we recommend that you monitor all modifications to **domainDNS** class. + +- If you need to monitor modifications to specific Active Directory attributes, monitor for **LDAP Display Name** field with specific attribute name. + +- It is better to monitor **Operation\\Type = Value Added** events, because you will see the new value of attribute. At the same time you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value. + diff --git a/windows/keep-secure/event-5137.md b/windows/keep-secure/event-5137.md new file mode 100644 index 0000000000..892245d530 --- /dev/null +++ b/windows/keep-secure/event-5137.md @@ -0,0 +1,185 @@ +--- +title: 5137(S) A directory service object was created. (Windows 10) +description: Describes security event 5137(S) A directory service object was created. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5137(S): A directory service object was created. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5137 illustration + +***Subcategory:*** [Audit Directory Service Changes](audit-directory-service-changes.md) + +***Event Description:*** + +This event generates every time an Active Directory object is created. + +This event only generates if the parent object has a particular entry in its [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create Computer objects**” action auditing for the organizational unit. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5137 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + 410737 + + + Security + DC01.contoso.local + + +- + {4EAD68FF-7229-42A4-8C73-AAB57169858B} + - + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x32004 + contoso.local + %%14676 + cn=Win2000,CN=Users,DC=contoso,DC=local + {41D5F7AF-64A2-4985-9A4B-70DAAFC7CCE6} + computer + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “create object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create object” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Directory Service:** + +- **Name** \[Type = UnicodeString\]: the name of an Active Directory domain, where new object is created. + +- **Type** \[Type = UnicodeString\]**:** has “**Active Directory Domain Services**” value for this event. + +**Object:** + +- **DN** \[Type = UnicodeString\]: distinguished name of the object that was created. + +> **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. + +> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: + +> • DC - domainComponent + +> • CN - commonName + +> • OU - organizationalUnitName + +> • O - organizationName + +- **GUID** \[Type = GUID\]**:** each Active Directory object has globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory. Each object's GUID is stored in its Object-GUID (**objectGUID**) property. + + Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's properties that is published in the global catalog. 
Searching the global catalog for a User object's GUID will yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by Object-GUID might be the most reliable way of finding the object you want to find. The values of other object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it keeps that value for life. + + Event Viewer automatically resolves **GUID** field to real object. + + To translate this GUID, use the following procedure: + + - Perform the following LDAP search using LDP.exe tool: + + - Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX + + - Filter: (&(objectClass=\*)(objectGUID=GUID)) + + - Perform the following operations with the GUID before using it in a search request: + + - We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672 + + - Take first 3 sections a6b34ab5-551b-4626. + + - For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 + + - Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 + + - Delete - : b54ab3a61b552646b8ee2b36b3ee6672 + + - Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72 + + - Filter example: (&(objectClass=\*)(objectGUID = \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72)) + + - Scope: Subtree + + - Attributes: objectGUID + +- **Class** \[Type = UnicodeString\]: class of the object that was created. Some of the common Active Directory object classes: + + - container – for containers. + + - user – for users. + + - group – for groups. + + - domainDNS – for domain object. + + - groupPolicyContainer – for group policy objects. + + For all possible values of this field open Active Directory Schema snap-in (see how to enable this snap-in: and navigate to **Active Directory Schema\\Classes**. 
Or use this document: + +**Operation:** + +- **Correlation ID** \[Type = GUID\]: multiple modifications are often executed as one operation via LDAP. This value allows you to correlate all the modification events that comprise the operation. Just look for other events from current subcategory with the same **Correlation ID**, for example “[5136](event-5136.md): A directory service object was modified.” and “[5139](event-5139.md): A directory service object was moved.” + +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +- **Application Correlation ID** \[Type = UnicodeString\]: always has “**-**“ value. Not in use. + +## Security Monitoring Recommendations + +For 5137(S): A directory service object was created. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you need to monitor creation of Active Directory objects with specific classes, monitor for **Class** field with specific class name. For example, we recommend that you monitor all new group policy objects creations: **groupPolicyContainer** class. + +- You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5137](event-5137.md). There is no reason to audit all creation events for all types of Active Directory objects; find the most important locations (organizational units, folders, etc.) and monitor for creation of specific classes only (user, computer, group, etc.). + diff --git a/windows/keep-secure/event-5138.md b/windows/keep-secure/event-5138.md new file mode 100644 index 0000000000..84e80ff027 --- /dev/null +++ b/windows/keep-secure/event-5138.md 
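Review bot: the LDAP attribute syntax table in the 5136 topic has its Description column shifted down by one row from 2.5.5.3 onward, so the descriptions no longer match the syntaxes: Boolean (2.5.5.8) is described as "A sequence of digits", Integer (2.5.5.9) as "A distinguished name plus a binary large object", LargeInteger (2.5.5.16) as "A DN-String plus a Unicode string" and String(Sid) (2.5.5.17) as "A Microsoft Windows NT Security descriptor". Each description belongs to the row above it; after re-aligning, the last two rows still need their own descriptions (a 64-bit integer for LargeInteger, a security identifier for String(Sid)), which have fallen off the end. In the same hunk, "(see how to enable this snap-in: )" and "Or use this document:" have no link after the colon, and the caption "Table 10." numbers a table that is the only one in the topic.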
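Review bot: in the 5137 topic the Class field paragraph reads "(see how to enable this snap-in: and navigate to **Active Directory Schema\\Classes**." with the link missing and the parenthesis never closed (the 5136 copy of the same sentence at least closes it); add the link and the closing parenthesis. "Or use this document:" on the next line is likewise missing its link. The GUID translation procedure and the objectGUID byte-order example are duplicated verbatim from the 5136 topic, so any fix applied there should be mirrored here.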
@@ -0,0 +1,188 @@ +--- +title: 5138(S) A directory service object was undeleted. (Windows 10) +description: Describes security event 5138(S) A directory service object was undeleted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5138(S): A directory service object was undeleted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5138 illustration + +***Subcategory:*** [Audit Directory Service Changes](audit-directory-service-changes.md) + +***Event Description:*** + +This event generates every time an Active Directory object is undeleted. It happens, for example, when an Active Directory object was restored from the [Active Directory Recycle Bin](https://technet.microsoft.com/en-us/library/dd392261(v=ws.10).aspx). + +This event only generates if the container to which the Active Directory object was restored has a particular entry in its [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create User objects**” action. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5138 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + 229336 + + + Security + DC01.contoso.local + + +- + {3E2B5ECF-4C35-4C3F-8D82-B8D6F477D846} + - + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x3be49 + contoso.local + %%14676 + CN=Andrei\\0ADEL:53511188-bc98-4995-9d78-2d40143c9711,CN=Deleted Objects,DC=contoso,DC=local + CN=Andrei,CN=Users,DC=contoso,DC=local + {53511188-BC98-4995-9D78-2D40143C9711} + user + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested that the object be undeleted or restored. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** name of account that requested that the object be undeleted or restored. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Directory Service:** + +- **Name** \[Type = UnicodeString\]: the name of an Active Directory domain, where the object was undeleted. + +- **Type** \[Type = UnicodeString\]**:** has “**Active Directory Domain Services**” value for this event. + +**Object:** + +- **Old DN** \[Type = UnicodeString\]: Old distinguished name of undeleted object. It will points to [Active Directory Recycle Bin](https://technet.microsoft.com/en-us/library/dd392261(v=ws.10).aspx) folder, in case if it was restored from it. + +> **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. + +> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: + +> • DC - domainComponent + +> • CN - commonName + +> • OU - organizationalUnitName + +> • O - organizationName + +- **New DN** \[Type = UnicodeString\]: New distinguished name of undeleted object. The Active Directory container to which the object was restored. + +- **GUID** \[Type = GUID\]**:** each Active Directory object has globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. 
GUIDs are assigned to every object created by Active Directory. Each object's GUID is stored in its Object-GUID (**objectGUID**) property. + + Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's properties that is published in the global catalog. Searching the global catalog for a User object's GUID will yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by Object-GUID might be the most reliable way of finding the object you want to find. The values of other object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it keeps that value for life. + + Event Viewer automatically resolves **GUID** field to real object. + + To translate this GUID, use the following procedure: + + - Perform the following LDAP search using LDP.exe tool: + + - Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX + + - Filter: (&(objectClass=\*)(objectGUID=GUID)) + + - Perform the following operations with the GUID before using it in a search request: + + - We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672 + + - Take first 3 sections a6b34ab5-551b-4626. + + - For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 + + - Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 + + - Delete - : b54ab3a61b552646b8ee2b36b3ee6672 + + - Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72 + + - Filter example: (&(objectClass=\*)(objectGUID = \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72)) + + - Scope: Subtree + + - Attributes: objectGUID + +- **Class** \[Type = UnicodeString\]: class of the object that was undeleted. Some of the common Active Directory object classes: + + - container – for containers. + + - user – for users. + + - group – for groups. + + - domainDNS – for domain object. 
+ + - groupPolicyContainer – for group policy objects. + + For all possible values of this field open Active Directory Schema snap-in (see how to enable this snap-in: and navigate to **Active Directory Schema\\Classes**. Or use this document: + +**Operation:** + +- **Correlation ID** \[Type = GUID\]: multiple modifications are often executed as one operation via LDAP. This value allows you to correlate all the modification events that comprise the operation. Just look for other events from current subcategory with the same **Correlation ID**, for example “[5137](event-5137.md): A directory service object was created.” and “[5139](event-5139.md): A directory service object was moved.” + +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +- **Application Correlation ID** \[Type = UnicodeString\]: always has “**-**“ value. Not in use. + +## Security Monitoring Recommendations + +For 5138(S): A directory service object was undeleted. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you need to monitor undelete operations (restoration) of Active Directory objects with specific classes, monitor for **Class** field with specific class name. + +- It may be a good idea to monitor all undelete events, because the operation is not performed very often. Confirm that there is a reason for the object to be undeleted. + diff --git a/windows/keep-secure/event-5139.md b/windows/keep-secure/event-5139.md new file mode 100644 index 0000000000..7399a33b15 --- /dev/null +++ b/windows/keep-secure/event-5139.md 
@@ -0,0 +1,188 @@ +--- +title: 5139(S) A directory service object was moved. (Windows 10) +description: Describes security event 5139(S) A directory service object was moved. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5139(S): A directory service object was moved. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5139 illustration + +***Subcategory:*** [Audit Directory Service Changes](audit-directory-service-changes.md) + +***Event Description:*** + +This event generates every time an Active Directory object is moved. + +This event only generates if the destination object has a particular entry in its [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create Computer objects**” action, auditing for the organizational unit. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5139 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + 409532 + + + Security + DC01.contoso.local + + +- + {67A42C05-A70D-4348-AF19-E883CB1FCA9C} + - + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x35867 + contoso.local + %%14676 + CN=NewUser,CN=Builtin,DC=contoso,DC=local + CN=NewUser,CN=Users,DC=contoso,DC=local + {06713960-9CC3-4B5D-A594-35883A04F934} + user + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “move object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “move object” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Directory Service:** + +- **Name** \[Type = UnicodeString\]: the name of an Active Directory domain, where the object was moved. + +- **Type** \[Type = UnicodeString\]**:** has “**Active Directory Domain Services**” value for this event. + +**Object:** + +- **Old DN** \[Type = UnicodeString\]: Old distinguished name of moved object. + +> **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. + +> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: + +> • DC - domainComponent + +> • CN - commonName + +> • OU - organizationalUnitName + +> • O - organizationName + +- **New DN** \[Type = UnicodeString\]: New distinguished name of moved object. The Active Directory container to which the object was moved. + +- **GUID** \[Type = GUID\]**:** each Active Directory object has globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory. Each object's GUID is stored in its Object-GUID (**objectGUID**) property. 
+ + Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's properties that is published in the global catalog. Searching the global catalog for a User object's GUID will yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by Object-GUID might be the most reliable way of finding the object you want to find. The values of other object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it keeps that value for life. + + Event Viewer automatically resolves **GUID** field to real object. + + To translate this GUID, use the following procedure: + + - Perform the following LDAP search using LDP.exe tool: + + - Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX + + - Filter: (&(objectClass=\*)(objectGUID=GUID)) + + - Perform the following operations with the GUID before using it in a search request: + + - We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672 + + - Take first 3 sections a6b34ab5-551b-4626. + + - For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 + + - Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 + + - Delete - : b54ab3a61b552646b8ee2b36b3ee6672 + + - Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72 + + - Filter example: (&(objectClass=\*)(objectGUID = \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72)) + + - Scope: Subtree + + - Attributes: objectGUID + +- **Class** \[Type = UnicodeString\]: class of the object that was moved. Some of the common Active Directory object classes: + + - container – for containers. + + - user – for users. + + - group – for groups. + + - domainDNS – for domain object. + + - groupPolicyContainer – for group policy objects. 
+ + For all possible values of this field open Active Directory Schema snap-in (see how to enable this snap-in: and navigate to **Active Directory Schema\\Classes**. Or use this document: + +**Operation:** + +- **Correlation ID** \[Type = GUID\]: multiple modifications are often executed as one operation via LDAP. This value allows you to correlate all the modification events that comprise the operation. Just look for other events from current subcategory with the same **Correlation ID**, for example “[5137](event-5137.md): A directory service object was created.” and “[5141](event-5141.md): A directory service object was deleted.” + +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +- **Application Correlation ID** \[Type = UnicodeString\]: always has “**-**“ value. Not in use. + +## Security Monitoring Recommendations + +For 5139(S): A directory service object was moved. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you need to monitor movement of Active Directory objects with specific classes, monitor for **Class** field with specific class name. + +- You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5139](event-5139.md). There is no reason to audit all movement events for all types of Active Directory objects, you need to find the most important locations (organizational units, folders, etc.) and monitor for movement of specific classes only to these locations (user, computer, group, etc.). + diff --git a/windows/keep-secure/event-5140.md b/windows/keep-secure/event-5140.md new file mode 100644 index 0000000000..be40b7a2d5 --- /dev/null +++ b/windows/keep-secure/event-5140.md 
@@ -0,0 +1,153 @@ +--- +title: 5140(S, F) A network share object was accessed. (Windows 10) +description: Describes security event 5140(S, F) A network share object was accessed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5140(S, F): A network share object was accessed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5140 illustration + +***Subcategory:*** [Audit File Share](audit-file-share.md) + +***Event Description:*** + +This event generates every time network share object was accessed. + +This event generates once per session, when first access attempt was made. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5140 + 1 + 0 + 12808 + 0 + 0x8020000000000000 + + 268495 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x541f35 + File + 10.0.0.100 + 49212 + \\\\\*\\Documents + \\??\\C:\\Documents + 0x1 + %%4416 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** + +- 0 - Windows Server 2008, Windows Vista. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested access to network share object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested access to network share object. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Network Information:** + +- **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation. Always “**File**” for this event. + + The following table contains the list of the most common **Object Types**: + +| Directory | Event | Timer | Device | +|-------------------------|--------------|----------------------|--------------| +| Mutant | Type | File | Token | +| Thread | Section | WindowStation | DebugObject | +| FilterCommunicationPort | EventPair | Driver | IoCompletion | +| Controller | SymbolicLink | WmiGuid | Process | +| Profile | Desktop | KeyedEvent | Adapter | +| Key | WaitablePort | Callback | Semaphore | +| Job | Port | FilterConnectionPort | ALPC Port | + +- **Source Address** \[Type = UnicodeString\]**:** source IP address from which access was performed. + + - IPv6 address or ::ffff:IPv4 address of a client. + + - ::1 or 127.0.0.1 means localhost. + +- **Source Port** \[Type = UnicodeString\]: source TCP or UDP port which was used from remote or local machine to request the access. + + - 0 for local access attempts. + +**Share Information:** + +- **Share Name** \[Type = UnicodeString\]**:** the name of accessed network share. The format is: \\\\\*\\SHARE\_NAME. 
+ +- **Share Path** \[Type = UnicodeString\]**:** the full system (NTFS) path for accessed share. The format is: \\\\??\\PATH. Can be empty, for example for **Share Name**: \\\\\*\\IPC$. + +**Access Request Information:** + +- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See “Table 13. File access codes.” for different hexadecimal values for access rights. Has always “**0x1**” value for this event. + +- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. Has always “**ReadData (or ListDirectory)**” value for this event. + +## Security Monitoring Recommendations + +For 5140(S, F): A network share object was accessed. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have high-value computers for which you need to monitor all access to all shares or specific shares (“**Share Name**”), monitor this event**.** For example, you could monitor share **C$** on domain controllers. + +- Monitor this event if the **Network Information\\Source Address** is not from your internal IP range. + +- Monitor this event if the **Network Information\\Source Address** should not be able to connect with the specific computer (**Computer:**). + +- If you need to monitor access attempts to local shares from a specific IP address (“**Network Information\\Source Address”)**, use this event. + +- If you need to monitor for specific Access Types (for example, ReadData or WriteData), for all or specific shares (“**Share Name**”), monitor this event for the “**Access Type**.” + diff --git a/windows/keep-secure/event-5141.md b/windows/keep-secure/event-5141.md new file mode 100644 index 0000000000..238b70281d --- /dev/null +++ b/windows/keep-secure/event-5141.md 
@@ -0,0 +1,196 @@ +--- +title: 5141(S) A directory service object was deleted. (Windows 10) +description: Describes security event 5141(S) A directory service object was deleted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5141(S): A directory service object was deleted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5141 illustration + +***Subcategory:*** [Audit Directory Service Changes](audit-directory-service-changes.md) + +***Event Description:*** + +This event generates every time an Active Directory object is deleted. + +This event only generates if the deleted object has a particular entry in its [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Delete”** action, auditing for specific objects. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5141 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + 411118 + + + Security + DC01.contoso.local + + +- + {C8A9000C-C618-4EE9-87FF-F852C0564F18} + - + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x32004 + contoso.local + %%14676 + CN=WIN2003,CN=Users,DC=contoso,DC=local + {CA15B875-AFB1-4E5A-86B2-96E61DE09110} + computer + %%14679 + + + +``` + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete object” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Directory Service:** + +- **Name** \[Type = UnicodeString\]: the name of an Active Directory domain, where the object was deleted. + +- **Type** \[Type = UnicodeString\]**:** has “**Active Directory Domain Services**” value for this event. + +**Object:** + +- **DN** \[Type = UnicodeString\]: distinguished name of the object that was deleted. + +> **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. + +> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: + +> • DC - domainComponent + +> • CN - commonName + +> • OU - organizationalUnitName + +> • O - organizationName + +- **GUID** \[Type = GUID\]**:** each Active Directory object has globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory. Each object's GUID is stored in its Object-GUID (**objectGUID**) property. + + Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's properties that is published in the global catalog. 
Searching the global catalog for a User object's GUID will yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by Object-GUID might be the most reliable way of finding the object you want to find. The values of other object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it keeps that value for life. + + Event Viewer automatically resolves **GUID** field to real object. For deleted objects **GUID** will be resolved to new destination of object, for example: OU=My\\0ADEL:cc94c0d7-dd53-4061-9791-e53478dbbc3b,CN=Deleted Objects,DC=contoso,DC=local. + + To translate this GUID, use the following procedure: + + - Perform the following LDAP search using LDP.exe tool: + + - Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX + + - Filter: (&(objectClass=\*)(objectGUID=GUID)) + + - Perform the following operations with the GUID before using it in a search request: + + - We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672 + + - Take first 3 sections a6b34ab5-551b-4626. + + - For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 + + - Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 + + - Delete - : b54ab3a61b552646b8ee2b36b3ee6672 + + - Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72 + + - Filter example: (&(objectClass=\*)(objectGUID = \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72)) + + - Scope: Subtree + + - Attributes: objectGUID + + + +- **Class** \[Type = UnicodeString\]: class of the object that was deleted. Some of the common Active Directory object classes: + + - container – for containers. + + - user – for users. + + - group – for groups. + + - domainDNS – for domain object. + + - groupPolicyContainer – for group policy objects. 
+ + For all possible values of this field open Active Directory Schema snap-in (see how to enable this snap-in: and navigate to **Active Directory Schema\\Classes**. Or use this document: + +**Operation:** + +- **Tree Delete** \[Type = UnicodeString\]**:** + + - **Yes** – “Delete Subtree” operation was performed. It happens, for example, if “Use Delete Subtree server control” check box was checked during delete operation using Active Directory Users and Computers management console. + + - **No** – delete operation was performed without “Delete Subtree” server control. + +Subtree Deletion illustration + +- **Correlation ID** \[Type = GUID\]: multiple modifications are often executed as one operation via LDAP. This value allows you to correlate all the modification events that comprise the operation. Just look for other events from current subcategory with the same **Correlation ID**, for example “[5137](event-5137.md): A directory service object was created.” and “[5139](event-5139.md): A directory service object was moved.” + +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +- **Application Correlation ID** \[Type = UnicodeString\]: always has “**-**“ value. Not in use. + +## Security Monitoring Recommendations + +For 5141(S): A directory service object was deleted. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you need to monitor deletion of Active Directory objects with specific classes, monitor for **Class** field with specific class name. For example, we recommend that you monitor for group policy objects deletions: **groupPolicyContainer** class. + +- If you need to monitor deletion of specific Active Directory objects, monitor for **DN** field with specific object name. 
For example, if you have critical Active Directory objects which should not be deleted, monitor for their deletion. + diff --git a/windows/keep-secure/event-5142.md b/windows/keep-secure/event-5142.md new file mode 100644 index 0000000000..418a6387f7 --- /dev/null +++ b/windows/keep-secure/event-5142.md @@ -0,0 +1,106 @@ +--- +title: 5142(S) A network share object was added. (Windows 10) +description: Describes security event 5142(S) A network share object was added. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5142(S): A network share object was added. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5142 illustration + +***Subcategory:*** [Audit File Share](audit-file-share.md) + +***Event Description:*** + +This event generates every time network share object was added. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5142 + 0 + 0 + 12808 + 0 + 0x8020000000000000 + + 268462 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x38d12 + \\\\\*\\Documents + C:\\Documents + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008 R2, Windows 7. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “add network share object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “add network share object” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Share Information:** + +- **Share Name** \[Type = UnicodeString\]**:** the name of the added share object. The format is: \\\\\*\\SHARE\_NAME. + +- **Share Path** \[Type = UnicodeString\]**:** the full system (NTFS) path for the added share object. The format is: \\\\??\\PATH. + +## Security Monitoring Recommendations + +For 5142(S): A network share object was added. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have high-value computers for which you need to monitor creation of new file shares, monitor this event**.** For example, you could monitor domain controllers. + +- We recommend checking “**Share Path**”, because it should not point to system directories, such as **C:\\Windows** or **C:\\**, or to critical local folders which contain private or high value information. + diff --git a/windows/keep-secure/event-5143.md b/windows/keep-secure/event-5143.md new file mode 100644 index 0000000000..30c4977b0c --- /dev/null +++ b/windows/keep-secure/event-5143.md 
@@ -0,0 +1,259 @@ +--- +title: 5143(S) A network share object was modified. (Windows 10) +description: Describes security event 5143(S) A network share object was modified. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5143(S): A network share object was modified. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5143 illustration + +***Subcategory:*** [Audit File Share](audit-file-share.md) + +***Event Description:*** + +This event generates every time network share object was modified. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5143 + 0 + 0 + 12808 + 0 + 0x8020000000000000 + + 268483 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x38d12 + Directory + \\\\\*\\Documents + C:\\Documents + N/A + N/A + 0xffffffff + 0xffffffff + 0x800 + 0x800 + O:S-1-5-21-3457937927-2839227994-823803824-1104G:DAD:(A;OICI;FA;;;BA)(A;OICI;FA;;;WD) + O:BAG:DAD:(D;;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICI;FA;;;WD)(A;OICI;FA;;;BA) + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008 R2, Windows 7. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify network share object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify network share object” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Share Information:** + +- **Object Type** \[Type = UnicodeString\]: The type of an object that was modified. Always “**Directory**” for this event. + + The following table contains the list of the most common **Object Types**: + +| Directory | Event | Timer | Device | +|-------------------------|--------------|----------------------|--------------| +| Mutant | Type | File | Token | +| Thread | Section | WindowStation | DebugObject | +| FilterCommunicationPort | EventPair | Driver | IoCompletion | +| Controller | SymbolicLink | WmiGuid | Process | +| Profile | Desktop | KeyedEvent | Adapter | +| Key | WaitablePort | Callback | Semaphore | +| Job | Port | FilterConnectionPort | ALPC Port | + +- **Share Name** \[Type = UnicodeString\]**:** the name of the modified share object. The format is: \\\\\*\\SHARE\_NAME + +- **Share Path** \[Type = UnicodeString\]**:** the full system (NTFS) path for the added share object. The format is: \\\\??\\PATH. Can be empty, for example for **Share Name**: \\\\\*\\IPC$. + +Advanced Sharing illustration + +- **Old Remark** \[Type = UnicodeString\]: the old value of network share “**Comments:**” field. Has “**N/A**” value if it is not set. 
+ +- **New Remark** \[Type = UnicodeString\]: the new value of network share “**Comments:**” field. Has “**N/A**” value if it is not set. + +- **Old MaxUsers** \[Type = HexInt32\]: old hexadecimal value of “**Limit the number of simultaneous user to:**” field. Has “**0xFFFFFFFF**” value if the number of connections is unlimited. + +- **New Maxusers** \[Type = HexInt32\]**:** new hexadecimal value of “**Limit the number of simultaneous user to:**” field. Has “**0xFFFFFFFF**” value if the number of connections is unlimited. + +- **Old ShareFlags** \[Type = HexInt32\]: old hexadecimal value of “**Offline Settings**” caching settings window flags. + +Offline Settings illustration + +- **New ShareFlags** \[Type = HexInt32\]: new hexadecimal value of “**Offline Settings**” caching settings window flags. + +- **Old SD** \[Type = UnicodeString\]**:** the old Security Descriptor Definition Language (SDDL) value for network share security descriptor. + +- **New SD** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for network share security descriptor. + +> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. + +> Example: + +> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) + +> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. 
+> See the list of possible values in the table below: + +| Value | Description | Value | Description | +|-------|--------------------------------------|-------|---------------------------------| +| "AO" | Account operators | "PA" | Group Policy administrators | +| "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user | +| "AN" | Anonymous logon | "LA" | Local administrator | +| "AU" | Authenticated users | "LG" | Local guest | +| "BA" | Built-in administrators | "LS" | Local service account | +| "BG" | Built-in guests | "SY" | Local system | +| "BO" | Backup operators | "NU" | Network logon user | +| "BU" | Built-in users | "NO" | Network configuration operators | +| "CA" | Certificate server administrators | "NS" | Network service account | +| "CG" | Creator group | "PO" | Printer operators | +| "CO" | Creator owner | "PS" | Personal self | +| "DA" | Domain administrators | "PU" | Power users | +| "DC" | Domain computers | "RS" | RAS servers group | +| "DD" | Domain controllers | "RD" | Terminal server users | +| "DG" | Domain guests | "RE" | Replicator | +| "DU" | Domain users | "RC" | Restricted code | +| "EA" | Enterprise administrators | "SA" | Schema administrators | +| "ED" | Enterprise domain controllers | "SO" | Server operators | +| "WD" | Everyone | "SU" | Service logon user | + +- *G*: = Primary Group. +- *D*: = DACL Entries. +- *S*: = SACL Entries. + +*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid) + +Example: D:(A;;FA;;;WD) + +- entry\_type: + +“D” - DACL + +“S” - SACL + +- inheritance\_flags: + +"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked. + +"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set. + +"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object. 
+ +- ace\_type: + +"A" - ACCESS ALLOWED + +"D" - ACCESS DENIED + +"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s). + +"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s). + +"AU" - SYSTEM AUDIT + +"A" - SYSTEM ALARM + +"OU" - OBJECT SYSTEM AUDIT + +"OL" - OBJECT SYSTEM ALARM + +- ace\_flags: + +"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE. + +"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE. + +"NP" - NO PROPAGATE: only immediate children inherit this ace. + +"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance. + +"ID" - ACE IS INHERITED + +"SA" - SUCCESSFUL ACCESS AUDIT + +"FA" - FAILED ACCESS AUDIT +- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. + +| Value | Description | Value | Description | +|----------------------------|---------------------------------|----------------------|--------------------------| +| Generic access rights | Directory service access rights | +| "GA" | GENERIC ALL | "RC" | Read Permissions | +| "GR" | GENERIC READ | "SD" | Delete | +| "GW" | GENERIC WRITE | "WD" | Modify Permissions | +| "GX" | GENERIC EXECUTE | "WO" | Modify Owner | +| File access rights | "RP" | Read All Properties | +| "FA" | FILE ALL ACCESS | "WP" | Write All Properties | +| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects | +| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects | +| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents | +| Registry key access rights | "SW" | All Validated Writes | +| "KA" | "LO" | "LO" | List Object | +| "K" | KEY READ | "DT" | Delete Subtree | +| "KW" | KEY WRITE | "CR" | All Extended Rights | +| "KX" | KEY EXECUTE | | | + +- object\_guid: N/A +- inherit\_object\_guid: N/A +- account\_sid: SID of specific 
security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. + +For more information about SDDL syntax, see these articles: , . + +## Security Monitoring Recommendations + +For 5143(S): A network share object was modified. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have high-value computers for which you need to monitor all modifications to all shares or specific shares (“**Share Name**”), monitor this event**.** For example, you could monitor all changes to the SYSVOL share on domain controllers. + diff --git a/windows/keep-secure/event-5144.md b/windows/keep-secure/event-5144.md new file mode 100644 index 0000000000..d74e6e0c0e --- /dev/null +++ b/windows/keep-secure/event-5144.md @@ -0,0 +1,106 @@ +--- +title: 5144(S) A network share object was deleted. (Windows 10) +description: Describes security event 5144(S) A network share object was deleted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5144(S): A network share object was deleted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5144 illustration + +***Subcategory:*** [Audit File Share](audit-file-share.md) + +***Event Description:*** + +This event generates every time a network share object is deleted. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5144 + 0 + 0 + 12808 + 0 + 0x8020000000000000 + + 268368 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x38d12 + \\\\\*\\Documents + C:\\Documents + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008 R2, Windows 7. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete network share object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete network share object” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Share Information:** + +- **Share Name** \[Type = UnicodeString\]**:** the name of the deleted share object. The format is: \\\\\*\\SHARE\_NAME + +- **Share Path** \[Type = UnicodeString\]**:** the full system (NTFS) path for the deleted share object. The format is: \\\\??\\PATH. + +## Security Monitoring Recommendations + +For 5144(S): A network share object was deleted. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have critical network shares for which you need to monitor all changes (especially, the deletion of that share), monitor for specific “**Share Information\\Share Name”.** + +- If you have high-value computers for which you need to monitor all changes (especially, deletion of file shares), monitor for all [5144](event-5144.md) events on these computers**.** For example, you could monitor file shares on domain controllers. + diff --git a/windows/keep-secure/event-5145.md b/windows/keep-secure/event-5145.md new file mode 100644 index 0000000000..1370cc6fe1 --- /dev/null +++ b/windows/keep-secure/event-5145.md 
@@ -0,0 +1,323 @@ +--- +title: 5145(S, F) A network share object was checked to see whether client can be granted desired access. (Windows 10) +description: Describes security event 5145(S, F) A network share object was checked to see whether client can be granted desired access. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5145(S, F): A network share object was checked to see whether client can be granted desired access. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5145 illustration + +***Subcategory:*** [Audit Detailed File Share](audit-detailed-file-share.md) + +***Event Description:*** + +This event generates every time network share object (file or folder) was accessed. + +*Important*: Failure events are generated only when access is denied at the file share level. No events are generated if access was denied on the file system (NTFS) level. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5145 + 0 + 0 + 12811 + 0 + 0x8020000000000000 + + 267092 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x38d34 + File + fe80::31ea:6c3c:f40d:1973 + 56926 + \\\\\*\\Documents + \\??\\C:\\Documents + Bginfo.exe + 0x100081 + %%1541 %%4416 %%4423 + %%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD) + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested access to network share object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested access to network share object. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Network Information:** + +- **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation. Always “**File**” for this event. + + The following table contains the list of the most common **Object Types**: + +| Directory | Event | Timer | Device | +|-------------------------|--------------|----------------------|--------------| +| Mutant | Type | File | Token | +| Thread | Section | WindowStation | DebugObject | +| FilterCommunicationPort | EventPair | Driver | IoCompletion | +| Controller | SymbolicLink | WmiGuid | Process | +| Profile | Desktop | KeyedEvent | Adapter | +| Key | WaitablePort | Callback | Semaphore | +| Job | Port | FilterConnectionPort | ALPC Port | + +- **Source Address** \[Type = UnicodeString\]**:** source IP address from which access was performed. + + - IPv6 address or ::ffff:IPv4 address of a client. + + - ::1 or 127.0.0.1 means localhost. + +- **Source Port** \[Type = UnicodeString\]: source TCP or UDP port which was used from remote or local machine to request the access. + + - 0 for local access attempts. + +**Share Information:** + +- **Share Name** \[Type = UnicodeString\]**:** the name of accessed network share. The format is: \\\\\*\\SHARE\_NAME. 
+ +- **Share Path** \[Type = UnicodeString\]**:** the full system (NTFS) path for accessed share. The format is: \\\\??\\PATH. Can be empty, for example for **Share Name**: \\\\\*\\IPC$. + +- **Relative Target Name** \[Type = UnicodeString\]**:** relative name of the accessed target file or folder. This file-path is relative to the network share. If access was requested for the share itself, then this field appears as “**\\**”. + +**Access Request Information:** + +- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See “Table 13. File access codes.” for different hexadecimal values for access rights. + +- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. + +## Table of file access codes + +| Access | Hex Value,
Schema Value | Description | +|-----------------------------------------------------------|----------------------------|---------------| +| ReadData (or ListDirectory) | 0x1,
%%4416 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | +| WriteData (or AddFile) | 0x2,
%%4417 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
**AddFile -** For a directory, the right to create a file in the directory. | +| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. | +| ReadEA | 0x8,
%%4419 | The right to read extended file attributes. | +| WriteEA | 0x10,
%%4420 | The right to write extended file attributes. | +| Execute/Traverse | 0x20,
%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE**  [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | +| DeleteChild | 0x40,
%%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | +| ReadAttributes | 0x80,
%%4423 | The right to read file attributes. | +| WriteAttributes | 0x100,
%%4424 | The right to write file attributes. | +| DELETE | 0x10000,
%%1537 | The right to delete the object. | +| READ\_CONTROL | 0x20000,
%%1538 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | +| WRITE\_DAC | 0x40000,
%%1539 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | +| WRITE\_OWNER | 0x80000,
%%1540 | The right to change the owner in the object's security descriptor | +| SYNCHRONIZE | 0x100000,
%%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | +| ACCESS\_SYS\_SEC | 0x1000000,
%%1542 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | + +> Table 13. File access codes. + +**Access Check Results** \[Type = UnicodeString\]: the list of access check results. The format of the result is:

+ +REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS. + +- REQUESTED\_ACCESS – the name of requested access. See [Table of file access codes](#table-of-file-access-codes), earlier in this topic. + +- RESULT: + + - Granted by – if access was granted. + + - Denied by – if access was denied. + +- ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS: the Security Descriptor Definition Language (SDDL) value for Access Control Entry (ACE), which granted or denied access. + +> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. + +> Example: + +> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) + +> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. +> See the list of possible values in the table below. + +## SDDL values for Access Control Entry + +| Value | Description | Value | Description | +|-------|--------------------------------------|-------|---------------------------------| +| "AO" | Account operators | "PA" | Group Policy administrators | +| "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user | +| "AN" | Anonymous logon | "LA" | Local administrator | +| "AU" | Authenticated users | "LG" | Local guest | +| "BA" | Built-in administrators | "LS" | Local service account | +| "BG" | Built-in guests | "SY" | Local system | +| "BO" | Backup operators | "NU" | Network logon user | +| "BU" | Built-in users | "NO" | Network configuration operators | +| "CA" | Certificate server administrators | "NS" | Network service account | +| "CG" | Creator group | "PO" | Printer operators | +| "CO" | Creator owner | "PS" | Personal self | +| "DA" | Domain administrators | "PU" | Power users | +| "DC" | Domain computers | "RS" | RAS servers group | +| "DD" | Domain 
controllers | "RD" | Terminal server users | +| "DG" | Domain guests | "RE" | Replicator | +| "DU" | Domain users | "RC" | Restricted code | +| "EA" | Enterprise administrators | "SA" | Schema administrators | +| "ED" | Enterprise domain controllers | "SO" | Server operators | +| "WD" | Everyone | "SU" | Service logon user | + +- *G*: = Primary Group. +- *D*: = DACL Entries. +- *S*: = SACL Entries. + +*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid) + +Example: D:(A;;FA;;;WD) + +- entry\_type: + +“D” - DACL + +“S” - SACL + +- inheritance\_flags: + +"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked. + +"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set. + +"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object. + +- ace\_type: + +"A" - ACCESS ALLOWED + +"D" - ACCESS DENIED + +"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s). + +"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s). + +"AU" - SYSTEM AUDIT + +"A" - SYSTEM ALARM + +"OU" - OBJECT SYSTEM AUDIT + +"OL" - OBJECT SYSTEM ALARM + +- ace\_flags: + +"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE. + +"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE. + +"NP" - NO PROPAGATE: only immediate children inherit this ace. + +"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance. + +"ID" - ACE IS INHERITED + +"SA" - SUCCESSFUL ACCESS AUDIT + +"FA" - FAILED ACCESS AUDIT +- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. 
+ +| Value | Description | Value | Description | +|----------------------------|---------------------------------|----------------------|--------------------------| +| Generic access rights | Directory service access rights | +| "GA" | GENERIC ALL | "RC" | Read Permissions | +| "GR" | GENERIC READ | "SD" | Delete | +| "GW" | GENERIC WRITE | "WD" | Modify Permissions | +| "GX" | GENERIC EXECUTE | "WO" | Modify Owner | +| File access rights | "RP" | Read All Properties | +| "FA" | FILE ALL ACCESS | "WP" | Write All Properties | +| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects | +| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects | +| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents | +| Registry key access rights | "SW" | All Validated Writes | +| "KA" | "LO" | "LO" | List Object | +| "K" | KEY READ | "DT" | Delete Subtree | +| "KW" | KEY WRITE | "CR" | All Extended Rights | +| "KX" | KEY EXECUTE | | | + +- object\_guid: N/A +- inherit\_object\_guid: N/A +- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. + +For more information about SDDL syntax, see these articles: , . + +## Security Monitoring Recommendations + +For 5145(S, F): A network share object was checked to see whether client can be granted desired access. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Monitor this event if the **Network Information\\Source Address** is not from your internal IP range. + +- Monitor this event if the **Network Information\\Source Address** should not be able to connect with the specific computer (**Computer:**). 
+ +- If you have critical files or folders on specific network shares, for which you need to monitor access attempts (Success and Failure), monitor for specific **Share Information\\Share Name** and **Share Information\\Relative Target Name**. + +- If you have domain or local accounts that should only be able to access a specific list of shared files or folders, you can monitor for access attempts outside the allowed list. + +- We recommend that you monitor for these **Access Request Information\\Accesses** rights (especially for Failure): + + - WriteData (or AddFile) + + - AppendData (or AddSubdirectory or CreatePipeInstance) + + - WriteEA + + - DeleteChild + + - WriteAttributes + + - DELETE + + - WRITE\_DAC + + - WRITE\_OWNER + + + diff --git a/windows/keep-secure/event-5148.md b/windows/keep-secure/event-5148.md new file mode 100644 index 0000000000..7751cd9686 --- /dev/null +++ b/windows/keep-secure/event-5148.md 
@@ -0,0 +1,41 @@ +--- +title: 5148(F) The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. (Windows 10) +description: Describes security event 5148(F) The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5148(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +In most circumstances, this event occurs very rarely. It is designed to be generated when an ICPM DoS attack starts or was detected. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) + +***Event Schema:*** + +*The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.* + +*Network Information:* + +> *Type:%1* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008 R2, Windows 7. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- This event can be a sign of ICMP DoS attack or, among other things, hardware or network device related problems. In both cases, we recommend triggering an alert and investigating the reason the event was generated. + diff --git a/windows/keep-secure/event-5149.md b/windows/keep-secure/event-5149.md new file mode 100644 index 0000000000..24b3f6ab89 --- /dev/null +++ b/windows/keep-secure/event-5149.md 
@@ -0,0 +1,43 @@ +--- +title: 5149(F) The DoS attack has subsided and normal processing is being resumed. (Windows 10) +description: Describes security event 5149(F) The DoS attack has subsided and normal processing is being resumed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5149(F): The DoS attack has subsided and normal processing is being resumed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +In most circumstances, this event occurs very rarely. It is designed to be generated when an ICPM DoS attack ended. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) + +***Event Schema:*** + +*The DoS attack has subsided and normal processing is being resumed.* + +*Network Information:* + +> *Type:%1* +> +> *Packets Discarded:%2* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008 R2, Windows 7. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- This event can be a sign of ICMP DoS attack or, among other things, hardware or network device related problems. In both cases, we recommend triggering an alert and investigating the reason the event was generated. + diff --git a/windows/keep-secure/event-5150.md b/windows/keep-secure/event-5150.md new file mode 100644 index 0000000000..10ae5b7bcb --- /dev/null +++ b/windows/keep-secure/event-5150.md 
@@ -0,0 +1,61 @@ +--- +title: 5150(-) The Windows Filtering Platform blocked a packet. (Windows 10) +description: Describes security event 5150(-) The Windows Filtering Platform blocked a packet. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5150(-): The Windows Filtering Platform blocked a packet. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event is logged if the Windows Filtering Platform [MAC filter](https://msdn.microsoft.com/en-us/library/windows/hardware/hh440262(v=vs.85).aspx) blocked a packet. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md) + +***Event Schema:*** + +*The Windows Filtering Platform has blocked a packet.* + +*Network Information:* + +> *Direction:%1* +> +> *Source Address:%2* +> +> *Destination Address:%3* +> +> *EtherType:%4* +> +> *MediaType:%5* +> +> *InterfaceType:%6* +> +> *VlanTag:%7* + +*Filter Information:* + +> *Filter Run-Time ID:%8* +> +> *Layer Name:%9* +> +> *Layer Run-Time ID:%10 * + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2012, Windows 8. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-5151.md b/windows/keep-secure/event-5151.md new file mode 100644 index 0000000000..d1221cb8df --- /dev/null +++ b/windows/keep-secure/event-5151.md 
@@ -0,0 +1,61 @@ +--- +title: 5151(-) A more restrictive Windows Filtering Platform filter has blocked a packet. (Windows 10) +description: Describes security event 5151(-) A more restrictive Windows Filtering Platform filter has blocked a packet. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5151(-): A more restrictive Windows Filtering Platform filter has blocked a packet. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event is logged if a more restrictive Windows Filtering Platform [MAC filter](https://msdn.microsoft.com/en-us/library/windows/hardware/hh440262(v=vs.85).aspx) has blocked a packet. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md) + +***Event Schema:*** + +*A more restrictive Windows Filtering Platform filter has blocked a packet.* + +*Network Information:* + +> *Direction:%1* +> +> *Source Address:%2* +> +> *Destination Address:%3* +> +> *EtherType:%4* +> +> *MediaType:%5* +> +> *InterfaceType:%6* +> +> *VlanTag:%7* + +*Filter Information:* + +> *Filter Run-Time ID:%8* +> +> *Layer Name:%9* +> +> *Layer Run-Time ID:%10 * + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2012, Windows 8. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-5152.md b/windows/keep-secure/event-5152.md new file mode 100644 index 0000000000..af74957188 --- /dev/null +++ b/windows/keep-secure/event-5152.md 
@@ -0,0 +1,185 @@ +--- +title: 5152(F) The Windows Filtering Platform blocked a packet. (Windows 10) +description: Describes security event 5152(F) The Windows Filtering Platform blocked a packet. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5152(F): The Windows Filtering Platform blocked a packet. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5152 illustration + +***Subcategory:*** [Audit Filtering Platform Packet Drop](audit-filtering-platform-packet-drop.md) + +***Event Description:*** + +This event generates when [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) has blocked a network packet. + +This event is generated for every received network packet. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5152 + 0 + 0 + 12809 + 0 + 0x8010000000000000 + + 321323 + + + Security + DC01.contoso.local + + +- + 4556 + \\device\\harddiskvolume2\\documents\\listener.exe + %%14592 + 10.0.0.100 + 49278 + 10.0.0.10 + 3333 + 6 + 0 + %%14610 + 44 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Application Information**: + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process to which blocked network packet was sent. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + + Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**: + +DiskPart illustration + +**Network Information:** + +- **Direction** \[Type = UnicodeString\]: direction of blocked connection. + + - Inbound – for inbound connections. + + - Outbound – for unbound connections. + +- **Source Address** \[Type = UnicodeString\]**:** local IP address on which application received the packet. 
+ + - IPv4 Address + + - IPv6 Address + + - :: - all IP addresses in IPv6 format + + - 0.0.0.0 - all IP addresses in IPv4 format + + - 127.0.0.1 , ::1 - localhost + +- **Source Port** \[Type = UnicodeString\]**:** port number on which application received the packet. + +- **Destination Address** \[Type = UnicodeString\]**:** IP address ***from*** which packet was received or initiated. + + - IPv4 Address + + - IPv6 Address + + - :: - all IP addresses in IPv6 format + + - 0.0.0.0 - all IP addresses in IPv4 format + + - 127.0.0.1 , ::1 - localhost + +- **Destination Port** \[Type = UnicodeString\]**:** port number which was used from remote machine to send the packet. + +- **Protocol** \[Type = UInt32\]: number of protocol which was used. + +| Service | Protocol Number | +|----------------------------------------------------|-----------------| +| Internet Control Message Protocol (ICMP) | 1 | +| Transmission Control Protocol (TCP) | 6 | +| User Datagram Protocol (UDP) | 17 | +| General Routing Encapsulation (PPTP data over GRE) | 47 | +| Authentication Header (AH) IPSec | 51 | +| Encapsulation Security Payload (ESP) IPSec | 50 | +| Exterior Gateway Protocol (EGP) | 8 | +| Gateway-Gateway Protocol (GGP) | 3 | +| Host Monitoring Protocol (HMP) | 20 | +| Internet Group Management Protocol (IGMP) | 88 | +| MIT Remote Virtual Disk (RVD) | 66 | +| OSPF Open Shortest Path First | 89 | +| PARC Universal Packet Protocol (PUP) | 12 | +| Reliable Datagram Protocol (RDP) | 27 | +| Reservation Protocol (RSVP) QoS | 46 | + +**Filter Information:** + +- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocked the packet. + + To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. 
You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example: + + Filters.xml file illustration + +- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. + +- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example: + +Wfpstate xml illustration + +## Security Monitoring Recommendations + +For 5152(F): The Windows Filtering Platform blocked a packet. + +- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application. + +- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + +- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.” + +- Check that **Source Address** is one of the addresses assigned to the computer. + +- If the computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5152](event-5152.md) events where **Destination Address** is an IP address from the Internet (not from private IP ranges). 
+ +- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.” + +- If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in **“Destination Address”** that are not in the whitelist. + +- If you need to monitor all inbound connections to a specific local port, monitor for [5152](event-5152.md) events with that “**Source Port**.**”** + +- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 1, 6, or 17. + +- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.” + diff --git a/windows/keep-secure/event-5153.md b/windows/keep-secure/event-5153.md new file mode 100644 index 0000000000..e02ea78a1e --- /dev/null +++ b/windows/keep-secure/event-5153.md 
@@ -0,0 +1,59 @@ +--- +title: 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet. (Windows 10) +description: Describes security event 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event is logged if a more restrictive Windows Filtering Platform filter has blocked a packet. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Filtering Platform Packet Drop](audit-filtering-platform-packet-drop.md) + +***Event Schema:*** + +*A more restrictive Windows Filtering Platform filter has blocked a packet.* + +*Application Information:* + +> *Process ID:%1* +> +> *Application Name:%2* + +*Network Information:* + +> *Source Address:%3* +> +> *Source Port:%4* +> +> *Protocol:%5* + +*Filter Information:* + +> *Filter Run-Time ID:%6* +> +> *Layer Name:%7* +> +> *Layer Run-Time ID:%8* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-5154.md b/windows/keep-secure/event-5154.md new file mode 100644 index 0000000000..12255300cf --- /dev/null +++ b/windows/keep-secure/event-5154.md 
@@ -0,0 +1,144 @@ +--- +title: 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. (Windows 10) +description: Describes security event 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5154 illustration + +***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md) + +***Event Description:*** + +This event generates every time [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) permits an application or service to listen on a port. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5154 + 0 + 0 + 12810 + 0 + 0x8020000000000000 + + 287929 + + + Security + DC01.contoso.local + + +- + 4152 + \\device\\harddiskvolume2\\documents\\listener.exe + 0.0.0.0 + 4444 + 6 + 0 + %%14609 + 40 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Application Information**: + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was permitted to listen on the port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + + Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**: + +DiskPart illustration + +**Network Information:** + +- **Source Address** \[Type = UnicodeString\]**:** local IP address on which application requested to listen on the port. + + - IPv4 Address + + - IPv6 Address + + - :: - all IP addresses in IPv6 format + + - 0.0.0.0 - all IP addresses in IPv4 format + + - 127.0.0.1 , ::1 - localhost + +- **Source Port** \[Type = UnicodeString\]: source TCP\\UDP port number which was requested for listening by application. + +- **Protocol** \[Type = UInt32\]: protocol number. For example: + + - 6 – TCP. + + - 17 – UDP. 
+ + More information about possible values for this field: . + +**Filter Information:** + +- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which allows application to listen on the specific port. By default Windows firewall won't prevent a port from being listened by an application and if this application doesn’t match any filters you will get value **0** in this field. + + To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example: + +Filters.xml file illustration + +- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. + +- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example: + +Wfpstate xml illustration + +## Security Monitoring Recommendations + +For 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. + +- If you have a “whitelist” of applications that are associated with certain operating systems or server roles, and that are expected to listen on specific ports, monitor this event for **“Application Name”** and other relevant information. 
+ +- If a certain application is allowed to listen only on specific port numbers, monitor this event for **“Application Name”** and **“Network Information\\Source Port**.**”** + +- If a certain application is allowed to listen only on a specific IP address, monitor this event for **“Application Name”** and **“Network Information\\Source Address**.**”** + +- If a certain application is allowed to use only TCP or UDP protocols, monitor this event for **“Application Name”** and the protocol number in **“Network Information\\Protocol**.**”** + +- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application. + +- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + +- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.” + +- Typically this event has an informational purpose. + diff --git a/windows/keep-secure/event-5155.md b/windows/keep-secure/event-5155.md new file mode 100644 index 0000000000..369db60297 --- /dev/null +++ b/windows/keep-secure/event-5155.md 
@@ -0,0 +1,61 @@ +--- +title: 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. (Windows 10) +description: Describes security event 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +By default Windows firewall won't prevent a port from being listened by an application. In the other word, Windows system will not generate Event 5155 by itself. + +You can add your own filters using the WFP APIs to block listen to reproduce this event: . + +There is no event example in this document. + +***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md) + +***Event Schema:*** + +*The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.* + +*Application Information:* + +> *Process ID:%1* +> +> *Application Name:%2* + +*Network Information:* + +> *Source Address:%3* +> +> *Source Port:%4* +> +> *Protocol:%5* + +*Filter Information:* + +> *Filter Run-Time ID:%6* +> +> *Layer Name:%7* +> +> *Layer Run-Time ID:%8* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- If you use Windows Filtering Platform APIs to block application or services from listening on a port, then you can use this event for troubleshooting and monitoring. + diff --git a/windows/keep-secure/event-5156.md b/windows/keep-secure/event-5156.md new file mode 100644 index 0000000000..faa073a9c3 --- /dev/null +++ b/windows/keep-secure/event-5156.md 
@@ -0,0 +1,185 @@ +--- +title: 5156(S) The Windows Filtering Platform has permitted a connection. (Windows 10) +description: Describes security event 5156(S) The Windows Filtering Platform has permitted a connection. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5156(S): The Windows Filtering Platform has permitted a connection. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5156 illustration + +***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md) + +***Event Description:*** + +This event generates when [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) has allowed a connection. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5156 + 1 + 0 + 12810 + 0 + 0x8020000000000000 + + 308129 + + + Security + DC01.contoso.local + + +- + 4556 + \\device\\harddiskvolume2\\documents\\listener.exe + %%14592 + 10.0.0.10 + 3333 + 10.0.0.100 + 49278 + 6 + 70201 + %%14610 + 44 + S-1-0-0 + S-1-0-0 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Application Information**: + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which received the connection. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + + Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**: + +DiskPart illustration + +**Network Information:** + +- **Direction** \[Type = UnicodeString\]: direction of allowed connection. + + - Inbound – for inbound connections. + + - Outbound – for unbound connections. + +- **Source Address** \[Type = UnicodeString\]**:** local IP address on which application received the connection. 
+ + - IPv4 Address + + - IPv6 Address + + - :: - all IP addresses in IPv6 format + + - 0.0.0.0 - all IP addresses in IPv4 format + + - 127.0.0.1 , ::1 - localhost + +- **Source Port** \[Type = UnicodeString\]**:** port number on which application received the connection. + +- **Destination Address** \[Type = UnicodeString\]**:** IP address ***from*** which connection was received or initiated. + + - IPv4 Address + + - IPv6 Address + + - :: - all IP addresses in IPv6 format + + - 0.0.0.0 - all IP addresses in IPv4 format + + - 127.0.0.1 , ::1 - localhost + +- **Destination Port** \[Type = UnicodeString\]**:** port number which was used from remote machine to initiate connection. + +- **Protocol** \[Type = UInt32\]: number of protocol which was used. + +| Service | Protocol Number | +|----------------------------------------------------|-----------------| +| Internet Control Message Protocol (ICMP) | 1 | +| Transmission Control Protocol (TCP) | 6 | +| User Datagram Protocol (UDP) | 17 | +| General Routing Encapsulation (PPTP data over GRE) | 47 | +| Authentication Header (AH) IPSec | 51 | +| Encapsulation Security Payload (ESP) IPSec | 50 | +| Exterior Gateway Protocol (EGP) | 8 | +| Gateway-Gateway Protocol (GGP) | 3 | +| Host Monitoring Protocol (HMP) | 20 | +| Internet Group Management Protocol (IGMP) | 88 | +| MIT Remote Virtual Disk (RVD) | 66 | +| OSPF Open Shortest Path First | 89 | +| PARC Universal Packet Protocol (PUP) | 12 | +| Reliable Datagram Protocol (RDP) | 27 | +| Reservation Protocol (RSVP) QoS | 46 | + +**Filter Information:** + +- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which allowed the connection. + + To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. 
You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example: + +Filters.xml file illustration + +- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. + +- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example: + +Wfpstate xml illustration + +## Security Monitoring Recommendations + +For 5156(S): The Windows Filtering Platform has permitted a connection. + +- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application. + +- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + +- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.” + +- Check that “**Source Address”** is one of the addresses assigned to the computer. + +- If the computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5156](event-5156.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges). 
+ +- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”** + +- If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the whitelist. + +- If you need to monitor all inbound connections to a specific local port, monitor for [5156](event-5156.md) events with that “**Source Port**.**”** + +- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 1, 6, or 17. + +- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.” + diff --git a/windows/keep-secure/event-5157.md b/windows/keep-secure/event-5157.md new file mode 100644 index 0000000000..b66541d467 --- /dev/null +++ b/windows/keep-secure/event-5157.md @@ -0,0 +1,185 @@ +--- +title: 5157(F) The Windows Filtering Platform has blocked a connection. (Windows 10) +description: Describes security event 5157(F) The Windows Filtering Platform has blocked a connection. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5157(F): The Windows Filtering Platform has blocked a connection. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5157 illustration + +***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md) + +***Event Description:*** + +This event generates when [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) has blocked a connection. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
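Review bot: In the event-5156.md Security Monitoring Recommendations, the bullet `Monitor for all connections with a "Protocol Number" that is not typical for this device or compter` misspells "computer" and calls the field "Protocol Number" although the field description above names it "Protocol"; use one name in both places so readers can match the recommendation to the event field. The Source Port bullet in the Network Information list ("port number on which application received the connection") only describes the inbound case; wording it as the local port of the connection, whatever the direction, would fit both inbound and outbound events.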
+ +***Event XML:*** +``` +- +- + + 5157 + 1 + 0 + 12810 + 0 + 0x8010000000000000 + + 304390 + + + Security + DC01.contoso.local + + +- + 4556 + \\device\\harddiskvolume2\\documents\\listener.exe + %%14592 + 10.0.0.10 + 3333 + 10.0.0.100 + 49218 + 6 + 110398 + %%14610 + 44 + S-1-0-0 + S-1-0-0 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Application Information**: + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted to create the connection. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + +- **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + + Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**: + +DiskPart illustration + +**Network Information:** + +- **Direction** \[Type = UnicodeString\]: direction of blocked connection. + + - Inbound – for inbound connections. + + - Outbound – for unbound connections. + +- **Source Address** \[Type = UnicodeString\]**:** local IP address on which application received the connection. 
+ + - IPv4 Address + + - IPv6 Address + + - :: - all IP addresses in IPv6 format + + - 0.0.0.0 - all IP addresses in IPv4 format + + - 127.0.0.1 , ::1 - localhost + +- **Source Port** \[Type = UnicodeString\]**:** port number on which application received the connection. + +- **Destination Address** \[Type = UnicodeString\]**:** IP address ***from*** which connection was received or initiated. + + - IPv4 Address + + - IPv6 Address + + - :: - all IP addresses in IPv6 format + + - 0.0.0.0 - all IP addresses in IPv4 format + + - 127.0.0.1 , ::1 - localhost + +- **Destination Port** \[Type = UnicodeString\]**:** port number which was used from remote machine to initiate connection. + +- **Protocol** \[Type = UInt32\]: number of protocol which was used. + +| Service | Protocol Number | +|----------------------------------------------------|-----------------| +| Internet Control Message Protocol (ICMP) | 1 | +| Transmission Control Protocol (TCP) | 6 | +| User Datagram Protocol (UDP) | 17 | +| General Routing Encapsulation (PPTP data over GRE) | 47 | +| Authentication Header (AH) IPSec | 51 | +| Encapsulation Security Payload (ESP) IPSec | 50 | +| Exterior Gateway Protocol (EGP) | 8 | +| Gateway-Gateway Protocol (GGP) | 3 | +| Host Monitoring Protocol (HMP) | 20 | +| Internet Group Management Protocol (IGMP) | 88 | +| MIT Remote Virtual Disk (RVD) | 66 | +| OSPF Open Shortest Path First | 89 | +| PARC Universal Packet Protocol (PUP) | 12 | +| Reliable Datagram Protocol (RDP) | 27 | +| Reservation Protocol (RSVP) QoS | 46 | + +**Filter Information:** + +- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocked the connection. + + To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. 
You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example: + + Filters.xml file illustration + +- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. + +- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example: + +Wfpstate xml illustration + +## Security Monitoring Recommendations + +For 5157(F): The Windows Filtering Platform has blocked a connection. + +- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application. + +- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + +- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.” + +- Check that “**Source Address”** is one of the addresses assigned to the computer. + +- If the\` computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5157](event-5157.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges). 
+ +- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”** + +- If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the whitelist. + +- If you need to monitor all inbound connections to a specific local port, monitor for [5157](event-5157.md) events with that “**Source Port**.**”** + +- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 1, 6, or 17. + +- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.” + diff --git a/windows/keep-secure/event-5158.md b/windows/keep-secure/event-5158.md new file mode 100644 index 0000000000..2e9b42e9b0 --- /dev/null +++ b/windows/keep-secure/event-5158.md 
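Review bot: In event-5157.md the Direction bullet `- Outbound – for unbound connections.` should read "for outbound connections", and the recommendation `If the\` computer or device should not have access to the Internet` has a stray backtick before "computer". Because Direction can be Inbound or Outbound, the Source Address and Source Port descriptions ("on which application received the connection") only fit the inbound case; describe Source as the local endpoint and Destination as the remote endpoint for both directions. The Protocol recommendation also misspells "computer" as "compter" and refers to a "Protocol Number" field while the field description names it "Protocol".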
@@ -0,0 +1,156 @@ +--- +title: 5158(S) The Windows Filtering Platform has permitted a bind to a local port. (Windows 10) +description: Describes security event 5158(S) The Windows Filtering Platform has permitted a bind to a local port. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5158(S): The Windows Filtering Platform has permitted a bind to a local port. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5158 illustration + +***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md) + +***Event Description:*** + +This event generates every time [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) permits an application or service to bind to a local port. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5158 + 0 + 0 + 12810 + 0 + 0x8020000000000000 + + 308122 + + + Security + DC01.contoso.local + + +- + 4556 + \\device\\harddiskvolume2\\documents\\listener.exe + 0.0.0.0 + 3333 + 6 + 0 + %%14608 + 36 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Application Information**: + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + + + +- **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + + Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**: + +DiskPart illustration + +**Network Information:** + +- **Source Address** \[Type = UnicodeString\]**:** local IP address on which application was bind the port. + + - IPv4 Address + + - IPv6 Address + + - :: - all IP addresses in IPv6 format + + - 0.0.0.0 - all IP addresses in IPv4 format + + - 127.0.0.1 , ::1 - localhost + +- **Source Port** \[Type = UnicodeString\]**:** port number which application was bind. + +- **Protocol** \[Type = UInt32\]: number of protocol which was used. 
+ +| Service | Protocol Number | +|----------------------------------------------------|-----------------| +| Internet Control Message Protocol (ICMP) | 1 | +| Transmission Control Protocol (TCP) | 6 | +| User Datagram Protocol (UDP) | 17 | +| General Routing Encapsulation (PPTP data over GRE) | 47 | +| Authentication Header (AH) IPSec | 51 | +| Encapsulation Security Payload (ESP) IPSec | 50 | +| Exterior Gateway Protocol (EGP) | 8 | +| Gateway-Gateway Protocol (GGP) | 3 | +| Host Monitoring Protocol (HMP) | 20 | +| Internet Group Management Protocol (IGMP) | 88 | +| MIT Remote Virtual Disk (RVD) | 66 | +| OSPF Open Shortest Path First | 89 | +| PARC Universal Packet Protocol (PUP) | 12 | +| Reliable Datagram Protocol (RDP) | 27 | +| Reservation Protocol (RSVP) QoS | 46 | + +**Filter Information:** + +- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which allows application to bind the port. By default Windows firewall won't prevent a port from being binded by an application and if this application doesn’t match any filters you will get value 0 in this field. + + To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example: + + Filters.xml file illustration + +- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. + +- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. 
You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example: + +Wfpstate xml illustration + +## Security Monitoring Recommendations + +For 5158(S): The Windows Filtering Platform has permitted a bind to a local port. + +- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application. + +- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + +- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.” + +- Check that “**Source Address”** is one of the addresses assigned to the computer. + +- If you need to monitor all actions with a specific local port, monitor for [5158](event-5158.md) events with that “**Source Port.”** + +- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 6 or 17. + +- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.” + diff --git a/windows/keep-secure/event-5159.md b/windows/keep-secure/event-5159.md new file mode 100644 index 0000000000..02939e687e --- /dev/null +++ b/windows/keep-secure/event-5159.md 
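Review bot: In event-5158.md the last Security Monitoring Recommendation (`If the computer's communication with "Destination Address" should always use a specific "Destination Port"...`) refers to fields this event does not carry: the 5158 fields documented above are Source Address, Source Port and Protocol only, so this bullet looks copied from 5156/5157 and should be removed or reworded around Source Port. The Network Information bullets also need grammar fixes: "on which application was bind the port" should be "to which the application bound the port", "port number which application was bind" should be "port number that the application bound", and "binded" in the Filter Run-Time ID bullet should be "bound". The Protocol recommendation misspells "computer" as "compter".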
@@ -0,0 +1,59 @@ +--- +title: 5159(F) The Windows Filtering Platform has blocked a bind to a local port. (Windows 10) +description: Describes security event 5159(F) The Windows Filtering Platform has blocked a bind to a local port. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5159(F): The Windows Filtering Platform has blocked a bind to a local port. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event is logged if the Windows Filtering Platform has blocked a bind to a local port. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md) + +***Event Schema:*** + +*The Windows Filtering Platform has blocked a bind to a local port.* + +*Application Information:* + +> *Process ID:%1* +> +> *Application Name:%2* + +*Network Information:* + +> *Source Address:%3* +> +> *Source Port:%4* +> +> *Protocol:%5* + +*Filter Information:* + +> *Filter Run-Time ID:%6* +> +> *Layer Name:%7* +> +> *Layer Run-Time ID:%8* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-5168.md b/windows/keep-secure/event-5168.md new file mode 100644 index 0000000000..44c9fe20cc --- /dev/null +++ b/windows/keep-secure/event-5168.md 
@@ -0,0 +1,119 @@ +--- +title: 5168(F) SPN check for SMB/SMB2 failed. (Windows 10) +description: Describes security event 5168(F) SPN check for SMB/SMB2 failed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5168(F): SPN check for SMB/SMB2 failed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5168 illustration + +***Subcategory:*** [Audit File Share](audit-file-share.md) + +***Event Description:*** + +This event generates when SMB SPN check fails. + +It often happens because of NTLMv1 or LM protocols usage from client side when “[Microsoft Network Server: Server SPN target name validation level](https://technet.microsoft.com/en-us/library/jj852272.aspx)” group policy set to “Require from client” on server side. SPN only sent to server when NTLMv2 or Kerberos protocols are used, and after that SPN can be validated. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5168 + 0 + 0 + 12808 + 0 + 0x8010000000000000 + + 268946 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0xd0cd4 + N/A + 0xc0000022 + CONTOSO;contoso.local;DC01.contoso.local;DC01;LocalHost; + N/A + 127.0.0.1;::1;10.0.0.10;;fe80::31ea:6c3c:f40d:1973;;fe80::5efe:10.0.0.10; + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008 R2, Windows 7. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account for which SPN check operation was failed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which SPN check operation was failed. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**SPN**: + +- **SPN Name** \[Type = UnicodeString\]: SPN which was used to access the server. If SPN was not provided, then the value will be “N/A”. + +> **Note**  **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. + +- **Error Code** \[Type = HexInt32\]: hexadecimal error code, for example “0xC0000022” = STATUS\_ACCESS\_DENIED. You can find description for all SMB error codes here: . + +**Server Information**: + +- **Server Names** \[Type = UnicodeString\]: information about possible server names to use to access the target server (NETBIOS, DNS, localhost, etc.). + +- **Configured Names** \[Type = UnicodeString\]: information about the names which were provided for validation. If no information was provided the value will be “**N/A**”. 
+ +- **IP Addresses** \[Type = UnicodeString\]: information about possible IP addresses to use to access the target server (IPv4, IPv6). + +## Security Monitoring Recommendations + +For 5168(F): SPN check for SMB/SMB2 failed. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- We recommend monitoring for any [5168](event-5168.md) event, because it can be a sign of a configuration issue or a malicious authentication attempt. + diff --git a/windows/keep-secure/event-5376.md b/windows/keep-secure/event-5376.md new file mode 100644 index 0000000000..16034db84c --- /dev/null +++ b/windows/keep-secure/event-5376.md @@ -0,0 +1,100 @@ +--- +title: 5376(S) Credential Manager credentials were backed up. (Windows 10) +description: Describes security event 5376(S) Credential Manager credentials were backed up. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5376(S): Credential Manager credentials were backed up. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5376 illustration + +***Subcategory:*** [Audit User Account Management](audit-user-account-management.md) + +***Event Description:*** + +This event generates every time the user (**Subject**) successfully backs up the [credential manager](https://technet.microsoft.com/library/jj554668.aspx) database. + +Typically this can be done by clicking “Back up Credentials” in Credential Manager in the Control Panel. + +This event generates on domain controllers, member servers, and workstations. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
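Review bot: In event-5168.md the Error Code bullet ends with an empty reference: `You can find description for all SMB error codes here: .` The link target is missing, so either add the intended URL or drop the sentence. The Event Description paragraph (`It often happens because of NTLMv1 or LM protocols usage from client side when ... group policy set to "Require from client" on server side. SPN only sent to server when NTLMv2 or Kerberos protocols are used`) is missing articles and verbs; something like "It often happens when the client uses NTLMv1 or LM while the ... policy is set to 'Require from client' on the server; the SPN is only sent to the server when NTLMv2 or Kerberos is used, and only then can it be validated" reads correctly. The Security ID and Account Name bullets say "for which SPN check operation was failed"; "for which the SPN check failed" is the intended wording.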
+ +***Event XML:*** +``` +- +- + + 5376 + 0 + 0 + 13824 + 0 + 0x8020000000000000 + + 175779 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x30d7c + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that performed the backup operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that performed the backup operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +## Security Monitoring Recommendations + +For 5376(S): Credential Manager credentials were backed up. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Every [5376](event-5376.md) event should be recorded for all local and domain accounts, because this action (back up Credential Manager) is very rarely used by users and can indicate a virus, or other harmful or malicious activity. + diff --git a/windows/keep-secure/event-5377.md b/windows/keep-secure/event-5377.md new file mode 100644 index 0000000000..c50b35c2f4 --- /dev/null +++ b/windows/keep-secure/event-5377.md 
@@ -0,0 +1,100 @@ +--- +title: 5377(S) Credential Manager credentials were restored from a backup. (Windows 10) +description: Describes security event 5377(S) Credential Manager credentials were restored from a backup. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5377(S): Credential Manager credentials were restored from a backup. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5377 illustration + +***Subcategory:*** [Audit User Account Management](audit-user-account-management.md) + +***Event Description:*** + +This event generates every time the user (**Subject**) successfully restores the [credential manager](https://technet.microsoft.com/library/jj554668.aspx) database. + +Typically this can be done by clicking “Restore Credentials” in Credential Manager in the Control Panel. + +This event generates on domain controllers, member servers, and workstations. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5377 + 0 + 0 + 13824 + 0 + 0x8020000000000000 + + 175780 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x30d7c + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that performed the restore operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that performed the restore operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +## Security Monitoring Recommendations + +For 5377(S): Credential Manager credentials were restored from a backup. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Every [5377](event-5377.md) event should be recorded for all local and domain accounts, because this action (restore Credential Manager credentials from a backup) is very rarely used by users, and can indicate a virus, or other harmful or malicious activity. + diff --git a/windows/keep-secure/event-5378.md b/windows/keep-secure/event-5378.md new file mode 100644 index 0000000000..066229425a --- /dev/null +++ b/windows/keep-secure/event-5378.md 
@@ -0,0 +1,122 @@ +--- +title: 5378(F) The requested credentials delegation was disallowed by policy. (Windows 10) +description: Describes security event 5378(F) The requested credentials delegation was disallowed by policy. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5378(F): The requested credentials delegation was disallowed by policy. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5378 illustration + +***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md) + +***Event Description:*** + +This event generates requested [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) credentials delegation was disallowed by [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation policy. + +It typically occurs when [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation for [WinRM](https://msdn.microsoft.com/en-us/library/aa384426(v=vs.85).aspx) [double-hop](https://msdn.microsoft.com/en-us/library/ee309365(v=vs.85).aspx) session was not set properly. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5378 + 0 + 0 + 12551 + 0 + 0x8010000000000000 + + 1198733 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x2b1e04 + CREDSSP + dadmin@contoso + WSMAN/dc01.contoso.local + %%8098 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested credentials delegation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested credentials delegation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Credential Delegation Information:** + +- **Security Package** \[Type = UnicodeString\]: the name of [Security Package](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380501(v=vs.85).aspx) which was used. Always **CREDSSP** for this event. + +- **User's UPN** \[Type = UnicodeString\]: [UPN](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380525(v=vs.85).aspx) of the account for which delegation was requested. + +- **Target Server** \[Type = UnicodeString\]: SPN of the target service for which delegation was requested. + +> **Note**  **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. 
+ +- **Credential Type** \[Type = UnicodeString\]: types of credentials which were presented for delegation: + +| Credentials Type | Description | +|---------------------|---------------------------------------------------------------------------------------------------------------------------------------------| +| Default credentials | The credentials obtained when the user first logs on to Windows. | +| Fresh credentials | The credentials that the user is prompted for when executing an application. | +| Saved credentials | The credentials that are saved using [Credential Manager](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374792(v=vs.85).aspx). | + +## Security Monitoring Recommendations + +For 5378(F): The requested credentials delegation was disallowed by policy. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have defined CredSSP delegation policy, then this event will show you policy violations. We recommend collecting these events and investigating every policy violation. + +- This event also can be used for CredSSP delegation troubleshooting. + diff --git a/windows/keep-secure/event-5447.md b/windows/keep-secure/event-5447.md new file mode 100644 index 0000000000..f262a70474 --- /dev/null +++ b/windows/keep-secure/event-5447.md 
@@ -0,0 +1,86 @@ +--- +title: 5447(S) A Windows Filtering Platform filter has been changed. (Windows 10) +description: Describes security event 5447(S) A Windows Filtering Platform filter has been changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5447(S): A Windows Filtering Platform filter has been changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5447 illustration + +***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) + +***Event Description:*** + +This event generates every time a [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) filter has been changed. + +It typically generates during Group Policy update procedures. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5447 + 0 + 0 + 13573 + 0 + 0x8020000000000000 + + 1060216 + + + Security + DC01.contoso.local + + +- + 284 + S-1-5-19 + NT AUTHORITY\\LOCAL SERVICE + {DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62} + Microsoft Corporation + %%16385 + {91334E6D-FFAB-40F1-8C43-5554965C228D} + Port Scanning Prevention Filter + %%16388 + 100100 + {AC4A9833-F69D-4648-B261-6DC84835EF39} + Inbound Transport v4 Discard Layer + 13 + 13835058055315718144 + Condition ID: {632ce23b-5167-435c-86d7-e903684aa80c} Match value: No flags set Condition value: 0x00000003 + %%16391 + {EDA08606-2494-4D78-89BC-67837C03B969} + WFP Built-in Silent Drop Transport v4 Discard Layer Callout + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +For 5447(S): A Windows Filtering Platform filter has been changed. + +- This event mainly used for Windows Filtering Platform troubleshooting and typically has little to no security relevance. + diff --git a/windows/keep-secure/event-5632.md b/windows/keep-secure/event-5632.md new file mode 100644 index 0000000000..0116808357 --- /dev/null +++ b/windows/keep-secure/event-5632.md 
@@ -0,0 +1,140 @@ +--- +title: 5632(S, F) A request was made to authenticate to a wireless network. (Windows 10) +description: Describes security event 5632(S, F) A request was made to authenticate to a wireless network. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5632(S, F): A request was made to authenticate to a wireless network. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5632 illustration + +***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md) + +***Event Description:*** + +This event generates when [802.1x](https://technet.microsoft.com/en-us/library/hh831831.aspx) authentication attempt was made for wireless network. + +It typically generates when network adapter connects to new wireless network. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5632 + 1 + 0 + 12551 + 0 + 0x8020000000000000 + + 44113845 + + + Security + XXXXXXX.redmond.corp.microsoft.com + + +- + Nokia + host/XXXXXXXX.redmond.corp.microsoft.com + - + - + 0x0 + 18:64:72:F3:33:91 + 02:1A:C5:14:59:C9 + {2BB33827-6BB6-48DB-8DE6-DB9E0B9F9C9B} + 0x0 + The operation was successful. + 0x0 + 0x0 + + 0x0 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = UnicodeString\]**:** User Principal Name (UPN) or another type of account identifier for which 802.1x authentication request was made. + +> **Note**  [User principal name](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380525(v=vs.85).aspx) (UPN) format is used to specify an Internet-style name, such as UserName@Example.Microsoft.com. + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which 802.1x authentication request was made. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. 
+ +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Network Information:** + +- **Name (SSID)** \[Type = UnicodeString\]**:** SSID of the wireless network to which authentication request was sent. + +> **Note**  A **service set identifier (SSID)** is a sequence of characters that uniquely names a wireless local area network (WLAN). An SSID is sometimes referred to as a "network name." This name allows stations to connect to the desired network when multiple independent networks operate in the same physical area. + +- **Interface GUID** \[Type = GUID\]**:** GUID of the network interface which was used for authentication request. + +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +You can see interface’s GUID using the following commands: + +- “netsh lan show interfaces” – for wired interfaces. + +- “netsh wlan show interfaces” – for wireless interfaces. + +Netsh LAN command illustration + +- **Local MAC Address** \[Type = UnicodeString\]**:** local interface’s MAC-address. + +- **Peer MAC Address** \[Type = UnicodeString\]**:** peer’s (typically – access point) MAC-address. + +**Additional Information:** + +- **Reason Code** \[Type = UnicodeString\]**:** contains Reason Text (explanation of Reason Code) and Reason Code for wireless authentication results. See more information about reason codes for wireless authentication here: , . + +- **Error Code** \[Type = HexInt32\]**:** there is no information about this field in this document. + +- **EAP Reason Code** \[Type = HexInt32\]**:** there is no information about this field in this document. See additional information here: . 
+ +- **EAP Root Cause String** \[Type = UnicodeString\]**:** there is no information about this field in this document. + +- **EAP Error Code** \[Type = HexInt32\]**:** there is no information about this field in this document. + +## Security Monitoring Recommendations + +For 5632(S, F): A request was made to authenticate to a wireless network. + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-5633.md b/windows/keep-secure/event-5633.md new file mode 100644 index 0000000000..bd4d485c9c --- /dev/null +++ b/windows/keep-secure/event-5633.md @@ -0,0 +1,112 @@ +--- +title: 5633(S, F) A request was made to authenticate to a wired network. (Windows 10) +description: Describes security event 5633(S, F) A request was made to authenticate to a wired network. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5633(S, F): A request was made to authenticate to a wired network. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5633 illustration + +***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md) + +***Event Description:*** + +This event generates when [802.1x](https://technet.microsoft.com/en-us/library/hh831831.aspx) authentication attempt was made for wired network. + +It typically generates when network adapter connects to new wired network. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5633 + 0 + 0 + 12551 + 0 + 0x8020000000000000 + + 1198715 + + + Security + DC01.contoso.local + + +- + Microsoft Hyper-V Network Adapter + - + - + - + 0x0 + 0x70003 + The network does not support authentication + 0x0 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = UnicodeString\]**:** User Principal Name (UPN) of account for which 802.1x authentication request was made. + +> **Note**  [User principal name](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380525(v=vs.85).aspx) (UPN) format is used to specify an Internet-style name, such as UserName@Example.Microsoft.com. + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which 802.1x authentication request was made. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Interface:** + +- **Name** \[Type = UnicodeString\]: the name (description) of network interface which was used for authentication request. You can get the list of all available network adapters using “**ipconfig /all**” command. 
See “Description” row for every network adapter: + +Ipconfig command illustration + +**Additional Information:** + +- **Reason Code** \[Type = UnicodeString\]: contains Reason Text (explanation of Reason Code) and Reason Code for wired authentication results. See more information about reason codes for wired authentication here: , . + +- **Error Code** \[Type = HexInt32\]: unique [EAP error code](https://msdn.microsoft.com/en-us/library/windows/desktop/aa813691(v=vs.85).aspx). + +## Security Monitoring Recommendations + +For 5633(S, F): A request was made to authenticate to a wired network. + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-5712.md b/windows/keep-secure/event-5712.md new file mode 100644 index 0000000000..0b590700ce --- /dev/null +++ b/windows/keep-secure/event-5712.md 
@@ -0,0 +1,66 @@ +--- +title: 5712(S) A Remote Procedure Call (RPC) was attempted. (Windows 10) +description: Describes security event 5712(S) A Remote Procedure Call (RPC) was attempted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5712(S): A Remote Procedure Call (RPC) was attempted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +It appears that this event never occurs. + +***Subcategory:*** [Audit RPC Events](audit-rpc-events.md) + +***Event Schema:*** + +*A Remote Procedure Call (RPC) was attempted.* + +*Subject:* + +> *SID:%1* +> +> *Name:%2* +> +> *Account Domain:%3* +> +> *LogonId:%4* + +*Process Information:* + +> *PID:%5 +> Name:%6* + +*Network Information:* + +> *Remote IP Address:%7* +> +> *Remote Port:%8* + +*RPC Attributes:* + +> *Interface UUID:%9* +> +> *Protocol Sequence:%10* +> +> *Authentication Service:%11* +> +> *Authentication Level:%12* + +***Required Server Roles:*** no information. + +***Minimum OS Version:*** no information. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-5888.md b/windows/keep-secure/event-5888.md new file mode 100644 index 0000000000..4e35780a9c --- /dev/null +++ b/windows/keep-secure/event-5888.md 
@@ -0,0 +1,157 @@ +--- +title: 5888(S) An object in the COM+ Catalog was modified. (Windows 10) +description: Describes security event 5888(S) An object in the COM+ Catalog was modified. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5888(S): An object in the COM+ Catalog was modified. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5888 illustration + +***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) + +***Event Description:*** + +This event generates when the object in [COM+ Catalog](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679196(v=vs.85).aspx) was modified. + +For some reason this event belongs to [Audit System Integrity](event-5890.md) subcategory, but generation of this event enables in this subcategory. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5888 + 0 + 0 + 12290 + 0 + 0x8020000000000000 + + 344994 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 222443 + Applications + ID = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} AppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70} + Name = 'COMApp' -> 'COMApp-New' cCOL\_SecurityDescriptor = '' -> '' + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify/change object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify/change object” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Object**: + +- **COM+ Catalog Collection** \[Type = UnicodeString\]: the name of COM+ collection in which the object was modified. Here is the list of possible collection values with descriptions: + +| Collection | Description | +|------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [ApplicationCluster](https://msdn.microsoft.com/en-us/library/windows/desktop/ms683600(v=vs.85).aspx) | Contains a list of the servers in the application cluster. | +| [ApplicationInstances](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679173(v=vs.85).aspx) | Contains an object for each instance of a running COM+ application. | +| [Applications](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686107(v=vs.85).aspx) | Contains an object for each COM+ application installed on the local computer. 
| +| [Components](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688285(v=vs.85).aspx) | Contains an object for each component in the application to which it is related. | +| [ComputerList](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681320(v=vs.85).aspx) | Contains a list of the computers found in the Computers folder of the Component Services administration tool. | +| [DCOMProtocols](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688297(v=vs.85).aspx) | Contains a list of the protocols to be used by DCOM. It contains an object for each protocol. | +| [ErrorInfo](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686530(v=vs.85).aspx) | Retrieves extended error information regarding methods that deal with multiple objects. | +| [EventClassesForIID](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679576(v=vs.85).aspx) | Retrieves information regarding event classes. | +| [FilesForImport](https://msdn.microsoft.com/en-us/library/windows/desktop/ms685046(v=vs.85).aspx) | Retrieves information from its MSI file about an application that can be imported. | +| [InprocServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms678949(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system. It contains an object for each component. | +| [InterfacesForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687751(v=vs.85).aspx) | Contains an object for each interface exposed by the component to which the collection is related. | +| [LegacyComponents](https://msdn.microsoft.com/en-us/library/windows/desktop/ms683616(v=vs.85).aspx) | Contains an object for each unconfigured component in the application to which it is related. 
| +| [LegacyServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms685965(v=vs.85).aspx) | Identical to the [InprocServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms678949(v=vs.85).aspx) collection except that this collection also includes local servers. | +| [LocalComputer](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682790(v=vs.85).aspx) | Contains a single object that holds computer level settings information for the computer whose catalog you are accessing. | +| [MethodsForInterface](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687595(v=vs.85).aspx) | Contains an object for each method on the interface to which the collection is related. | +| [Partitions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679480(v=vs.85).aspx) | Used to specify the applications contained in each partition. | +| [PartitionUsers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686081(v=vs.85).aspx) | Used to specify the users contained in each partition. | +| [PropertyInfo](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681735(v=vs.85).aspx) | Retrieves information about the properties that a specified collection supports. | +| [PublisherProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682794(v=vs.85).aspx) | Contains an object for each publisher property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687726(v=vs.85).aspx) collection. | +| [RelatedCollectionInfo](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686925(v=vs.85).aspx) | Retrieves information about other collections related to the collection from which it is called. | +| [Roles](https://msdn.microsoft.com/en-us/library/windows/desktop/ms683613(v=vs.85).aspx) | Contains an object for each role assigned to the application to which it is related. 
| +| [RolesForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686119(v=vs.85).aspx) | Contains an object for each role assigned to the component to which the collection is related. | +| [RolesForInterface](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688303(v=vs.85).aspx) | Contains an object for each role assigned to the interface to which the collection is related. | +| [RolesForMethod](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679943(v=vs.85).aspx) | Contains an object for each role assigned to the method to which the collection is related. | +| [RolesForPartition](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681316(v=vs.85).aspx) | Contains an object for each role assigned to the partition to which the collection is related. | +| [Root](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682277(v=vs.85).aspx) | Contains the top-level collections on the catalog. | +| [SubscriberProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681611(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687726(v=vs.85).aspx) collection. | +| [SubscriptionsForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687726(v=vs.85).aspx) | Contains an object for each subscription for the parent [Components](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688285(v=vs.85).aspx) collection. | +| [TransientPublisherProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681793(v=vs.85).aspx) | Contains an object for each publisher property for the parent [TransientSubscriptions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686100(v=vs.85).aspx) collection. 
| +| [TransientSubscriberProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686051(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [TransientSubscriptions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686100(v=vs.85).aspx) collection. | +| [TransientSubscriptions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686100(v=vs.85).aspx) | Contains an object for each transient subscription. | +| [UsersInPartitionRole](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686441(v=vs.85).aspx) | Contains an object for each user in the partition role to which the collection is related. | +| [UsersInRole](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687622(v=vs.85).aspx) | Contains an object for each user in the role to which the collection is related. | +| [WOWInprocServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681249(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system for 32-bit components on 64-bit computers. | +| [WOWLegacyServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682774(v=vs.85).aspx) | Identical to the [LegacyServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms685965(v=vs.85).aspx) collection except that this collection is drawn from the 32-bit registry on 64-bit computers. | + +- **Object Name** \[Type = UnicodeString\]: object-specific fields with the names and identifiers for the modified object. It depends on **COM+ Catalog Collection** value, for example, if **COM+ Catalog Collection** = [Applications](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686107(v=vs.85).aspx), then you can find that: + + - **ID** - A GUID representing the application. This property is returned when the [Key](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679201(v=vs.85).aspx) property method is called on an object of this collection. 
+ + - **AppPartitionID** - A GUID representing the application partition ID. + +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +- **Object Properties Modified** \[Type = UnicodeString\]: the list of object’s (**Object Name**) properties which were modified. + + The items have the following format: Property\_Name = ‘OLD\_VALUE’ -> ‘NEW\_VALUE’ + + Check description for specific **COM+ Catalog Collection** to see the list of object’s properties and descriptions. + +## Security Monitoring Recommendations + +For 5888(S): An object in the COM+ Catalog was modified. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have a specific COM+ object for which you need to monitor all modifications, monitor all [5888](event-5888.md) events with the corresponding **Object Name**. + diff --git a/windows/keep-secure/event-5889.md b/windows/keep-secure/event-5889.md new file mode 100644 index 0000000000..7e24a156f3 --- /dev/null +++ b/windows/keep-secure/event-5889.md 
@@ -0,0 +1,157 @@ +--- +title: 5889(S) An object was deleted from the COM+ Catalog. (Windows 10) +description: Describes security event 5889(S) An object was deleted from the COM+ Catalog. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5889(S): An object was deleted from the COM+ Catalog. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5889 illustration + +***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) + +***Event Description:*** + +This event generates when the object in the [COM+ Catalog](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679196(v=vs.85).aspx) was deleted. + +For some reason this event belongs to [Audit System Integrity](event-5890.md) subcategory, but generation of this event enables in this subcategory. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5889 + 0 + 0 + 12290 + 0 + 0x8020000000000000 + + 344998 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 222443 + Applications + ID = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} AppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70} + Name = COMApp-New ApplicationProxyServerName = ProcessType = 2 CommandLine = ServiceName = RunAsUserType = 1 Identity = Interactive User Description = IsSystem = N Authentication = 4 ShutdownAfter = 3 RunForever = N Password = \*\*\*\*\*\*\*\* Activation = Local Changeable = Y Deleteable = Y CreatedBy = AccessChecksLevel = 1 ApplicationAccessChecksEnabled = 1 cCOL\_SecurityDescriptor = ImpersonationLevel = 3 AuthenticationCapability = 64 CRMEnabled = 0 3GigSupportEnabled = 0 QueuingEnabled = 0 QueueListenerEnabled = N EventsEnabled = 1 ProcessFlags = 0 ThreadMax = 0 ApplicationProxy = 0 CRMLogFile = DumpEnabled = 0 DumpOnException = 0 DumpOnFailfast = 0 MaxDumpCount = 5 DumpPath = %systemroot%\\system32\\com\\dmp IsEnabled = 1 AppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70} ConcurrentApps = 1 RecycleLifetimeLimit = 0 RecycleCallLimit = 0 RecycleActivationLimit = 0 RecycleMemoryLimit = 0 RecycleExpirationTimeout = 15 QCListenerMaxThreads = 0 QCAuthenticateMsgs = 0 ApplicationDirectory = SRPTrustLevel = 262144 SRPEnabled = 0 SoapActivated = 0 SoapVRoot = SoapMailTo = SoapBaseUrl = Replicable = 1 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. 
+ +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete object” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Object**: + +- **COM+ Catalog Collection** \[Type = UnicodeString\]: the name of COM+ collection in which COM+ object was deleted. 
Here is the list of possible collection values with descriptions: + +| Collection | Description | +|------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [ApplicationCluster](https://msdn.microsoft.com/en-us/library/windows/desktop/ms683600(v=vs.85).aspx) | Contains a list of the servers in the application cluster. | +| [ApplicationInstances](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679173(v=vs.85).aspx) | Contains an object for each instance of a running COM+ application. | +| [Applications](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686107(v=vs.85).aspx) | Contains an object for each COM+ application installed on the local computer. | +| [Components](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688285(v=vs.85).aspx) | Contains an object for each component in the application to which it is related. | +| [ComputerList](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681320(v=vs.85).aspx) | Contains a list of the computers found in the Computers folder of the Component Services administration tool. | +| [DCOMProtocols](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688297(v=vs.85).aspx) | Contains a list of the protocols to be used by DCOM. It contains an object for each protocol. | +| [ErrorInfo](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686530(v=vs.85).aspx) | Retrieves extended error information regarding methods that deal with multiple objects. | +| [EventClassesForIID](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679576(v=vs.85).aspx) | Retrieves information regarding event classes. 
| +| [FilesForImport](https://msdn.microsoft.com/en-us/library/windows/desktop/ms685046(v=vs.85).aspx) | Retrieves information from its MSI file about an application that can be imported. | +| [InprocServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms678949(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system. It contains an object for each component. | +| [InterfacesForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687751(v=vs.85).aspx) | Contains an object for each interface exposed by the component to which the collection is related. | +| [LegacyComponents](https://msdn.microsoft.com/en-us/library/windows/desktop/ms683616(v=vs.85).aspx) | Contains an object for each unconfigured component in the application to which it is related. | +| [LegacyServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms685965(v=vs.85).aspx) | Identical to the [InprocServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms678949(v=vs.85).aspx) collection except that this collection also includes local servers. | +| [LocalComputer](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682790(v=vs.85).aspx) | Contains a single object that holds computer level settings information for the computer whose catalog you are accessing. | +| [MethodsForInterface](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687595(v=vs.85).aspx) | Contains an object for each method on the interface to which the collection is related. | +| [Partitions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679480(v=vs.85).aspx) | Used to specify the applications contained in each partition. | +| [PartitionUsers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686081(v=vs.85).aspx) | Used to specify the users contained in each partition. 
| +| [PropertyInfo](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681735(v=vs.85).aspx) | Retrieves information about the properties that a specified collection supports. | +| [PublisherProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682794(v=vs.85).aspx) | Contains an object for each publisher property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687726(v=vs.85).aspx) collection. | +| [RelatedCollectionInfo](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686925(v=vs.85).aspx) | Retrieves information about other collections related to the collection from which it is called. | +| [Roles](https://msdn.microsoft.com/en-us/library/windows/desktop/ms683613(v=vs.85).aspx) | Contains an object for each role assigned to the application to which it is related. | +| [RolesForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686119(v=vs.85).aspx) | Contains an object for each role assigned to the component to which the collection is related. | +| [RolesForInterface](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688303(v=vs.85).aspx) | Contains an object for each role assigned to the interface to which the collection is related. | +| [RolesForMethod](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679943(v=vs.85).aspx) | Contains an object for each role assigned to the method to which the collection is related. | +| [RolesForPartition](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681316(v=vs.85).aspx) | Contains an object for each role assigned to the partition to which the collection is related. | +| [Root](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682277(v=vs.85).aspx) | Contains the top-level collections on the catalog. 
| +| [SubscriberProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681611(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687726(v=vs.85).aspx) collection. | +| [SubscriptionsForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687726(v=vs.85).aspx) | Contains an object for each subscription for the parent [Components](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688285(v=vs.85).aspx) collection. | +| [TransientPublisherProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681793(v=vs.85).aspx) | Contains an object for each publisher property for the parent [TransientSubscriptions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686100(v=vs.85).aspx) collection. | +| [TransientSubscriberProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686051(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [TransientSubscriptions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686100(v=vs.85).aspx) collection. | +| [TransientSubscriptions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686100(v=vs.85).aspx) | Contains an object for each transient subscription. | +| [UsersInPartitionRole](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686441(v=vs.85).aspx) | Contains an object for each user in the partition role to which the collection is related. | +| [UsersInRole](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687622(v=vs.85).aspx) | Contains an object for each user in the role to which the collection is related. | +| [WOWInprocServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681249(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system for 32-bit components on 64-bit computers. 
| +| [WOWLegacyServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682774(v=vs.85).aspx) | Identical to the [LegacyServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms685965(v=vs.85).aspx) collection except that this collection is drawn from the 32-bit registry on 64-bit computers. | + +- **Object Name** \[Type = UnicodeString\]: object-specific fields with the names and identifiers for the deleted object. It depends on **COM+ Catalog Collection** value, for example, if **COM+ Catalog Collection** = [Applications](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686107(v=vs.85).aspx), then you can find that: + + - **ID** - A GUID representing the application. This property is returned when the [Key](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679201(v=vs.85).aspx) property method is called on an object of this collection. + + - **AppPartitionID** - A GUID representing the application partition ID. + +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +- **Object Details** \[Type = UnicodeString\]: the list of deleted object’s (**Object Name**) properties. + + The items have the following format: Property\_Name = VALUE + + Check description for specific **COM+ Catalog Collection** to see the list of object’s properties and descriptions. + +## Security Monitoring Recommendations + +For 5889(S): An object was deleted from the COM+ Catalog. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have a specific COM+ object for which you need to monitor all modifications (especially delete operations), monitor all [5889](event-5889.md) events with the corresponding **Object Name**. + 
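Review bot: the Security Monitoring Recommendations for 5889 key only on **Object Name**, but the sample event shows an entire COM+ application (collection `Applications`, `Name = COMApp-New`) removed by `dadmin`; the bullet should also tell readers to compare **Subject\Security ID** / **Account Name** against the set of accounts expected to administer COM+, since a deletion by any other principal is the more interesting signal. Separately, the **Object Details** description should state that the `Password` property is rendered masked (`Password = ********` in the sample XML) rather than logged in clear text, so nobody treats this field as a credential source.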
diff --git a/windows/keep-secure/event-5890.md b/windows/keep-secure/event-5890.md new file mode 100644 index 0000000000..896689a521 --- /dev/null +++ b/windows/keep-secure/event-5890.md @@ -0,0 +1,159 @@ +--- +title: 5890(S) An object was added to the COM+ Catalog. (Windows 10) +description: Describes security event 5890(S) An object was added to the COM+ Catalog. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 5890(S): An object was added to the COM+ Catalog. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 5890 illustration + +***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) + +***Event Description:*** + +This event generates when new object was added to the [COM+ Catalog](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679196(v=vs.85).aspx). + +For some reason this event belongs to [Audit System Integrity](event-5890.md) subcategory, but generation of this event enables in this subcategory. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 5890 + 0 + 0 + 12290 + 0 + 0x8020000000000000 + + 344980 + + + Security + DC01.contoso.local + + +- + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 222443 + Roles + ApplId = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} Name = CreatorOwner + Description = + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that requested the “add object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “add object” operation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Object**: + +- **COM+ Catalog Collection** \[Type = UnicodeString\]: the name of COM+ collection to which the new object was added. Here is the list of possible collection values with descriptions: + +| Collection | Description | +|------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [ApplicationCluster](https://msdn.microsoft.com/en-us/library/windows/desktop/ms683600(v=vs.85).aspx) | Contains a list of the servers in the application cluster. | +| [ApplicationInstances](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679173(v=vs.85).aspx) | Contains an object for each instance of a running COM+ application. | +| [Applications](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686107(v=vs.85).aspx) | Contains an object for each COM+ application installed on the local computer. 
| +| [Components](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688285(v=vs.85).aspx) | Contains an object for each component in the application to which it is related. | +| [ComputerList](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681320(v=vs.85).aspx) | Contains a list of the computers found in the Computers folder of the Component Services administration tool. | +| [DCOMProtocols](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688297(v=vs.85).aspx) | Contains a list of the protocols to be used by DCOM. It contains an object for each protocol. | +| [ErrorInfo](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686530(v=vs.85).aspx) | Retrieves extended error information regarding methods that deal with multiple objects. | +| [EventClassesForIID](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679576(v=vs.85).aspx) | Retrieves information regarding event classes. | +| [FilesForImport](https://msdn.microsoft.com/en-us/library/windows/desktop/ms685046(v=vs.85).aspx) | Retrieves information from its MSI file about an application that can be imported. | +| [InprocServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms678949(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system. It contains an object for each component. | +| [InterfacesForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687751(v=vs.85).aspx) | Contains an object for each interface exposed by the component to which the collection is related. | +| [LegacyComponents](https://msdn.microsoft.com/en-us/library/windows/desktop/ms683616(v=vs.85).aspx) | Contains an object for each unconfigured component in the application to which it is related. 
| +| [LegacyServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms685965(v=vs.85).aspx) | Identical to the [InprocServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms678949(v=vs.85).aspx) collection except that this collection also includes local servers. | +| [LocalComputer](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682790(v=vs.85).aspx) | Contains a single object that holds computer level settings information for the computer whose catalog you are accessing. | +| [MethodsForInterface](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687595(v=vs.85).aspx) | Contains an object for each method on the interface to which the collection is related. | +| [Partitions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679480(v=vs.85).aspx) | Used to specify the applications contained in each partition. | +| [PartitionUsers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686081(v=vs.85).aspx) | Used to specify the users contained in each partition. | +| [PropertyInfo](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681735(v=vs.85).aspx) | Retrieves information about the properties that a specified collection supports. | +| [PublisherProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682794(v=vs.85).aspx) | Contains an object for each publisher property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687726(v=vs.85).aspx) collection. | +| [RelatedCollectionInfo](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686925(v=vs.85).aspx) | Retrieves information about other collections related to the collection from which it is called. | +| [Roles](https://msdn.microsoft.com/en-us/library/windows/desktop/ms683613(v=vs.85).aspx) | Contains an object for each role assigned to the application to which it is related. 
| +| [RolesForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686119(v=vs.85).aspx) | Contains an object for each role assigned to the component to which the collection is related. | +| [RolesForInterface](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688303(v=vs.85).aspx) | Contains an object for each role assigned to the interface to which the collection is related. | +| [RolesForMethod](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679943(v=vs.85).aspx) | Contains an object for each role assigned to the method to which the collection is related. | +| [RolesForPartition](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681316(v=vs.85).aspx) | Contains an object for each role assigned to the partition to which the collection is related. | +| [Root](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682277(v=vs.85).aspx) | Contains the top-level collections on the catalog. | +| [SubscriberProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681611(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687726(v=vs.85).aspx) collection. | +| [SubscriptionsForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687726(v=vs.85).aspx) | Contains an object for each subscription for the parent [Components](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688285(v=vs.85).aspx) collection. | +| [TransientPublisherProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681793(v=vs.85).aspx) | Contains an object for each publisher property for the parent [TransientSubscriptions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686100(v=vs.85).aspx) collection. 
| +| [TransientSubscriberProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686051(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [TransientSubscriptions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686100(v=vs.85).aspx) collection. | +| [TransientSubscriptions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686100(v=vs.85).aspx) | Contains an object for each transient subscription. | +| [UsersInPartitionRole](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686441(v=vs.85).aspx) | Contains an object for each user in the partition role to which the collection is related. | +| [UsersInRole](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687622(v=vs.85).aspx) | Contains an object for each user in the role to which the collection is related. | +| [WOWInprocServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681249(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system for 32-bit components on 64-bit computers. | +| [WOWLegacyServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682774(v=vs.85).aspx) | Identical to the [LegacyServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms685965(v=vs.85).aspx) collection except that this collection is drawn from the 32-bit registry on 64-bit computers. | + +- **Object Name** \[Type = UnicodeString\]: object-specific fields with the names and identifiers for the new object. It depends on **COM+ Catalog Collection** value, for example, if **COM+ Catalog Collection** = [Applications](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686107(v=vs.85).aspx), then you can find that: + + - **ID** - A GUID representing the application. This property is returned when the [Key](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679201(v=vs.85).aspx) property method is called on an object of this collection. 
+ + - **AppPartitionID** - A GUID representing the application partition ID. + +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +- **Object Details** \[Type = UnicodeString\]: the list of new object’s (**Object Name**) properties. + + The items have the following format: Property\_Name = VALUE + + Check description for specific **COM+ Catalog Collection** to see the list of object’s properties and descriptions. + +## Security Monitoring Recommendations + +For 5890(S): An object was added to the COM+ Catalog. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you need to monitor for creation of new COM+ objects within specific COM+ collection, monitor all [5890](event-5890.md) events with the corresponding **COM+ Catalog Collection** field value. + + + diff --git a/windows/keep-secure/event-6144.md b/windows/keep-secure/event-6144.md new file mode 100644 index 0000000000..1bcff85f12 --- /dev/null +++ b/windows/keep-secure/event-6144.md 
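Review bot: in event-5890.md the Event Description sentence "For some reason this event belongs to [Audit System Integrity](event-5890.md) subcategory, but generation of this event enables in this subcategory" is self-linking (it points at event-5890.md instead of audit-system-integrity.md) and contradicts the ***Subcategory:*** line two lines above it, which lists Audit Other Object Access Events; rewrite it to say which subcategory actually controls generation, for example "Although this event is listed under Audit System Integrity, it is generated when Audit Other Object Access Events is enabled", and fix the link target. The **Object Name** bullets also describe only the `Applications` collection (`ID`, `AppPartitionID`) while the sample XML is for the `Roles` collection (`ApplId = {...} Name = CreatorOwner`); adding the `Roles` fields as a second example would make the description match the event actually shown.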
@@ -0,0 +1,86 @@ +--- +title: 6144(S) Security policy in the group policy objects has been applied successfully. (Windows 10) +description: Describes security event 6144(S) Security policy in the group policy objects has been applied successfully. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 6144(S): Security policy in the group policy objects has been applied successfully. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 6144 illustration + +***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) + +***Event Description:*** + +This event generates every time settings from the “Security Settings” section in the group policy object are applied successfully to a computer, without any errors. This event generates on the target computer itself. + +It is a routine event which shows you the list of Group Policy Objects that include “Security Settings” policies, and that were applied to the computer. + +This event generates every time Group Policy is applied to the computer. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 6144 + 0 + 0 + 13573 + 0 + 0x8020000000000000 + + 1055041 + + + Security + DC01.contoso.local + + +- + 0 + {8AB9311A-E5FB-4A5A-8FB7-027D1B877D6D} DC Main Policy + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Return Code** \[Type = UInt32\]: always has “**0**” value for this event. + +**GPO List** \[Type = UnicodeString\]: the list of Group Policy Objects that include “Security Settings” policies, and that were applied to the computer. The format of the list item is: “GROUP\_POLICY\_GUID GROUP\_POLICY\_NAME”. + +You can find specific GROUP\_POLICY\_GUID using **Get-GPO** PowerShell cmdlet with “**–Name** GROUP\_POLICY\_NAME” parameter. Row “Id” is the GUID of the Group Policy: + +Windows PowerShell Get-GPO illustration + +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +## Security Monitoring Recommendations + +For 6144(S): Security policy in the group policy objects has been applied successfully. + +- If you have a pre-defined list of Group Policy Objects which contain Security Settings and must be applied to specific computers, then you can compare the list from this event with your list and in case of any difference trigger an alert. + +- This event is mostly an informational event. + diff --git a/windows/keep-secure/event-6145.md b/windows/keep-secure/event-6145.md new file mode 100644 index 0000000000..5566da1217 --- /dev/null +++ b/windows/keep-secure/event-6145.md 
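Review bot: in event-6144.md the sentence "This event generates every time Group Policy is applied to the computer" repeats the opening sentence of the Event Description and should be dropped. In the **GPO List** description, "Row "Id"" should read "the Id property of the object returned by Get-GPO", and the text should say that the name following the GUID is the GPO display name (the sample shows `{8AB9311A-E5FB-4A5A-8FB7-027D1B877D6D} DC Main Policy`). The first monitoring bullet would be stronger if it also noted that a GPO expected in the list but absent from it means its Security Settings were not applied at all, which is a different condition from the error case covered by 6145.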
@@ -0,0 +1,88 @@ +--- +title: 6145(F) One or more errors occurred while processing security policy in the group policy objects. (Windows 10) +description: Describes security event 6145(F) One or more errors occurred while processing security policy in the group policy objects. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 6145(F): One or more errors occurred while processing security policy in the group policy objects. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 6145 illustration + +***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) + +***Event Description:*** + +This event generates every time settings from the “Security Settings” section in the group policy object are applied to a computer with one or more errors. This event generates on the target computer itself. + +This event generates, for example, if the [SID](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx) of a security principal which was included in one of the Group Policy settings cannot be resolved or translated to the real account name. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 6145 + 0 + 0 + 13573 + 0 + 0x8010000000000000 + + 1052680 + + + Security + DC01.contoso.local + + +- + 1332 + {6AC1786C-016F-11D2-945F-00C04fB984F9} Default Domain Controllers Policy {31B2F340-016D-11D2-945F-00C04FB984F9} Default Domain Policy + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008, Windows Vista. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Error Code** \[Type = UInt32\]: specific error code which shows the error which happened during Group Policy processing. You can find the meaning of specific error code here: . For example, error code 1332 means that “no mapping between account names and security IDs was done”. + +**GPO List** \[Type = UnicodeString\]: the list of Group Policy Objects that include “Security Settings” policies, and that were applied with errors to the computer. The format of the list item is: “GROUP\_POLICY\_GUID GROUP\_POLICY\_NAME”. + +You can find specific GROUP\_POLICY\_GUID using **Get-GPO** PowerShell cmdlet with “**–Name** GROUP\_POLICY\_NAME” parameter. Row “Id” is the GUID of the Group Policy: + +Windows PowerShell Get-GPO illustration + +> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +## Security Monitoring Recommendations + +For 6145(F): One or more errors occurred while processing security policy in the group policy objects. + +- This event indicates that Group Policy Objects which were applied to the computer or device had some errors during processing. If you see this event, we recommend checking settings in the GPOs from **GPO List** and resolving the cause of the errors. + +- If you have a pre-defined list of Group Policy Objects that contain Security Settings and that must be applied to specific computers, check this event to see if errors occurred when the Security Settings were applied. 
If so, you can review the error codes and investigate the cause of the failure. + +- Typically this event has an informational purpose and the reason is configuration errors in Group Policy’s security settings. + +- This event might be used for Group Policy troubleshooting purposes. + diff --git a/windows/keep-secure/event-6281.md b/windows/keep-secure/event-6281.md new file mode 100644 index 0000000000..5f76bd8681 --- /dev/null +++ b/windows/keep-secure/event-6281.md 
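Review bot: in event-6145.md the **Error Code** description ends with "You can find the meaning of specific error code here: ." with no link target; the reference to the Win32 system error code list needs to be restored before this ships. The sample event also shows something the description should state explicitly: **GPO List** can contain more than one entry (the sample lists both `Default Domain Controllers Policy` and `Default Domain Policy`), so a single 6145 does not identify which GPO produced error 1332 and the reader has to check each listed GPO. Finally, the bullet calling this event "informational" understates it: the sample carries Keywords `0x8010000000000000` (Audit Failure), and an unresolvable SID in applied security settings means some intended restriction or right was not applied, which is worth an alert on domain controllers rather than a troubleshooting footnote.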
@@ -0,0 +1,43 @@ +--- +title: 6281(F) Code Integrity determined that the page hashes of an image file are not valid. (Windows 10) +description: Describes security event 6281(F) Code Integrity determined that the page hashes of an image file are not valid. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 6281(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. + +[Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. + +This event generates when [code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. This event also generates when signing certificate was revoked. The invalid hashes could indicate a potential disk device error. + +There is no example of this event in this document. 
+ +***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) + +***Event Schema:*** + +*Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.* + +*File Name:%1* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008 R2, Windows 7. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- We recommend monitoring for this event, especially on high value assets or computers, because it can be a sign of a software or configuration issue, or a malicious action. + diff --git a/windows/keep-secure/event-6400.md b/windows/keep-secure/event-6400.md new file mode 100644 index 0000000000..814cd9ffca --- /dev/null +++ b/windows/keep-secure/event-6400.md 
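Review bot: in event-6281.md the paragraph directly under **Applies to** repeats the heading text verbatim and can be removed. The claim "This event also generates when signing certificate was revoked" is not supported by the event schema quoted below, which speaks only of invalid page hashes; either cite a source for it or drop it. The monitoring recommendation should also tell the reader what to do with the one field the schema carries, **File Name** (`%1`): verify whether the file's signature still validates and whether the disk reports errors, so the three causes the heading lists (signed without page hashes, unauthorized modification, disk device error) can be told apart before raising an incident.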
@@ -0,0 +1,39 @@ +--- +title: 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content. (Windows 10) +description: Describes security event 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 6400(-): BranchCache: Received an incorrectly formatted response while discovering availability of content. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) + +***Event Schema:*** + +*BranchCache: Received an incorrectly formatted response while discovering availability of content.* + +*IP address of the client that sent this response:%1 * + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008 R2, Windows 7. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-6401.md b/windows/keep-secure/event-6401.md new file mode 100644 index 0000000000..f7d1d86945 --- /dev/null +++ b/windows/keep-secure/event-6401.md 
@@ -0,0 +1,39 @@ +--- +title: 6401(-) BranchCache Received invalid data from a peer. Data discarded. (Windows 10) +description: Describes security event 6401(-) BranchCache Received invalid data from a peer. Data discarded. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 6401(-): BranchCache: Received invalid data from a peer. Data discarded. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) + +***Event Schema:*** + +*BranchCache: Received invalid data from a peer. Data discarded. * + +*IP address of the client that sent this data:%1* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008 R2, Windows 7. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-6402.md b/windows/keep-secure/event-6402.md new file mode 100644 index 0000000000..95d011d2ac --- /dev/null +++ b/windows/keep-secure/event-6402.md 
@@ -0,0 +1,39 @@ +--- +title: 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted. (Windows 10) +description: Describes security event 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 6402(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) + +***Event Schema:*** + +*BranchCache: The message to the hosted cache offering it data is incorrectly formatted. * + +*IP address of the client that sent this message: %1* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008 R2, Windows 7. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-6403.md b/windows/keep-secure/event-6403.md new file mode 100644 index 0000000000..bead5c33d0 --- /dev/null +++ b/windows/keep-secure/event-6403.md 
@@ -0,0 +1,39 @@ +--- +title: 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client. (Windows 10) +description: Describes security event 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 6403(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) + +***Event Schema:*** + +*BranchCache: The hosted cache sent an incorrectly formatted response to the client’s message to offer it data. * + +*Domain name of the hosted cache is:%1* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008 R2, Windows 7. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-6404.md b/windows/keep-secure/event-6404.md new file mode 100644 index 0000000000..b01dff56dd --- /dev/null +++ b/windows/keep-secure/event-6404.md 
@@ -0,0 +1,41 @@ +--- +title: 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate. (Windows 10) +description: Describes security event 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 6404(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) + +***Event Schema:*** + +*BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. * + +*Domain name of the hosted cache:%1* + +*Error Code:%2* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008 R2, Windows 7. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-6405.md b/windows/keep-secure/event-6405.md new file mode 100644 index 0000000000..e17b4ca9f4 --- /dev/null +++ b/windows/keep-secure/event-6405.md 
@@ -0,0 +1,37 @@ +--- +title: 6405(-) BranchCache %2 instance(s) of event id %1 occurred. (Windows 10) +description: Describes security event 6405(-) BranchCache %2 instance(s) of event id %1 occurred. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 6405(-): BranchCache: %2 instance(s) of event id %1 occurred. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) + +***Event Schema:*** + +*BranchCache: %2 instance(s) of event id %1 occurred.* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008 R2, Windows 7. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-6406.md b/windows/keep-secure/event-6406.md new file mode 100644 index 0000000000..0d964b060b --- /dev/null +++ b/windows/keep-secure/event-6406.md 
@@ -0,0 +1,39 @@ +--- +title: 6406(-) %1 registered to Windows Firewall to control filtering for the following %2. (Windows 10) +description: Describes security event 6406(-) %1 registered to Windows Firewall to control filtering for the following %2. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 6406(-): %1 registered to Windows Firewall to control filtering for the following: %2. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) + +***Event Schema:*** + +*%1 registered to Windows Firewall to control filtering for the following:* + +*%2.* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008 R2, Windows 7. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-6407.md b/windows/keep-secure/event-6407.md new file mode 100644 index 0000000000..98a71f5c1c --- /dev/null +++ b/windows/keep-secure/event-6407.md 
@@ -0,0 +1,37 @@ +--- +title: 6407(-) 1%. (Windows 10) +description: Describes security event 6407(-) 1%. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 6407(-): 1%. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) + +***Event Schema:*** + +*%1* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008 R2, Windows 7. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-6408.md b/windows/keep-secure/event-6408.md new file mode 100644 index 0000000000..29b4a1f469 --- /dev/null +++ b/windows/keep-secure/event-6408.md 
@@ -0,0 +1,37 @@ +--- +title: 6408(-) Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. (Windows 10) +description: Describes security event 6408(-) Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 6408(-): Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) + +***Event Schema:*** + +*Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008 R2, Windows 7. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-6409.md b/windows/keep-secure/event-6409.md new file mode 100644 index 0000000000..7716be0032 --- /dev/null +++ b/windows/keep-secure/event-6409.md 
@@ -0,0 +1,39 @@ +--- +title: 6409(-) BranchCache A service connection point object could not be parsed. (Windows 10) +description: Describes security event 6409(-) BranchCache A service connection point object could not be parsed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 6409(-): BranchCache: A service connection point object could not be parsed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) + +***Event Schema:*** + +*BranchCache: A service connection point object could not be parsed. * + +*SCP object GUID: %1* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2008 R2, Windows 7. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-6410.md b/windows/keep-secure/event-6410.md new file mode 100644 index 0000000000..b0a4c89708 --- /dev/null +++ b/windows/keep-secure/event-6410.md 
@@ -0,0 +1,43 @@ +--- +title: 6410(F) Code integrity determined that a file does not meet the security requirements to load into a process. (Windows 10) +description: Describes security event 6410(F) Code integrity determined that a file does not meet the security requirements to load into a process. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 6410(F): Code integrity determined that a file does not meet the security requirements to load into a process. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +[Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. + +This event generates due to writable [shared sections](https://msdn.microsoft.com/en-us/library/windows/desktop/cc307397.aspx) being present in a file image. + +There is no example of this event in this document. + +***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) + +***Event Schema:*** + +*Code integrity determined that a file does not meet the security requirements to load into a process. This could be due to the use of shared sections or other issues.* + +*File Name:%1* + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2012 R2, Windows 8.1. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- We recommend monitoring for this event, especially on high value assets or computers, because it can be a sign of a software or configuration issue, or a malicious action. 
+ + + diff --git a/windows/keep-secure/event-6416.md b/windows/keep-secure/event-6416.md new file mode 100644 index 0000000000..9f93d86eb0 --- /dev/null +++ b/windows/keep-secure/event-6416.md @@ -0,0 +1,154 @@ +--- +title: 6416(S) A new external device was recognized by the System. (Windows 10) +description: Describes security event 6416(S) A new external device was recognized by the System. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 6416(S): A new external device was recognized by the System. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 6416 illustration + +***Subcategory:*** [Audit PNP Activity](audit-pnp-activity.md) + +***Event Description:*** + +This event generates every time a new external device is recognized by a system. + +This event generates, for example, when a new external device is connected or enabled. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 6416 + 1 + 0 + 13316 + 0 + 0x8020000000000000 + + 436 + + + Security + DESKTOP-NFC0HVN + + +- + S-1-5-18 + DESKTOP-NFC0HVN$ + WORKGROUP + 0x3e7 + SCSI\\Disk&Ven\_Seagate&Prod\_Expansion\\000000 + Seagate Expansion SCSI Disk Device + {4D36E967-E325-11CE-BFC1-08002BE10318} + DiskDrive + SCSI\\DiskSeagate\_Expansion\_\_\_\_\_\_\_0636 SCSI\\DiskSeagate\_Expansion\_\_\_\_\_\_\_ SCSI\\DiskSeagate\_ SCSI\\Seagate\_Expansion\_\_\_\_\_\_\_0 Seagate\_Expansion\_\_\_\_\_\_\_0 GenDisk + SCSI\\Disk SCSI\\RAW + Bus Number 0, Target Id 0, LUN 0 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows Server 2016, Windows 10. + +***Event Versions:*** + +- 0 - Windows 10. + +- 1 - Windows 10 \[Version 1511\]. + + - Added “Device ID” field. + + - Added “Device Name” field. + + - Added “Class Name” field. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that registered the new device. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). 
+ +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that registered the new device. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Device ID** \[Type = UnicodeString\] \[Version 1\]: “**Device instance path**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties device instance path illustration + +**Device Name** \[Type = UnicodeString\] \[Version 1\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties device description illustration + +**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties class GUID illustration + +**Class Name** \[Type = UnicodeString\] \[Version 1\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties class illustration + +**Vendor IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. 
To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties hardware IDs illustration + +**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties compatible IDs illustration + +**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties location illustration + +## Security Monitoring Recommendations + +For 6416(S): A new external device was recognized by the System. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. + +- You can use this event to track the events and event information shown in the following table by using the listed fields: + +| Event and event information to monitor | Field to use | +|-----------------------------------------------------|----------------------------| +| Device recognition events, **Device Instance Path** | “**Device ID**” | +| Device recognition events, **Device Description** | “**Device Name**” | +| Device recognition events, **Class GUID** | “**Class ID**” | +| Device recognition events, **Hardware IDs** | “**Vendor IDs**” | +| Device recognition events, **Compatible IDs** | “**Compatible IDs**” | +| Device recognition events, **Location information** | “**Location Information**” | + diff --git a/windows/keep-secure/event-6419.md b/windows/keep-secure/event-6419.md new file mode 100644 index 0000000000..b874b2ea54 --- /dev/null +++ b/windows/keep-secure/event-6419.md 
@@ -0,0 +1,142 @@ +--- +title: 6419(S) A request was made to disable a device. (Windows 10) +description: Describes security event 6419(S) A request was made to disable a device. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 6419(S): A request was made to disable a device. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 6419 illustration + +***Subcategory:*** [Audit PNP Activity](audit-pnp-activity.md) + +***Event Description:*** + +This event generates every time when someone made a request to disable a device. + +This event doesn’t mean that device was disabled. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 6419 + 0 + 0 + 13316 + 0 + 0x8020000000000000 + + 483 + + + Security + DESKTOP-NFC0HVN + + +- + S-1-5-21-2695983153-1310895815-1903476278-1001 + ladmin + DESKTOP-NFC0HVN + 0x3fcc7 + USB\\VID\_138A&PID\_0017\\FFBC12C950A0 + Synaptics FP Sensors (WBF) (PID=0017) + {53D29EF7-377C-4D14-864B-EB3A85769359} + Biometric + USB\\VID\_138A&PID\_0017&REV\_0078 USB\\VID\_138A&PID\_0017 + USB\\Class\_FF&SubClass\_00&Prot\_00 USB\\Class\_FF&SubClass\_00 USB\\Class\_FF + Port\_\#0002.Hub\_\#0004 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows 10 \[Version 1511\]. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that made the request. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made the request. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Device ID** \[Type = UnicodeString\]: “**Device instance path**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties device instance path illustration + +**Device Name** \[Type = UnicodeString\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties device description illustration + +**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties class GUID illustration + +**Class Name** \[Type = UnicodeString\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties class illustration + +**Hardware IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. 
To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties hardware IDs illustration + +**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties compatible IDs illustration + +**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties location illustration + +## Security Monitoring Recommendations + +For 6419(S): A request was made to disable a device. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- You can use this event to track the events and event information shown in the following table by using the listed fields: + +| Event and event information to monitor | Field to use | +|---------------------------------------------------|----------------------------| +| Device disable requests, **Device Instance Path** | “**Device ID**” | +| Device disable requests, **Device Description** | “**Device Name**” | +| Device disable requests, **Class GUID** | “**Class ID**” | +| Device disable requests, **Hardware IDs** | “**Hardware IDs**” | +| Device disable requests, **Compatible IDs** | “**Compatible IDs**” | +| Device disable requests, **Location information** | “**Location Information**” | + diff --git a/windows/keep-secure/event-6420.md b/windows/keep-secure/event-6420.md new file mode 100644 index 0000000000..ec339814ea --- /dev/null +++ b/windows/keep-secure/event-6420.md 
@@ -0,0 +1,140 @@ +--- +title: 6420(S) A device was disabled. (Windows 10) +description: Describes security event 6420(S) A device was disabled. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 6420(S): A device was disabled. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 6420 illustration + +***Subcategory:*** [Audit PNP Activity](audit-pnp-activity.md) + +***Event Description:*** + +This event generates every time specific device was disabled. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 6420 + 0 + 0 + 13316 + 0 + 0x8020000000000000 + + 484 + + + Security + DESKTOP-NFC0HVN + + +- + S-1-5-18 + DESKTOP-NFC0HVN$ + WORKGROUP + 0x3e7 + USB\\VID\_138A&PID\_0017\\ffbc12c950a0 + Synaptics FP Sensors (WBF) (PID=0017) + {53D29EF7-377C-4D14-864B-EB3A85769359} + Biometric + USB\\VID\_138A&PID\_0017&REV\_0078 USB\\VID\_138A&PID\_0017 + USB\\Class\_FF&SubClass\_00&Prot\_00 USB\\Class\_FF&SubClass\_00 USB\\Class\_FF + Port\_\#0002.Hub\_\#0004 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows 10 \[Version 1511\]. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that disabled the device. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that disabled the device. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Device ID** \[Type = UnicodeString\]: “**Device instance path**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties device instance path illustration + +**Device Name** \[Type = UnicodeString\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties device description illustration + +**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties class GUID illustration + +**Class Name** \[Type = UnicodeString\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties class illustration + +**Hardware IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. 
To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties hardware IDs illustration + +**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties compatible IDs illustration + +**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties location illustration + +## Security Monitoring Recommendations + +For 6420(S): A device was disabled. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- You can use this event to track the events and event information shown in the following table by using the listed fields: + +| Event and event information to monitor | Field to use | +|-------------------------------------------------|----------------------------| +| Device disable events, **Device Instance Path** | “**Device ID**” | +| Device disable events, **Device Description** | “**Device Name**” | +| Device disable events, **Class GUID** | “**Class ID**” | +| Device disable events, **Hardware IDs** | “**Hardware IDs**” | +| Device disable events, **Compatible IDs** | “**Compatible IDs**” | +| Device disable events, **Location information** | “**Location Information**” | + diff --git a/windows/keep-secure/event-6421.md b/windows/keep-secure/event-6421.md new file mode 100644 index 0000000000..ea9ce9c6a5 --- /dev/null +++ b/windows/keep-secure/event-6421.md 
@@ -0,0 +1,142 @@ +--- +title: 6421(S) A request was made to enable a device. (Windows 10) +description: Describes security event 6421(S) A request was made to enable a device. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 6421(S): A request was made to enable a device. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 6421 illustration + +***Subcategory:*** [Audit PNP Activity](audit-pnp-activity.md) + +***Event Description:*** + +This event generates every time when someone made a request to enable a device. + +This event doesn’t mean that device was enabled. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 6421 + 0 + 0 + 13316 + 0 + 0x8020000000000000 + + 485 + + + Security + DESKTOP-NFC0HVN + + +- + S-1-5-21-2695983153-1310895815-1903476278-1001 + ladmin + DESKTOP-NFC0HVN + 0x3fcc7 + USB\\VID\_138A&PID\_0017\\FFBC12C950A0 + Synaptics FP Sensors (WBF) (PID=0017) + {53D29EF7-377C-4D14-864B-EB3A85769359} + Biometric + USB\\VID\_138A&PID\_0017&REV\_0078 USB\\VID\_138A&PID\_0017 + USB\\Class\_FF&SubClass\_00&Prot\_00 USB\\Class\_FF&SubClass\_00 USB\\Class\_FF + Port\_\#0002.Hub\_\#0004 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows 10 \[Version 1511\]. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that made the request. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made the request. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Device ID** \[Type = UnicodeString\]: “**Device instance path**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties device instance path illustration + +**Device Name** \[Type = UnicodeString\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties device description illustration + +**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties class GUID illustration + +**Class Name** \[Type = UnicodeString\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties class illustration + +**Hardware IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. 
To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties hardware IDs illustration + +**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties compatible IDs illustration + +**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties location illustration + +## Security Monitoring Recommendations + +For 6421(S): A request was made to enable a device. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- You can use this event to track the events and event information shown in the following table by using the listed fields: + +| Event and event information to monitor | Field to use | +|--------------------------------------------------|----------------------------| +| Device enable requests, **Device Instance Path** | “**Device ID**” | +| Device enable requests, **Device Description** | “**Device Name**” | +| Device enable requests, **Class GUID** | “**Class ID**” | +| Device enable requests, **Hardware IDs** | “**Hardware IDs**” | +| Device enable requests, **Compatible IDs** | “**Compatible IDs**” | +| Device enable requests, **Location information** | “**Location Information**” | + diff --git a/windows/keep-secure/event-6422.md b/windows/keep-secure/event-6422.md new file mode 100644 index 0000000000..fb59fad3bf --- /dev/null +++ b/windows/keep-secure/event-6422.md 
@@ -0,0 +1,142 @@ +--- +title: 6422(S) A device was enabled. (Windows 10) +description: Describes security event 6422(S) A device was enabled. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 6422(S): A device was enabled. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 6422 illustration + +***Subcategory:*** [Audit PNP Activity](audit-pnp-activity.md) + +***Event Description:*** + +This event generates every time specific device was enabled. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 6422 + 0 + 0 + 13316 + 0 + 0x8020000000000000 + + 486 + + + Security + DESKTOP-NFC0HVN + + +- + S-1-5-18 + DESKTOP-NFC0HVN$ + WORKGROUP + 0x3e7 + USB\\VID\_138A&PID\_0017\\ffbc12c950a0 + Synaptics FP Sensors (WBF) (PID=0017) + {53D29EF7-377C-4D14-864B-EB3A85769359} + Biometric + USB\\VID\_138A&PID\_0017&REV\_0078 USB\\VID\_138A&PID\_0017 + USB\\Class\_FF&SubClass\_00&Prot\_00 USB\\Class\_FF&SubClass\_00 USB\\Class\_FF + Port\_\#0002.Hub\_\#0004 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows 10 \[Version 1511\]. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that enabled the device. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that enabled the device. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Device ID** \[Type = UnicodeString\]: “**Device instance path**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties device instance path illustration + +**Device Name** \[Type = UnicodeString\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties device description illustration + +**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties class GUID illustration + +**Class Name** \[Type = UnicodeString\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties class illustration + +**Hardware IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. 
To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties hardware IDs illustration + +**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties compatible IDs illustration + +**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties location illustration + +## Security Monitoring Recommendations + +For 6422(S): A device was enabled. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. + +- You can use this event to track the events and event information shown in the following table by using the listed fields: + +| Event and event information to monitor | Field to use | +|------------------------------------------------|----------------------------| +| Device enable events, **Device Instance Path** | “**Device ID**” | +| Device enable events, **Device Description** | “**Device Name**” | +| Device enable events, **Class GUID** | “**Class ID**” | +| Device enable events, **Hardware IDs** | “**Hardware IDs**” | +| Device enable events, **Compatible IDs** | “**Compatible IDs**” | +| Device enable events, **Location information** | “**Location Information**” | + diff --git a/windows/keep-secure/event-6423.md b/windows/keep-secure/event-6423.md new file mode 100644 index 0000000000..09e75dc4cd --- /dev/null +++ b/windows/keep-secure/event-6423.md 
@@ -0,0 +1,148 @@ +--- +title: 6423(S) The installation of this device is forbidden by system policy. (Windows 10) +description: Describes security event 6423(S) The installation of this device is forbidden by system policy. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 6423(S): The installation of this device is forbidden by system policy. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Event 6423 illustration + +***Subcategory:*** [Audit PNP Activity](audit-pnp-activity.md) + +***Event Description:*** + +This event generates every time installation of this device is forbidden by system policy. + +Device installation restriction group policies are located here: **\\Computer Configuration\\Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. If one of the policies restricts installation of a specific device, this event will be generated. + +> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. + +
+ +***Event XML:*** +``` +- +- + + 6423 + 0 + 0 + 13316 + 0 + 0x8020000000000000 + + 488 + + + Security + DESKTOP-NFC0HVN + + +- + S-1-5-18 + DESKTOP-NFC0HVN$ + WORKGROUP + 0x3e7 + USB\\VID\_04F3&PID\_012D\\7&1E3A8971&0&2 + Touchscreen + {00000000-0000-0000-0000-000000000000} + + USB\\VID\_04F3&PID\_012D&REV\_0013 USB\\VID\_04F3&PID\_012D + USB\\Class\_03&SubClass\_00&Prot\_00 USB\\Class\_03&SubClass\_00 USB\\Class\_03 + Port\_\#0002.Hub\_\#0004 + + + +``` + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows 10 \[Version 1511\]. + +***Event Versions:*** 0. + +***Field Descriptions:*** + +**Subject:** + +- **Security ID** \[Type = SID\]**:** SID of account that forbids the device installation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. + +> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx). + +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that forbids the device installation. + +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: + + - Domain NETBIOS name example: CONTOSO + + - Lowercase full domain name: contoso.local + + - Uppercase full domain name: CONTOSO.LOCAL + + - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” + +**Device ID** \[Type = UnicodeString\]: “**Device instance path**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties device instance path illustration + +**Device Name** \[Type = UnicodeString\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties device description illustration + +**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties class GUID illustration + +**Class Name** \[Type = UnicodeString\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties class illustration + +**Hardware IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. 
To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties hardware IDs illustration + +**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties compatible IDs illustration + +**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”: + +Device Properties location illustration + +## Security Monitoring Recommendations + +For 6423(S): The installation of this device is forbidden by system policy. + +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you want to track device installation policy violations then you need to track every event of this type. + + + +- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. 
+ +- You can use this event to track the policy violations and related information shown in the following table by using the listed fields: + +| Policy violation and related information to monitor | Field to use | +|-----------------------------------------------------------------|----------------------------| +| Device installation policy violations, **Device Instance Path** | “**Device ID**” | +| Device installation policy violations, **Device Description** | “**Device Name**” | +| Device installation policy violations, **Class GUID** | “**Class ID**” | +| Device installation policy violations, **Hardware IDs** | “**Hardware IDs**” | +| Device installation policy violations, **Compatible IDs** | “**Compatible IDs**” | +| Device installation policy violations, **Location information** | “**Location Information**” | + diff --git a/windows/keep-secure/event-6424.md b/windows/keep-secure/event-6424.md new file mode 100644 index 0000000000..a91d282a95 --- /dev/null +++ b/windows/keep-secure/event-6424.md @@ -0,0 +1,31 @@ +--- +title: 6424(S) The installation of this device was allowed, after having previously been forbidden by policy. (Windows 10) +description: Describes security event 6424(S) The installation of this device was allowed, after having previously been forbidden by policy. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 6424(S): The installation of this device was allowed, after having previously been forbidden by policy. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event occurs rarely, and in some situations may be difficult to reproduce. + +***Subcategory:*** [Audit PNP Activity](audit-pnp-activity.md) + +***Required Server Roles:*** None. + +***Minimum OS Version:*** Windows 10 \[Version 1511\]. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + 
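Review bot: In event-6420.md, the Event XML block sits inside a ``` fence but still carries markdown escapes (`USB\\VID\_138A&PID\_0017\\ffbc12c950a0`, `Port\_\#0002.Hub\_\#0004`); fenced code renders verbatim, so readers will see the backslashes instead of the actual device instance path `USB\VID_138A&PID_0017\ffbc12c950a0`. Drop the escapes inside the fence (the same applies to the Event XML blocks in event-6421.md, event-6422.md and event-6423.md). Separately, the sample subject is S-1-5-18 (SYSTEM), yet the Security Monitoring Recommendations for 6420 have no "report whenever Subject\Security ID is not SYSTEM" bullet, while the enable counterpart 6422 does; either add the same bullet here or state why disable events are treated differently.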
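Review bot: In event-6421.md the Event Description reads "This event generates every time when someone made a request to enable a device" and "This event doesn't mean that device was enabled"; suggest "This event generates every time someone makes a request to enable a device" and "This event doesn't mean that the device was enabled". More important for monitoring: in this sample the subject is the interactive user (ladmin, Logon ID 0x3fcc7), whereas the 6422 sample for the same device shows SYSTEM (S-1-5-18, Logon ID 0x3e7). The Security Monitoring Recommendations should say that 6421 is the event that records who asked for the change, and recommend correlating it with the following 6422 on the Device ID field, because 6422 on its own will usually attribute the action only to SYSTEM.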
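Review bot: In event-6422.md the Event Description "This event generates every time specific device was enabled" should read "every time a specific device is enabled". Also, the Device ID in this sample ends in lowercase `ffbc12c950a0`, while the 6421 sample for the same fingerprint sensor ends in uppercase `FFBC12C950A0`; anyone using the "Device ID" field from the recommendations table to match enable requests to enable events needs a case-insensitive comparison, and the field description should note that the case of the instance path can differ between events, as it does in these two samples.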
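Review bot: In event-6423.md, the "Security ID" description ("SID of account that forbids the device installation") contradicts the recommendation further down that this event is typically triggered by the SYSTEM account; policy forbids the installation, not the subject, so suggest "SID of the account under which the blocked installation attempt was processed (typically SYSTEM)". The sample also shows Class ID as the null GUID `{00000000-0000-0000-0000-000000000000}` and an empty Class Name, so the field descriptions and the monitoring table should state that these two fields can be empty for 6423; otherwise someone will build a detection that keys on them. Minor: the two empty "+" lines between the first and second recommendation bullets should be collapsed to one.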
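Review bot: event-6424.md ships with no Event XML, no field descriptions and "There is no recommendation for this event in this document", while event-6423.md tells readers to track every policy violation. An event meaning that a previously forbidden device was subsequently allowed indicates that Device Installation Restrictions were relaxed for that device, which is exactly the policy change a defender wants surfaced; at minimum the Security Monitoring Recommendations should say to report every occurrence, as 6423 does, and the page should carry the same field list as 6423 once a sample is captured. If the event could not be reproduced for this release, say so plainly instead of "in some situations may be difficult to reproduce".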
diff --git a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md index f6244f66e0..6e239a2aea 100644 --- a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Review events and errors on endpoints with Event Viewer description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Windows Defender ATP service. keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Advanced Threat Protection service, cannot start, broken, can't start search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: iaanw --- diff --git a/windows/keep-secure/executable-rules-in-applocker.md b/windows/keep-secure/executable-rules-in-applocker.md index b215d8ffe5..ebad0e1645 100644 --- a/windows/keep-secure/executable-rules-in-applocker.md +++ b/windows/keep-secure/executable-rules-in-applocker.md 
@@ -2,55 +2,28 @@ title: Executable rules in AppLocker (Windows 10) description: This topic describes the file formats and available default rules for the executable rule collection. ms.assetid: 65e62f90-6caa-48f8-836a-91f8ac9018ee -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Executable rules in AppLocker + **Applies to** - Windows 10 + This topic describes the file formats and available default rules for the executable rule collection. + AppLocker defines executable rules as any files with the .exe and .com extensions that are associated with an app. Because all of the default rules for the executable rule collection are based on folder paths, all files under those paths will be allowed. The following table lists the default rules that are available for the executable rule collection. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PurposeNameUserRule condition type

Allow members of the local Administrators group access to run all executable files

(Default Rule) All files

BUILTIN\Administrators

Path: *

Allow all users to run executable files in the Windows folder

(Default Rule) All files located in the Windows folder

Everyone

Path: %windir%\*

Allow all users to run executable files in the Program Files folder

(Default Rule) All files located in the Program Files folder

Everyone

Path: %programfiles%\*

+ +| Purpose | Name | User | Rule condition type | +| - | - | - | - | +| Allow members of the local Administrators group access to run all executable files | (Default Rule) All files| BUILTIN\Administrators | Path: * | +| Allow all users to run executable files in the Windows folder| (Default Rule) All files located in the Windows folder| Everyone| Path: %windir%\*| +| Allow all users to run executable files in the Program Files folder | (Default Rule) All files located in the Program Files folder| Everyone | Path: %programfiles%\*|   ## Related topics -[Understanding AppLocker Default Rules](understanding-applocker-default-rules.md) -  -  + +- [Understanding AppLocker Default Rules](understanding-applocker-default-rules.md) diff --git a/windows/keep-secure/exempt-icmp-from-authentication.md b/windows/keep-secure/exempt-icmp-from-authentication.md new file mode 100644 index 0000000000..a60e483753 --- /dev/null +++ b/windows/keep-secure/exempt-icmp-from-authentication.md 
@@ -0,0 +1,30 @@ +--- +title: Exempt ICMP from Authentication (Windows 10) +description: Exempt ICMP from Authentication +ms.assetid: c086c715-8d0c-4eb5-9ea7-2f7635a55548 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Exempt ICMP from Authentication + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This procedure shows you how to add exemptions for any network traffic that uses the ICMP protocol. + +**Administrative credentials** + +To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +To exempt ICMP network traffic from authentication + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. On the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. + +3. On the **IPsec settings** tab, change **Exempt ICMP from IPsec** to **Yes**, and then click **OK**. diff --git a/windows/keep-secure/exemption-list.md b/windows/keep-secure/exemption-list.md new file mode 100644 index 0000000000..3ebf7a465b --- /dev/null +++ b/windows/keep-secure/exemption-list.md 
@@ -0,0 +1,52 @@ +--- +title: Exemption List (Windows 10) +description: Exemption List +ms.assetid: a05e65b4-b48d-44b1-a7f1-3a8ea9c19ed8 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Exemption List + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devicess on the internal network, yet secured from network attacks. However, if they must remain available to all devicess on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic. + +In addition to the infrastructure servers mentioned earlier, there might also be other servers on the network that trusted devices cannot use IPsec to access, which would be added to the exemption list. + +Generally, the following conditions are reasons to consider adding a device to the exemption list: + +- If the device must be accessed by trusted devices but it does not have a compatible IPsec implementation. + +- If the device must provide services to both trusted and untrusted devices, but does not meet the criteria for membership in the boundary zone. + +- If the device must be accessed by trusted devices from different isolated domains that do not have an Active Directory trust relationship established with each other. + +- If the device is a domain controller running version of Windows earlier than Windows Server 2008, or if any of its clients are running a version of Windows earlier than Windows Vista. + +- If the device must support trusted and untrusted devices, but cannot use IPsec to help secure communications to trusted devices. 
+ +For large organizations, the list of exemptions might grow very large if all the exemptions are implemented by one connection security rule for the whole domain or for all trusted forests. If you can require all devices in your isolated domain to run at least Windows Vista or Windows Server 2008, you can greatly reduce the size of this list. A large exemption list has several unwanted effects on every device that receives the GPO, including the following: + +- Reduces the overall effectiveness of isolation. + +- Creates a larger management burden (because of frequent updates). + +- Increases the size of the IPsec policy, which means that it consumes more memory and CPU resources, slows down network throughput, and increases the time required to download and apply the GPO containing the IPsec policy. + +To keep the number of exemptions as small as possible, you have several options: + +- Carefully consider the communications requirements of each isolation zone, especially server-only zones. They might not be required to communicate with every exemption in the domain-level policy for clients. + +- Consolidate server functions. If several exempt services can be hosted at one IP address, the number of exemptions is reduced. + +- Consolidate exempted hosts on the same subnet. Where network traffic volume allows, you might be able to locate the servers on a subnet that is exempted, instead of using exemptions for each IP address. + +As with defining the boundary zone, create a formal process to approve hosts being added to the exemption list. For a model of processing requests for exemptions, see the decision flowchart in the [Boundary Zone](boundary-zone.md) section. + +**Next: **[Isolated Domain](isolated-domain.md) diff --git a/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md b/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md index 565c1d0597..6476c88d16 100644 --- a/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md 
+++ b/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md @@ -2,23 +2,28 @@ title: Export an AppLocker policy from a GPO (Windows 10) description: This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified. ms.assetid: 7db59719-a8be-418b-bbfd-22cf2176c9c0 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Export an AppLocker policy from a GPO + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified. + Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Therefore, export the policy from the GPO and update the rule or rules by using AppLocker on your AppLocker reference device + To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. + **Export the policy from the GPO** + 1. In the Group Policy Management Console (GPMC), open the GPO that you want to edit. 2. In the console tree under **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Application Control Policies**, click **AppLocker**. 3. Right-click **AppLocker**, and then click **Export Policy**. 4. In the **Export Policy** dialog box, type a name for the exported policy (for example, the name of the GPO), select a location to save the policy, and then click **Save**. 5. The **AppLocker** dialog box will notify you of how many rules were exported. Click **OK**. -  -  diff --git a/windows/keep-secure/export-an-applocker-policy-to-an-xml-file.md b/windows/keep-secure/export-an-applocker-policy-to-an-xml-file.md index a5ebd52102..f3f9d22190 100644 
--- a/windows/keep-secure/export-an-applocker-policy-to-an-xml-file.md +++ b/windows/keep-secure/export-an-applocker-policy-to-an-xml-file.md @@ -2,7 +2,7 @@ title: Export an AppLocker policy to an XML file (Windows 10) description: This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing. ms.assetid: 979bd23f-6815-478b-a6a4-a25239cb1080 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/file-system-global-object-access-auditing.md b/windows/keep-secure/file-system-global-object-access-auditing.md index 5853de4758..13e7b15ca7 100644 --- a/windows/keep-secure/file-system-global-object-access-auditing.md +++ b/windows/keep-secure/file-system-global-object-access-auditing.md @@ -2,7 +2,7 @@ title: File System (Global Object Access Auditing) (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, File System (Global Object Access Auditing), which enables you to configure a global system access control list (SACL) on the file system for an entire computer. ms.assetid: 4f215d61-0e23-46e4-9e58-08511105d25b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/firewall-gpos.md b/windows/keep-secure/firewall-gpos.md new file mode 100644 index 0000000000..b264a38993 --- /dev/null +++ b/windows/keep-secure/firewall-gpos.md 
@@ -0,0 +1,22 @@ +--- +title: Firewall GPOs (Windows 10) +description: Firewall GPOs +ms.assetid: 720645fb-a01f-491e-8d05-c9c6d5e28033 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Firewall GPOs + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters. + +The GPO created for the example Woodgrove Bank scenario include the following: + +- [GPO\_DOMISO\_Firewall](gpo-domiso-firewall.md) diff --git a/windows/keep-secure/firewall-policy-design-example.md b/windows/keep-secure/firewall-policy-design-example.md new file mode 100644 index 0000000000..41310314aa --- /dev/null +++ b/windows/keep-secure/firewall-policy-design-example.md 
@@ -0,0 +1,106 @@ +--- +title: Firewall Policy Design Example (Windows 10) +description: Firewall Policy Design Example +ms.assetid: 0dc3bcfe-7a4d-4a15-93a9-64b13bd775a7 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Firewall Policy Design Example + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +In this example, the fictitious company Woodgrove Bank is a financial services institution. + +Woodgrove Bank has an Active Directory domain that provides Group Policy-based management for all their Windows devices. The Active Directory domain controllers also host Domain Name System (DNS) for host name resolution. Separate devices host Windows Internet Name Service (WINS) for network basic input/output system (NetBIOS) name resolution. A set of devices that are running UNIX provide the Dynamic Host Configuration Protocol (DHCP) services for automatic IP addressing. + +Woodgrove Bank is in the process of migrating their devices from Windows Vista and Windows Server 2008 to Windows 10 and Windows Server 2016 Technical Preview. A significant number of the devices at Woodgrove Bank continue to run Windows Vista and Windows Server 2008. Interoperability between the previous and newer operating systems must be maintained. Wherever possible, security features applied to the newer operating systems must also be applied to the previous operating systems. + +A key line-of-business program called WGBank consists of a client program running on most of the desktop devices in the organization. This program accesses several front-end server devices that run the server-side part of WGBank. These front-end servers only do the processing — they do not store the data. The data is stored in several back-end database devices that are running Microsoft SQL Server. 
+ +## Design requirements + +The network administrators want to implement Windows Firewall with Advanced Security throughout their organization to provide an additional security layer to their overall security strategy. They want to create firewall rules that allow their business programs to operate, while blocking network traffic that is not wanted. + +The following illustration shows the traffic protection needs for this design example. + +![design example 1](images/wfas-designexample1.gif) + +1. The network infrastructure servers that are running services, such as Active Directory, DNS, DHCP, or WINS, can receive unsolicited inbound requests from network clients. The network clients can receive the responses from the infrastructure servers. + +2. The WGBank front-end servers can receive unsolicited inbound traffic from the client devices and the WGBank partner servers. The WGBank client devices and partner servers can receive the response. + +3. The WGBank front-end servers can send updated information to the client devices to support real-time display. The clients do not poll for this unsolicited traffic, but must be able to receive it. + +4. The WGBank back-end servers can receive SQL query requests from the WGBank front-end servers. The WGBank front-end servers can receive the corresponding responses. + +5. There is no direct communications between the client devices and the WGBank back-end devices. + +6. There is no unsolicited traffic from the WGBank back-end devices to the WGBank front-end servers. + +7. Company policy prohibits the use of peer-to-peer file transfer software. A recent review by the IT staff found that although the perimeter firewall does prevent most of the programs in this category from working, two programs are being used by staff members that do not require an outside server. Firewall rules must block the network traffic created by these programs. + +8. 
The WGBank partner servers can receive inbound requests from partner devices through the Internet. + +Other traffic notes: + +- Devices are not to receive any unsolicited traffic from any computer other than specifically allowed above. + +- Other outbound network traffic from the client devices not specifically identified in this example is permitted. + +## Design details + + +Woodgrove Bank uses Active Directory groups and Group Policy Objects to deploy the firewall settings and rules to the devices on their network. They know that they must deploy policies to the following collections of devices: + +- Client devices that run Windows 10, Windows 8, or Windows 7 + +- WGBank front-end servers that run Windows Server 2016 Technical Preview, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2 (there are none in place yet, but their solution must support adding them) + +- WGBank partner servers that run Windows Server 2008 + +- WGBank back-end SQL Server devices that run Windows Server 2008 (there are none in place yet, but their solution must support adding them) + +- Infrastructure servers that run Windows Server 2008 + +- Active Directory domain controllers that run Windows Server 2008 R2 or Windows Server 2012 + +- DHCP servers that run the UNIX operating system + +After evaluating these sets of devices, and comparing them to the Active Directory organizational unit (OU) structure, Woodgrove Bank network administrators determined that there was not a good one-to-one match between the OUs and the sets. Therefore the firewall GPOs will not be linked directly to OUs that hold the relevant devices. Instead, the GPOs are linked to the domain container in Active Directory, and then WMI and group filters are attached to the GPO to ensure that it is applied to the correct devices. + +Setting up groups as described here ensures that you do not have to know what operating system a computer is running before assigning it to a group. 
A combination of WMI filters and security group filters are used to ensure that members of the group receive the GPO appropriate for the version of Windows running on that computer. For some groups, you might have four or even five GPOs. + +The following groups were created by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, and all devices that run Windows were added to the correct groups: + +- **CG\_FIREWALL\_ALLCOMPUTERS**. Add the predefined and system managed **Domain computers** group as a member of this group. All members of the FIREWALL\_ALLCOMPUTERS group receive an operating system-specific GPO with the common firewall rules applied to all devices. + + The two device types (client and server) are distinguished by using a WMI filters to ensure that only the policy intended for devices that are running a client version of Windows can be applied to that computer. A similar WMI filter on the server GPO ensures that only devices that are running server versions of Windows can apply that GPO. Each of the GPOs also have security group filters to prevent members of the group FIREWALL\_NO\_DEFAULT from receiving either of these two GPOs. + + - Client devices receive a GPO that configures Windows Firewall with Advanced Security to enforce the default Windows Firewall behavior (allow outbound, block unsolicited inbound). The client default GPO also includes the built-in firewall rule groups Core Networking and File and Printer Sharing. The Core Networking group is enabled for all profiles, whereas the File and Printer Sharing group is enabled for only the Domain and Private profiles. The GPO also includes inbound firewall rules to allow the WGBank front-end server dashboard update traffic, and rules to prevent company-prohibited programs from sending or receiving network traffic, both inbound and outbound. + + - Server devices receive a GPO that includes similar firewall configuration to the client computer GPO. 
The primary difference is that the rules are enabled for all profiles (not just domain and private). Also, the rules for WGBank dashboard update are not included, because it is not needed on server devices. + + All rules are scoped to allow network traffic only from devices on Woodgrove Bank's corporate network. + +- **CG\_FIREWALL\_NO\_DEFAULT**. Members of this group do not receive the default firewall GPO. Devices are added to this group if there is a business requirement for it to be exempted from the default firewall behavior. The use of a group to represent the exceptions instead of the group members directly makes it easier to support the dynamic nature of the client computer population. A new computer joined to the domain is automatically given the appropriate default firewall GPO, unless it is a member of this group. + +- **CG\_FIREWALL\_WGB\_FE**. This group contains the computer accounts for all the WGBank front-end server devices. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow unsolicited WGBank client traffic. Devices in this group also receive the default firewall GPO. + +- **CG\_FIREWALL\_WGB\_SQL**. This group contains the computer accounts for all the WGBank back-end devices that run SQL Server. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow the SQL Server program to receive unsolicited queries only from the WGBank front-end servers. Devices in this group also receive the default firewall GPO. + +- **CG\_FIREWALL\_BOUNDARY\_WGBANKFE**. This group contains the computer accounts for the servers that host Web services that can be accessed from the Internet. Members of this group receive a GPO that adds an inbound firewall rule to allow inbound HTTP and HTTPS network traffic from any address, including the Internet. Devices in this group also receive the default firewall GPO. 
+ +- **CG\_FIREWALL\_WINS**. This group contains the computer accounts for all the WINS server devices. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with an inbound firewall rule to allow unsolicited inbound requests from WINS clients. Devices in this group also receive the default firewall GPO. + +- **CG\_FIREWALL\_ADDC**. This group contains all the computer accounts for the Active Directory domain controller server devices. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow unsolicited Active Directory client and server-to-server traffic. Devices in this group also receive the default firewall GPO. + +In your own design, create a group for each computer role in your organization that requires different or additional firewall rules. For example, file servers and print servers require additional rules to allow the incoming network traffic for those functions. If a function is ordinarily performed on most devices on the network, you might consider adding devices performing those roles to the common default firewall GPO set, unless there is a security reason not to include it there. + +**Next: **[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) + diff --git a/windows/keep-secure/force-shutdown-from-a-remote-system.md b/windows/keep-secure/force-shutdown-from-a-remote-system.md index c9f51b7ed0..e635eb56d3 100644 --- a/windows/keep-secure/force-shutdown-from-a-remote-system.md +++ b/windows/keep-secure/force-shutdown-from-a-remote-system.md 
@@ -2,7 +2,7 @@ title: Force shutdown from a remote system (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Force shutdown from a remote system security policy setting. ms.assetid: 63129243-31ea-42a4-a598-c7064f48a3df -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md b/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md new file mode 100644 index 0000000000..33727fc9f4 --- /dev/null +++ b/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md 
@@ -0,0 +1,32 @@ +--- +title: Gathering Information about Your Active Directory Deployment (Windows 10) +description: Gathering Information about Your Active Directory Deployment +ms.assetid: b591b85b-12ac-4329-a47e-bc1b03e66eb0 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Gathering Information about Your Active Directory Deployment + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Firewall with Advanced Security. Review the following list for information needed: + +- **Names and number of forests**. The forest (not the domain) is the security boundary in an Active Directory implementation. You must understand the current Active Directory architecture to determine the most effective strategy for deploying your firewall and connection security rules using Group Policy. It also enables you to understand which devices can be isolated and how best to accomplish the required degree of isolation. + +- **Names and number of domains**. Authentication in server and domain isolation uses the IKE negotiation process with the Kerberos V5 protocol. This protocol assumes that devices are domain members. + +- **Number and types of trusts**. Trusts affect the logical boundaries of domain isolation and define whether IKE negotiation can occur between devices in different Active Directory domains. + +- **Names and number of sites**. Site architecture is usually aligned with the network topology. 
Understanding how sites are defined in Active Directory will help provide insight into replication and other details. Site architecture can provide a better understanding of the current Active Directory deployment. + +- **OU structure**. OUs are logical constructs and can therefore be molded to fit many different requirements and goals. The OU structure is an ideal place to examine how Group Policy is currently used and how the OUs are laid out. You do not have to redesign an already implemented OU structure in order to effectively deploy firewall and connection security policy, but an understanding of the structure helps you know what WMI or group filtering is required to apply each GPO to the correct devices. + +- **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Firewall with Advanced Security connection security rules for versions of Windows prior to Windows Vista and Windows Server 2008 are not compatible with earlier versions of Windows. If you already have IPsec policies deployed to devices running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable devices using either the old or new IPsec policies to communicate with each other. + +**Next: **[Gathering Information about Your Devices](gathering-information-about-your-devices.md) diff --git a/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md b/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md new file mode 100644 index 0000000000..65555cc782 --- /dev/null +++ b/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md 
@@ -0,0 +1,113 @@ +--- +title: Gathering Information about Your Current Network Infrastructure (Windows 10) +description: Gathering Information about Your Current Network Infrastructure +ms.assetid: f98d2b17-e71d-4ffc-b076-118b4d4782f9 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Gathering Information about Your Current Network Infrastructure + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Perhaps the most important aspect of planning for Windows Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Firewall with Advanced Security solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project: + +- **Network segmentation**. This includes IP addressing maps, showing how your routers separate each network segment. It includes information about how the routers are configured, and what security filters they impose on network traffic flowing through them. + +- Network address translation (NAT). NAT is a means of separating network segments by using a device that maps all of the IP addresses on one side of the device to a single IP address accessible on the other side. + +- Network infrastructure devices. This includes the routers, switches, hubs, and other network equipment that makes communications between the devices on the network possible. + +- **Current network traffic model.** This includes the quantity and the characteristics of the network traffic flowing through your network. + +- Intrusion Detection System (IDS) devices. 
You will need to identify if you have any IDS devices on your network that might be negatively impacted by any encryption introduced in an Encryption Zone. + +The goal is to have enough information to be able to identify an asset by its network location, in addition to its physical location. + +Do not use a complex and poorly documented network as a starting point for the design, because it can leave too many unidentified areas that are likely to cause problems during implementation. + +This guidance helps obtain the most relevant information for planning Windows Firewall with Advanced Security implementation, but it does not try to address other issues, such as TCP/IP addressing or virtual local area network (VLAN) segmentation. + +## Network segmentation + + +If your organization does not have its current network architecture documented and available for reference, such documentation should be obtained as soon as possible before you continue with the design and deployment. If the documented information is not current or has not been validated recently, you have two options: + +- Accept that the lack of accurate information can cause risk to the project. + +- Undertake a discovery project, either through manual processes or with network analysis tools that can provide the information you need to document the current network topology. + +Although the required information can be presented in many different ways, a series of schematic diagrams is often the most effective method of illustrating and understanding the current network configuration. When creating network diagrams, do not include too much information. If necessary, use multiple diagrams that show different layers of detail. Use a top-level diagram that illustrates the major sites that make up your organization's network, and then break out each site into a more detailed diagram that captures a deeper level of detail. 
Continue until you reach the individual IP subnet level, and so have the means to identify the network location of every device in your organization. + +During this process, you might discover some network applications and services that are not compatible with IPsec. For example, IPsec breaks network-based prioritization and port/protocol-based traffic management. If traffic management or prioritization must be based on ports or protocol, the host itself must be able to perform any traffic management or prioritization. + +Other examples of incompatibility include: + +- Cisco NetFlow on routers cannot analyze packets between IPsec members based on protocol or port. + +- Router-based Quality of Service (QoS) cannot use ports or protocols to prioritize traffic. However, using firewall rules that specify IP addresses to prioritize traffic are not affected by this limitation of QoS. For example, a rule that says "From anyone to anyone using port 80 prioritize" does not work, but a rule that says "From anyone to 10.0.1.10 prioritize" works. + +- Weighted Fair Queuing and other flow-based router traffic priority methods might fail. + +- Devices that do not support or allow IP protocol 50, the port that is used by Encapsulating Security Payload (ESP). + +- Router access control lists (ACLs) cannot examine protocol and port fields in ESP-encrypted packets, and therefore the packets are dropped. ACLs based only on IP address are forwarded as usual. If the device cannot parse ESP, any ACLs that specify port or protocol rules will not be processed on the ESP packets. If the device has an ESP parser and uses encryption, ACLs that specify port or protocol rules will not be processed on the ESP packets. + +- Network monitoring tools might be unable to parse ESP packets that are not encrypted (ESP-Null). + + >**Note:**  Microsoft Message Analyzer can help in troubleshooting of unencrypted IPsec packets. 
The latest version of Message Analyzer is available on the [Microsoft Download Center](http://www.microsoft.com/download/details.aspx?id=44226). +   +## Network address translation (NAT) + +IPsec NAT traversal (NAT-T) enables IPsec peers that are behind NATs to detect the presence of NATs, negotiate IPsec security associations (SAs), and send ESP-protected data even though the addresses in the IPsec-protected IPv4 packets change. IPsec NAT-T does not support the use of AH across NAT devices. + +## Network infrastructure devices + +The devices that make up the network infrastructure (routers, switches, load balancers, and firewalls) must be able communicate using IPsec after the solution is implemented. For this reason, you have to examine the following characteristics of these network devices to ensure that they can handle the technical and physical requirements of the design: + +- **Make/model**. You can use this information to determine the features that the device supports. In addition, check the BIOS version or software running on the device to ensure that IPsec is supported. + +- **Amount of RAM**. This information is useful when you are analyzing capacity or the impact of IPsec on the device. + +- **Traffic analysis**. Information, such as peak usage and daily orweekly trends, is helpful to have. The information helps provide a baseline snapshot of the device and how it is used over time. If problems occur after IPsec is implemented, the information can help determine whether the root cause is related to greater usage of the device. + +- **Router ACLs that affect IPsec directly**. ACLs directly affect the ability of specific protocols to function. For example, blocking the Kerberos V5 protocol (UDP and TCP port 88) or IP protocol 50 or 51 prevents IPsec from working. Devices must also be configured to allow IKE traffic (UDP port 500) if using NAT-T (UDP port 4500). + +- **Networks/subnets connected to device interfaces**. 
This information provides the best picture of what the internal network looks like. Defining the boundary of subnets based on an address range is straightforward and helps identify whether other addresses are either unmanaged or foreign to the internal network (such as IP addresses on the Internet). + +- **VLAN segmentation**. Determining how VLANs are implemented on the network can help you understand traffic patterns and security requirements, and then help to determine how IPsec might augment or interfere with these requirements. + +- **The maximum transmission unit (MTU) size on device interface(s)**. The MTU defines the largest datagram that can be transmitted on a particular interface without being divided into smaller pieces for transmission (a process also known as *fragmentation*). In IPsec communications, the MTU is necessary to anticipate when fragmentation occurs. Packet fragmentation must be tracked for Internet Security Association and Key Management Protocol (ISAKMP) by the router. IPsec configures the MTU size on the session to the minimum-discovered MTU size along the communication path being used, and then set the Don't Fragment bit (DF bit) to 1. + + >**Note:**  If Path MTU (PMTU) discovery is enabled and functioning correctly, you do not have to gather the MTU size on device interfaces. Although sources, such as the Windows Server 2003 Hardening Guide, recommend disabling PMTU discovery, it must be enabled for IPsec to function correctly. + +- **Intrusion detection system (IDS) in use**. Your IDS must have an IPsec-compatible parser to detect ESP packets. If the IDS does not have such a parser, it cannot determine if data in those packets is encrypted. + +After you obtain this information, you can quickly determine whether you must upgrade the devices to support the requirements of the project, change the ACLs, or take other measures to ensure that the devices can handle the loads needed. 
+ +## Current network traffic model + +After gathering the addressing and network infrastructure information, the next step is to examine the communications flow. For example, if a department such as Human Resources (HR) spans several buildings, and you want to use server isolation with encryption to help protect information in that department, you must know how those buildings are connected to determine the level of "trust" to place in the connection. A highly secured building that is connected by an unprotected cable to another building that is not secured can be compromised by an eavesdropping or information replay attack. If such an attack is considered a threat, IPsec can help by providing strong mutual authentication and traffic encryption for trusted hosts. IPsec allows you to more securely communicate across untrusted links such as the Internet. + +When you examine traffic flow, look closely at how all managed and unmanaged devices interact. This includes non-Windows-based devices running Linux, UNIX, and Macintosh. Ask yourself such questions as: + +- Do specific communications occur at the port and protocol level, or are there many sessions between the same hosts across many protocols? + +- How do servers and clients communicate with each other? + +- Are there security devices or projects currently implemented or planned that could affect an isolation deployment? For example, if you use Windows Firewall on your devices to "lock down" specific ports, such as UDP 500, IKE negotiations fail. + +Some of the more common applications and protocols are as follows: + +- **NetBIOS over TCP/IP (NetBT) and server message block (SMB)**. On a LAN, it is common to have ports 137, 138, and 139 enabled for NetBT and port 445 enabled for SMB. These ports provide NetBIOS name resolution services and other features. Unfortunately, they also allow the creation of *null sessions*. 
A null session is a session that is established on a host that does not use the security context of a known user or entity. Frequently, these sessions are anonymous. + +- **Remote procedure call (RPC)**. RPC operates by listening on a port known as the *endpoint mapper*, TCP port 135. The response to a query on this port is an instruction to begin communication on another port in the ephemeral range (ports numbered over 1024). In a network that is segmented by firewalls, RPC communication presents a configuration challenge because it means opening the RPC listener port and all ports greater than 1024. Opening so many ports increases the attack surface of the whole network and reduces the effectiveness of the firewalls. Because many applications depend on RPC for basic functionality, any firewall and connection security policy must take RPC requirements into account. + +- **Other traffic**. Windows Firewall with Advanced Security can help secure transmissions between devices by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured. + +**Next: **[Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md) diff --git a/windows/keep-secure/gathering-information-about-your-devices.md b/windows/keep-secure/gathering-information-about-your-devices.md new file mode 100644 index 0000000000..1f3b73fa21 --- /dev/null +++ b/windows/keep-secure/gathering-information-about-your-devices.md 
@@ -0,0 +1,54 @@ +--- +title: Gathering Information about Your Devices (Windows 10) +description: Gathering Information about Your Devices +ms.assetid: 7f7cd3b9-de8e-4fbf-89c6-3d1a47bc2beb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Gathering Information about Your Devices + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +One of the most valuable benefits of conducting an asset discovery project is the large amount of data that is obtained about the client and server devices on the network. When you start designing and planning your isolation zones, you must make decisions that require accurate information about the state of all hosts to ensure that they can use IPsec as planned. + +Capture the following information from each device: + +- **Computer name**. This name is the device's NetBIOS or DNS name that identifies the device on the network. Because a device can have more than one media access control (MAC) or IP address, the device's name is one of the criteria that can be used to determine uniqueness on the network. Because device names can be duplicated under some circumstances, the uniqueness should not be considered absolute. + +- **IP address for each network adapter**. The IP address is the address that is used with the subnet mask to identify a host on the network. An IP address is not an effective way to identify an asset because it is often subject to change. + +- **Operating system, service pack, and hotfix versions**. The operating system version is a key factor in determining the ability of a host to communicate by using IPsec. It is also important to track the current state of service packs and updates that might be installed, because these are often used to determine that minimum security standards have been met. + +- **Domain membership**. 
This information is used to determine whether a device can obtain IPsec policy from Active Directory or whether it must use a local IPsec policy. + +- **Physical location**. This information is just the location of the device in your organization. It can be used to determine whether a device can participate in a specific isolation group based on its location or the location of the devices that it communicates with regularly. + +- **Hardware type or role**. Some tools that perform host discovery can provide this information by querying the hardware information and running applications to determine its type, such as server, workstation, or portable device. You can use this information to determine the appropriate IPsec policy to assign, whether a specific device can participate in isolation, and in which isolation group to include the device. + +After collecting all this information and consolidating it into a database, perform regular discovery efforts periodically to keep the information current. You need the most complete and up-to-date picture of the managed hosts on their networks to create a design that matches your organization's requirements. + +You can use various methods to gather data from the hosts on the network. These methods range from high-end, fully automated systems to completely manual data collection. Generally, the use of automated methods to gather data is preferred over manual methods for reasons of speed and accuracy. + +## Automated Discovery + +Using an automated auditing network management system provides valuable information about the current state of the IT infrastructure. + + +## Manual Discovery + + +The biggest difference between manual discovery methods and automated methods is time. + +You can use Windows PowerShell to create a script file that can collect the system configuration information. For more information, see [Windows PowerShell Scripting](http://go.microsoft.com/fwlink/?linkid=110413). 
+ +Whether you use an automatic, manual, or hybrid option to gather the information, one of the biggest issues that can cause problems to the design is capturing the changes between the original inventory scan and the point at which the implementation is ready to start. After the first scan has been completed, make support staff aware that all additional changes must be recorded and the updates noted in the inventory. + +This inventory will be critical for planning and implementing your Windows Firewall with Advanced Security design. + +**Next: **[Gathering Other Relevant Information](gathering-other-relevant-information.md) diff --git a/windows/keep-secure/gathering-other-relevant-information.md b/windows/keep-secure/gathering-other-relevant-information.md new file mode 100644 index 0000000000..ca8d396fcb --- /dev/null +++ b/windows/keep-secure/gathering-other-relevant-information.md 
@@ -0,0 +1,77 @@ +--- +title: Gathering Other Relevant Information (Windows 10) +description: Gathering Other Relevant Information +ms.assetid: 87ccca07-4346-496b-876d-cdde57d0ce17 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Gathering Other Relevant Information + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Firewall with Advanced Security policies in your organization. + +## Capacity considerations + +Because IPsec uses mathematically intensive cryptographic techniques, it can consume significant overhead on a device. Areas to watch: + +- **Encryption.** You might use 256-bit Advanced Encryption Standard (AES-256) and 384-bit Secure Hash Algorithm (SHA-384) to check integrity in situations that require the strongest available encryption and key exchange protection. If you have NICs that support IPsec Task Offload, you can reduce the effect that encryption has on network throughput. For more information, see [IPsec Task Offload](http://technet.microsoft.com/network/dd277647.aspx). + +- **Security association (SA) negotiation.** You can use a shorter lifetime for the main mode SA, such as three hours, but then you might need to make tradeoffs. Because each main mode SA occupies approximately 5  KB of RAM, situations in which a server brokers tens of thousands of concurrent connections can lead to overutilization. + +- **NAT devices.** As discussed earlier, NAT does not allow Authentication Header (AH) conversations between hosts. If NAT devices exist on the internal network, ESP must be selected instead of AH. + +- **Switches and routers.** Proper capacity planning for the implementation of IPsec is more about thorough testing and expected traffic loads than exact calculations. 
You might have to upgrade or reconfigure switches or routers that currently exceed 75 percent usage to allow for increased traffic on the device and still provide some extra usage for bursts of traffic. + +- **Other factors.** These include CPU usage on network infrastructure servers, increased overhead on servers and workstations running IPsec (especially servers, because they usually contain more main mode SAs than clients), and increased network latency because of IPsec negotiation. + + >**Note:**  When Microsoft deployed its own domain isolation solution, it found a one to three percent increase in usage on the network as a direct result of IPsec. + +## Group Policy deployment groups and WMI filters + +You do not have to rearrange the organization unit (OU) hierarchy of your Active Directory domains to effectively deploy Windows Firewall with Advanced Security GPOs. Instead, you can link your GPOs at the domain level (or another high level container), and then use security group filtering or WMI filtering to ensure that only the appropriate devices or users can apply the GPO settings. We recommend that you use WMI filtering to dynamically ensure that GPOs apply only to devices that are running the correct operating system. It is not necessary to use this technique if your network consists of devices. + +## Different Active Directory trust environments + +When you design a domain isolation policy, consider any logical boundaries that might affect IPsec-secured communications. For example, the trust relationships between your domains and forests are critical in determining an appropriate IKE authentication method. + +Kerberos V5 authentication is recommended for use in a two-way (mutual) domain and forest trust environment. You can use Kerberos V5 for IKE authentication across domains that have two-way trusts established, if the domains are in the same forest or different forests. 
If the two domains are in different forests, you must configure two external trusts, one for each direction, between the domains. The external trusts must use the fully qualified domain name (FQDN) of the domains, and IPsec policy must allow an IKE initiator in one domain to communicate with any domain controller in the forest domain hierarchy, so that the initiator can obtain a Kerberos V5 ticket from a domain controller in the responder’s domain. If firewalls separate the domains then you must configure the firewall to allow Kerberos V5 traffic over UDP destination port 88, TCP destination port 88, and UDP destination port 389. + +If the use of Kerberos V5 authentication is not possible because two-way trusts across forests cannot be established as in some large enterprise environments, you can use a public key infrastructure (PKI) and digital certificates to establish IPsec-trusted communication. + +## Creating firewall rules to permit IKE, AH, and ESP traffic + + +In some cases, IPsec-secured traffic might have to pass through a router, perimeter firewall, or other filtering device. In the case of a router, unless the router filters TCP and UDP traffic or other upper-level protocol headers, no special configuration is required to allow the IPsec traffic to be forwarded. + +In the case of a filtering router or a firewall, you must configure these devices to allow IPsec traffic to be forwarded. Configure the firewall to allow IPsec traffic on UDP source and destination port 500 (IKE), UDP source and destination port 4500 (IPsec NAT-T), and IP Protocol 50 (ESP). You might also have to configure the firewall to allow IPsec traffic on IP protocol 51 (AH) to allow troubleshooting by IPsec administrators and to allow the IPsec traffic to be inspected. + +For more info, see [How to Enable IPsec Traffic Through a Firewall](http://go.microsoft.com/fwlink/?LinkId=45085). 
+ +## Network load balancing and server clusters + +There are challenges implementing connection security for network traffic going to and from network load balancing (NLB) clusters and server clusters. NLB enables multiple servers to be clustered together to provide high availability for a service by providing automatic failover to other nodes in the cluster. Because IPsec matches a security association to a specific device, it prevents different devices from handling the same client connection. If a different node in the cluster responds to an IPsec connection that was originally established by another node, the traffic will be dropped by the client device as untrusted. + +This means that NLB in "no affinity" mode is not supported by IPsec at all. If you must use "no affinity" mode in the cluster then consider including the servers that make up the cluster in your IPsec exemption group, and allowing clients to communicate with the servers without IPsec. + +When a TCP connection is dropped because of a cluster node failover, IPsec detects the TCP connection failure and removes the IPsec SAs for that connection. When the new TCP connection is established to another node, IPsec can negotiate new SAs immediately without having to wait for the obsolete SAs to time out. + +## Network inspection technologies + +Within a TCP/IP packet, IPsec without encryption changes the offsets for the destination ports and protocols. These changes can adversely affect applications that are running on network devices such as routers that monitor and manage traffic on the network. While some network applications have been updated to support IPsec, some are not yet compatible. Check with the vendor of your device to see whether the changes in the protocol and port fields caused by IPsec are compatible with the device. + +Any device designed to view network traffic, such as hardware protocol analyzers or Microsoft Network Monitor, cannot parse ESP-encrypted traffic. 
Only the destination device, with which the originating device negotiated the connection, can decrypt the traffic. + +In general, IPsec defeats network-based prioritization and port- or protocol-based traffic management. For encrypted packets, there is no workaround; the host itself must handle any traffic management functions. For unencrypted, authenticated-only packets, the devices and applications must be aware of how IPsec changes packets to be able to do anything with them other than route them to the correct host. If you cannot upgrade monitoring or management devices to support IPsec, it is important that you record this information and figure it into your domain or server isolation design. + +Network Monitor includes parsers for the ISAKMP (IKE), AH, and ESP protocols. Network Monitor parsers for ESP can parse inside the ESP packet only if ESP null-encryption is being used. Network Monitor cannot parse the encrypted parts of IPsec ESP traffic when encryption is performed in software. However, if encryption is performed by an IPsec hardware offload network adapter, the ESP packets can be decrypted when Network Monitor captures them on either the source or the destination and, therefore, they can be parsed. To diagnose ESP software-encrypted communication, you must disable ESP encryption and use ESP-null encryption by changing the IPsec policy or connection security rule on both devices. + +Message Analyzer is available on the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=44226). + +**Next: **[Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md) diff --git a/windows/keep-secure/gathering-the-information-you-need.md b/windows/keep-secure/gathering-the-information-you-need.md new file mode 100644 index 0000000000..3e8a62b0cc --- /dev/null +++ b/windows/keep-secure/gathering-the-information-you-need.md 
@@ -0,0 +1,28 @@ +--- +title: Gathering the Information You Need (Windows 10) +description: Gathering the Information You Need +ms.assetid: 545fef02-5725-4b1e-b67a-a32d94c27d15 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Gathering the Information You Need + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Before starting the planning process for a Windows Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation. + +Review each of the following topics for guidance about the kinds of information that you must gather: + +- [Gathering Information about Your Current Network Infrastructure](gathering-information-about-your-current-network-infrastructure.md) + +- [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md) + +- [Gathering Information about Your Devices](gathering-information-about-your-devices.md) + +- [Gathering Other Relevant Information](gathering-other-relevant-information.md) diff --git a/windows/keep-secure/generate-security-audits.md b/windows/keep-secure/generate-security-audits.md index 78b578d1e3..437bdc47d0 100644 --- a/windows/keep-secure/generate-security-audits.md +++ b/windows/keep-secure/generate-security-audits.md 
@@ -2,7 +2,7 @@ title: Generate security audits (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Generate security audits security policy setting. ms.assetid: c0e1cd80-840e-4c74-917c-5c2349de885f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md index f7b4350a6f..9f8709dce5 100644 --- a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md +++ b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md @@ -2,7 +2,7 @@ title: Update and manage Windows Defender in Windows 10 (Windows 10) description: IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using Group Policy SettingsWindows Management Instrumentation (WMI)PowerShell. ms.assetid: 045F5BF2-87D7-4522-97E1-C1D508E063A7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md index f9af00d1cd..42e7d1cff1 100644 --- a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md +++ b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md 
@@ -3,7 +3,7 @@ title: Get apps to run on Device Guard-protected devices (Windows 10) description: Windows 10 introduces several new features and settings that when combined all equal what we're calling, Device Guard. ms.assetid: E62B68C3-8B9F-4842-90FC-B4EE9FF8A67E keywords: Package Inspector, packageinspector.exe, sign catalog file -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/gpo-domiso-boundary.md b/windows/keep-secure/gpo-domiso-boundary.md new file mode 100644 index 0000000000..22db5273b8 --- /dev/null +++ b/windows/keep-secure/gpo-domiso-boundary.md 
@@ -0,0 +1,43 @@ +--- +title: GPO\_DOMISO\_Boundary (Windows 10) +description: GPO\_DOMISO\_Boundary +ms.assetid: ead3a510-c329-4c2a-9ad2-46a3b4975cfd +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# GPO\_DOMISO\_Boundary + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. + +This GPO supports the ability for devices that are not part of the isolated domain to access specific servers that must be available to those untrusted devices. It is intended to only apply to server devices that are running at least Windows Server 2008. + +## IPsec settings + +The copied GPO includes and continues to use the IPsec settings that configure key exchange, main mode, and quick mode algorithms for the isolated domain when authentication can be used. + +## Connection security rules + + +Rename the **Isolated Domain Rule** to **Boundary Zone Rule**. Change the authentication mode to **Request inbound and request outbound**. In this mode, the device uses authentication when it can, such as during communication with a member of the isolated domain. It also supports the "fall back to clear" ability of request mode when an untrusted device that is not part of the isolated domain connects. + +## Registry settings + + +The boundary zone uses the same registry settings as the isolated domain to optimize IPsec operation. For more information, see the description of the registry settings in [Isolated Domain](isolated-domain.md). + +## Firewall rules + + +Copy the firewall rules for the boundary zone from the GPO that contains the firewall rules for the isolated domain. 
Customize this copy, removing rules for services not needed on servers in this zone, and adding inbound rules to allow the network traffic for the services that are to be accessed by other devices. For example, Woodgrove Bank added a firewall rule to allow inbound network traffic to TCP port 80 for Web client requests. + +Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules. + +**Next: **[Encryption Zone GPOs](encryption-zone-gpos.md) diff --git a/windows/keep-secure/gpo-domiso-encryption.md b/windows/keep-secure/gpo-domiso-encryption.md new file mode 100644 index 0000000000..dac33f72d4 --- /dev/null +++ b/windows/keep-secure/gpo-domiso-encryption.md 
@@ -0,0 +1,50 @@ +--- +title: GPO\_DOMISO\_Encryption\_WS2008 (Windows 10) +description: GPO\_DOMISO\_Encryption\_WS2008 +ms.assetid: 84375480-af6a-4c79-aafe-0a37115a7446 +author: brianlic-msft +--- + +# GPO\_DOMISO\_Encryption\_WS2008 + + +This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. + +This GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. It is intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008. + +## IPsec settings + + +The copied GPO includes and continues to use the IPsec settings that configure key exchange, main mode, and quick mode algorithms for the isolated domain The following changes are made to encryption zone copy of the GPO: + +The encryption zone servers require all connections to be encrypted. To do this, change the IPsec default settings for the GPO to enable the setting **Require encryption for all connection security rules that use these settings**. This disables all integrity-only algorithm combinations. + +## Connection security rules + + +Rename the **Isolated Domain Rule** to **Encryption Zone Rule**. Leave the authentication mode setting on **Require inbound and request outbound**. In this mode, the computer forces authentication for all inbound network traffic, and uses it when it can on outbound traffic. + +## Registry settings + + +The encryption zone uses the same registry settings as the isolated domain to optimize IPsec operation. For more information, see the description of the registry settings in [Isolated Domain](isolated-domain.md). 
+ +## Firewall rules + + +Copy the firewall rules for the encryption zone from the GPO that contains the firewall rules for the isolated domain. Customize this copy, removing rules for services not needed on servers in this zone, and adding inbound rules to allow the network traffic for the services that are to be accessed by other computers. For example, Woodgrove Bank added a firewall rule to allow inbound network traffic to TCP port 1433 for SQL Server client requests. + +Change the action for every inbound firewall rule from **Allow the connection** to **Allow only secure connections**, and then select **Require the connections to be encrypted**. + +Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules. + +**Next: **[Server Isolation GPOs](server-isolation-gpos.md) + +  + +  + + + + + diff --git a/windows/keep-secure/gpo-domiso-firewall.md b/windows/keep-secure/gpo-domiso-firewall.md new file mode 100644 index 0000000000..226c9deac1 --- /dev/null +++ b/windows/keep-secure/gpo-domiso-firewall.md 
@@ -0,0 +1,64 @@ +--- +title: GPO\_DOMISO\_Firewall (Windows 10) +description: GPO\_DOMISO\_Firewall +ms.assetid: 318467d2-5698-4c5d-8000-7f56f5314c42 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# GPO\_DOMISO\_Firewall + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008. + +## Firewall settings + +This GPO provides the following settings: + +- Unless otherwise stated, the firewall rules and settings described here are applied to all profiles. + +- The firewall is enabled, with inbound, unsolicited connections blocked and outbound connections allowed. + +- Under the domain profile, the settings **Display notifications to the user**, **Apply local firewall rules**, and **Apply local connection security rules** are all set to **No**. These settings are applied only to the domain profile because the devices can only receive an exception rule for a required program from a GPO if they are connected to the domain. Under the public and private profiles, those settings are all set to **Yes**. + + >**Note:**  Enforcing these settings requires that you define any firewall exceptions for programs, because the user cannot manually permit a new program. You must deploy the exception rules by adding them to this GPO. We recommend that you do not enable these settings until you have tested all your applications and have tested the resulting rules in a test lab and then on pilot devices. + +## Firewall rules + +This GPO provides the following rules: + +- Built-in firewall rule groups are configured to support typically required network operation. 
The following rule groups are set to **Allow the connection**: + + - Core Networking + + - File and Printer Sharing + + - Network Discovery + + - Remote Administration + + - Remote Desktop + + - Remote Event Log Management + + - Remote Scheduled Tasks Management + + - Remote Service Management + + - Remote Volume Management + + - Windows Firewall Remote Management + + - Windows Management Instrumentation (WMI) + + - Windows Remote Management + +- A firewall exception rule to allow required network traffic for the WGBank dashboard program. This inbound rule allows network traffic for the program Dashboard.exe in the %ProgramFiles%\\WGBank folder. The rule is also filtered to only allow traffic on port 1551. This rule is applied only to the domain profile. + +**Next: **[Isolated Domain GPOs](isolated-domain-gpos.md) diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-clients.md b/windows/keep-secure/gpo-domiso-isolateddomain-clients.md new file mode 100644 index 0000000000..0f2faadb9e --- /dev/null +++ b/windows/keep-secure/gpo-domiso-isolateddomain-clients.md 
@@ -0,0 +1,83 @@ +--- +title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows 10) +description: GPO\_DOMISO\_IsolatedDomain\_Clients +ms.assetid: 73cd9e25-f2f1-4ef6-b0d1-d36209518cd9 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# GPO\_DOMISO\_IsolatedDomain\_Clients + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista. + +Because client devices can sometimes be portable, the settings and rules for this GPO are applied to only the domain profile. + +## General settings + +This GPO provides the following settings: + +- No firewall settings are included in this GPO. Woodgrove Bank created separate GPOs for firewall settings (see the [Firewall GPOs](firewall-gpos.md) section) in order to share them with all clients in all isolation zones with minimum redundancy. + +- The ICMP protocol is exempted from authentication requirements to support easier network troubleshooting. + +- Diffie-Hellman Group 2 is specified as the key exchange algorithm. This is the strongest algorithm available that is supported by all the operating systems that are being used at Woodgrove Bank. After Woodgrove Bank has completed the upgrade to versions of Windows that support stronger algorithms, they can remove the weaker key exchange algorithms, and use only the stronger ones. + +- The registry settings shown in the following table. For more information, see the description of the registry settings in [Isolated Domain](isolated-domain.md). + +| Setting | Value | +| - | - | +| Enable PMTU Discovery | 1 | +| IPsec Exemptions | 3 | + +- The main mode security method combinations in the order shown in the following table. 
+ +| Integrity | Encryption | +| - | - | +| Secure Hash Algorithm (SHA-1) | Advanced Encryption Standard (AES-128) | +| SHA-1 | 3DES | + +- The following quick mode security data integrity algorithms combinations in the order shown in the following table. + +| Protocol | Integrity | Key Lifetime (minutes/KB) | +| - | - | - | +| ESP | SHA-1 | 60/100,000 | + +- The quick mode security data integrity and encryption algorithm combinations in the order shown in the following table. + +| Protocol | Integrity | Encryption | Key Lifetime (minutes/KB) | +| - | - | - | - | +| ESP | SHA-1 | AES-128 | 60/100,000| +| ESP | SHA-1 | 3DES | 60/100,000| + +>**Note:**  Do not use the MD5 and DES algorithms in your GPOs. They are included only for compatibility with previous versions of Windows. + +## Connection Security Rules + +This GPO provides the following rules: + +- A connection security rule named **Isolated Domain Rule** with the following settings: + + - From **Any IP address** to **Any IP address**. + + - **Require inbound and request outbound** authentication requirements. + + >**Important:**  On this, and all other GPOs that require authentication, Woodgrove Bank first chose to only request authentication. After confirming that the devices were successfully communicating by using IPsec, they switched the GPOs to require authentication. + + - For **First authentication methods**, select **Computer Kerberos v5** as the primary method. Add certificate-based authentication from **DC=com,DC=woodgrovebank,CN=CorporateCertServer** for devices that cannot run Windows or cannot join the domain, but must still participate in the isolated domain. + + - For **Second authentication**, select **User Kerberos v5**, and then select the **Second authentication is optional** check box. 
+ +- A connection security rule to exempt devices that are in the exemption list from the requirement to authenticate: + + - The IP addresses of all devices on the exemption list must be added individually under **Endpoint 2**. + + - Authentication mode is set to **Do not authenticate**. + +**Next: **[GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md) diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-servers.md b/windows/keep-secure/gpo-domiso-isolateddomain-servers.md new file mode 100644 index 0000000000..fb984adf5f --- /dev/null +++ b/windows/keep-secure/gpo-domiso-isolateddomain-servers.md 
@@ -0,0 +1,27 @@ +--- +title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows 10) +description: GPO\_DOMISO\_IsolatedDomain\_Servers +ms.assetid: 33aed8f3-fdc3-4f96-985c-e9d2720015d3 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# GPO\_DOMISO\_IsolatedDomain\_Servers + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008. + +Because so many of the settings and rules for this GPO are common to those in the GPO for at least Windows Vista, you can save time by exporting the Windows Firewall with Advanced Security piece of the GPO for at least Windows Vista, and importing it to the GPO for at least Windows Server 2008. After the import, change only the items specified here: + +- This GPO applies all its settings to all profiles: Domain, Private, and Public. Because a server is not expected to be mobile and changing networks, configuring the GPO in this way prevents a network failure or the addition of a new network adapter from unintentionally switching the device to the Public profile with a different set of rules (in the case of a server running Windows Server 2008). + + >**Important:**  Windows Vista and Windows Server 2008 support only one network location profile at a time. The profile for the least secure network type is applied to the device. If you attach a network adapter to a device that is not physically connected to a network, the public network location type is associated with the network adapter and applied to the device. + +**Next: **[Boundary Zone GPOs](boundary-zone-gpos.md) + 
diff --git a/windows/keep-secure/guidance-and-best-practices-edp.md b/windows/keep-secure/guidance-and-best-practices-edp.md index cf4d35de03..805ac84dfc 100644 --- a/windows/keep-secure/guidance-and-best-practices-edp.md +++ b/windows/keep-secure/guidance-and-best-practices-edp.md @@ -2,10 +2,11 @@ title: General guidance and best practices for enterprise data protection (EDP) (Windows 10) description: This section includes info about the enlightened Microsoft apps, including how to add them to your Protected Apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP). ms.assetid: aa94e733-53be-49a7-938d-1660deaf52b0 -keywords: ["EDP", "Enterprise Data Protection"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/how-applocker-works-techref.md b/windows/keep-secure/how-applocker-works-techref.md index ad2bc595e0..f9bf8450f5 100644 --- a/windows/keep-secure/how-applocker-works-techref.md +++ b/windows/keep-secure/how-applocker-works-techref.md @@ -2,7 +2,7 @@ title: How AppLocker works (Windows 10) description: This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. ms.assetid: 24bb1d73-0ff5-4af7-8b8a-2fa44d4ddbcd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/how-to-configure-security-policy-settings.md b/windows/keep-secure/how-to-configure-security-policy-settings.md index 275dfdaccb..6a307acac3 100644 --- a/windows/keep-secure/how-to-configure-security-policy-settings.md +++ b/windows/keep-secure/how-to-configure-security-policy-settings.md 
@@ -3,7 +3,7 @@ title: Configure security policy settings (Windows 10) description: Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller. ms.assetid: 63b0967b-a9fe-4d92-90af-67469ee20320 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/how-user-account-control-works.md b/windows/keep-secure/how-user-account-control-works.md index ca5e6eef25..90bba5477f 100644 --- a/windows/keep-secure/how-user-account-control-works.md +++ b/windows/keep-secure/how-user-account-control-works.md @@ -2,7 +2,7 @@ title: How User Account Control works (Windows 10) description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. ms.assetid: 9f921779-0fd3-4206-b0e4-05a19883ee59 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: operate ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md new file mode 100644 index 0000000000..b1adf33fd9 --- /dev/null +++ b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md 
@@ -0,0 +1,60 @@ +--- +title: Identifying Your Windows Firewall with Advanced Security Deployment Goals (Windows 10) +description: Identifying Your Windows Firewall with Advanced Security Deployment Goals +ms.assetid: 598cf45e-2e1c-4947-970f-361dfa264bba +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Identifying Your Windows Firewall with Advanced Security Deployment Goals + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Correctly identifying your Windows Firewall with Advanced Security deployment goals is essential for the success of your Windows Firewall with Advanced Security design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Firewall with Advanced Security by using an iterative approach. You can take advantage of the predefined Windows Firewall with Advanced Security deployment goals presented in this guide that are relevant to your scenarios. + +The following table lists the three main tasks for articulating, refining, and subsequently documenting your Windows Firewall with Advanced Security deployment goals. + + ++++ + + + + + + + + + + + + + + + + + + + + +
Deployment goal tasksReference links

Evaluate predefined Windows Firewall with Advanced Security deployment goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives.

Predefined deployment goals:

+
    +
  • [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)

  • +
  • [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)

  • +
  • [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)

  • +
  • [Restrict Access to Sensitive Resources to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)

  • +

Map one goal or a combination of the predefined deployment goals to an existing Windows Firewall with Advanced Security design.

    +
  • [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)

  • +

Based on the status of your current infrastructure, document your deployment goals for your Windows Firewall with Advanced Security design into a deployment plan.

    +
  • [Designing A Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)

  • +
  • [Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)

  • +
+ +**Next:** [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) diff --git a/windows/keep-secure/images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif b/windows/keep-secure/images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif new file mode 100644 index 0000000000..374b1fe60e Binary files /dev/null and b/windows/keep-secure/images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif differ diff --git a/windows/keep-secure/images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif b/windows/keep-secure/images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif new file mode 100644 index 0000000000..60246363c0 Binary files /dev/null and b/windows/keep-secure/images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif differ diff --git a/windows/keep-secure/images/ad-sites-and-services.png b/windows/keep-secure/images/ad-sites-and-services.png new file mode 100644 index 0000000000..74758aef69 Binary files /dev/null and b/windows/keep-secure/images/ad-sites-and-services.png differ diff --git a/windows/keep-secure/images/adsi-edit.png b/windows/keep-secure/images/adsi-edit.png new file mode 100644 index 0000000000..2d0c4d0af7 Binary files /dev/null and b/windows/keep-secure/images/adsi-edit.png differ diff --git a/windows/keep-secure/images/advanced-sharing.png b/windows/keep-secure/images/advanced-sharing.png new file mode 100644 index 0000000000..f72b7dd37b Binary files /dev/null and b/windows/keep-secure/images/advanced-sharing.png differ diff --git a/windows/keep-secure/images/auditpol-guid-list.png b/windows/keep-secure/images/auditpol-guid-list.png new file mode 100644 index 0000000000..d69583ad89 Binary files /dev/null and b/windows/keep-secure/images/auditpol-guid-list.png differ diff --git a/windows/keep-secure/images/auditpol-list-subcategory.png b/windows/keep-secure/images/auditpol-list-subcategory.png new file mode 100644 index 0000000000..91f043fc24 Binary files /dev/null and b/windows/keep-secure/images/auditpol-list-subcategory.png differ 
diff --git a/windows/keep-secure/images/auditpol-list-user.png b/windows/keep-secure/images/auditpol-list-user.png new file mode 100644 index 0000000000..cabf86563d Binary files /dev/null and b/windows/keep-secure/images/auditpol-list-user.png differ diff --git a/windows/keep-secure/images/auditpol.png b/windows/keep-secure/images/auditpol.png new file mode 100644 index 0000000000..cabf86563d Binary files /dev/null and b/windows/keep-secure/images/auditpol.png differ diff --git a/windows/keep-secure/images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif b/windows/keep-secure/images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif new file mode 100644 index 0000000000..2d1bf229c3 Binary files /dev/null and b/windows/keep-secure/images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif differ diff --git a/windows/keep-secure/images/branchcache-properties.png b/windows/keep-secure/images/branchcache-properties.png new file mode 100644 index 0000000000..31f13be679 Binary files /dev/null and b/windows/keep-secure/images/branchcache-properties.png differ diff --git a/windows/keep-secure/images/certutil-command.png b/windows/keep-secure/images/certutil-command.png new file mode 100644 index 0000000000..ce60fa8034 Binary files /dev/null and b/windows/keep-secure/images/certutil-command.png differ diff --git a/windows/keep-secure/images/computer-management.png b/windows/keep-secure/images/computer-management.png new file mode 100644 index 0000000000..74548ab836 Binary files /dev/null and b/windows/keep-secure/images/computer-management.png differ diff --git a/windows/keep-secure/images/corpnet.gif b/windows/keep-secure/images/corpnet.gif new file mode 100644 index 0000000000..f76182ee25 Binary files /dev/null and b/windows/keep-secure/images/corpnet.gif differ diff --git a/windows/keep-secure/images/createipsecrule.gif b/windows/keep-secure/images/createipsecrule.gif new file mode 100644 index 0000000000..91016f03da Binary files /dev/null and b/windows/keep-secure/images/createipsecrule.gif differ 
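Review bot: `images/auditpol-list-user.png` and `images/auditpol.png` are added with the same blob id (`index 0000000000..cabf86563d`), so they are byte-identical files; either one is a mis-named copy that should be dropped, or the topics that reference them should point at a single image, otherwise a later correction to one will silently leave the other stale.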
diff --git a/windows/keep-secure/images/diskpart.png b/windows/keep-secure/images/diskpart.png new file mode 100644 index 0000000000..f2ebf04b35 Binary files /dev/null and b/windows/keep-secure/images/diskpart.png differ diff --git a/windows/keep-secure/images/edp-intune-app-reconfig-warning.png b/windows/keep-secure/images/edp-intune-app-reconfig-warning.png new file mode 100644 index 0000000000..af36a7cc4e Binary files /dev/null and b/windows/keep-secure/images/edp-intune-app-reconfig-warning.png differ diff --git a/windows/keep-secure/images/event-1100.png b/windows/keep-secure/images/event-1100.png new file mode 100644 index 0000000000..aea16fdfc2 Binary files /dev/null and b/windows/keep-secure/images/event-1100.png differ diff --git a/windows/keep-secure/images/event-1102.png b/windows/keep-secure/images/event-1102.png new file mode 100644 index 0000000000..3d342a51fa Binary files /dev/null and b/windows/keep-secure/images/event-1102.png differ diff --git a/windows/keep-secure/images/event-1104.png b/windows/keep-secure/images/event-1104.png new file mode 100644 index 0000000000..b275530d7a Binary files /dev/null and b/windows/keep-secure/images/event-1104.png differ diff --git a/windows/keep-secure/images/event-1105.png b/windows/keep-secure/images/event-1105.png new file mode 100644 index 0000000000..cedf9019f6 Binary files /dev/null and b/windows/keep-secure/images/event-1105.png differ diff --git a/windows/keep-secure/images/event-1108.png b/windows/keep-secure/images/event-1108.png new file mode 100644 index 0000000000..aa55df090d Binary files /dev/null and b/windows/keep-secure/images/event-1108.png differ diff --git a/windows/keep-secure/images/event-4608.png b/windows/keep-secure/images/event-4608.png new file mode 100644 index 0000000000..256605977f Binary files /dev/null and b/windows/keep-secure/images/event-4608.png differ 
diff --git a/windows/keep-secure/images/event-4610.png b/windows/keep-secure/images/event-4610.png new file mode 100644 index 0000000000..0046d6c73d Binary files /dev/null and b/windows/keep-secure/images/event-4610.png differ diff --git a/windows/keep-secure/images/event-4611.png b/windows/keep-secure/images/event-4611.png new file mode 100644 index 0000000000..f0721a4860 Binary files /dev/null and b/windows/keep-secure/images/event-4611.png differ diff --git a/windows/keep-secure/images/event-4614.png b/windows/keep-secure/images/event-4614.png new file mode 100644 index 0000000000..aaa731eacb Binary files /dev/null and b/windows/keep-secure/images/event-4614.png differ diff --git a/windows/keep-secure/images/event-4616.png b/windows/keep-secure/images/event-4616.png new file mode 100644 index 0000000000..f33eb34fef Binary files /dev/null and b/windows/keep-secure/images/event-4616.png differ diff --git a/windows/keep-secure/images/event-4618.png b/windows/keep-secure/images/event-4618.png new file mode 100644 index 0000000000..7e98ebf7d0 Binary files /dev/null and b/windows/keep-secure/images/event-4618.png differ diff --git a/windows/keep-secure/images/event-4622.png b/windows/keep-secure/images/event-4622.png new file mode 100644 index 0000000000..4283128955 Binary files /dev/null and b/windows/keep-secure/images/event-4622.png differ diff --git a/windows/keep-secure/images/event-4624.png b/windows/keep-secure/images/event-4624.png new file mode 100644 index 0000000000..f12908f0b0 Binary files /dev/null and b/windows/keep-secure/images/event-4624.png differ diff --git a/windows/keep-secure/images/event-4625.png b/windows/keep-secure/images/event-4625.png new file mode 100644 index 0000000000..4ca8559f18 Binary files /dev/null and b/windows/keep-secure/images/event-4625.png differ 
diff --git a/windows/keep-secure/images/event-4626.png b/windows/keep-secure/images/event-4626.png new file mode 100644 index 0000000000..9d2aa55f16 Binary files /dev/null and b/windows/keep-secure/images/event-4626.png differ diff --git a/windows/keep-secure/images/event-4627.png b/windows/keep-secure/images/event-4627.png new file mode 100644 index 0000000000..53e75a4a88 Binary files /dev/null and b/windows/keep-secure/images/event-4627.png differ diff --git a/windows/keep-secure/images/event-4634.png b/windows/keep-secure/images/event-4634.png new file mode 100644 index 0000000000..e014592cc8 Binary files /dev/null and b/windows/keep-secure/images/event-4634.png differ diff --git a/windows/keep-secure/images/event-4647.png b/windows/keep-secure/images/event-4647.png new file mode 100644 index 0000000000..f11ddf8996 Binary files /dev/null and b/windows/keep-secure/images/event-4647.png differ diff --git a/windows/keep-secure/images/event-4648.png b/windows/keep-secure/images/event-4648.png new file mode 100644 index 0000000000..54721193e7 Binary files /dev/null and b/windows/keep-secure/images/event-4648.png differ diff --git a/windows/keep-secure/images/event-4656.png b/windows/keep-secure/images/event-4656.png new file mode 100644 index 0000000000..aba3b592a8 Binary files /dev/null and b/windows/keep-secure/images/event-4656.png differ diff --git a/windows/keep-secure/images/event-4657.png b/windows/keep-secure/images/event-4657.png new file mode 100644 index 0000000000..4b0ffbad21 Binary files /dev/null and b/windows/keep-secure/images/event-4657.png differ diff --git a/windows/keep-secure/images/event-4658.png b/windows/keep-secure/images/event-4658.png new file mode 100644 index 0000000000..7bf584e4f4 Binary files /dev/null and b/windows/keep-secure/images/event-4658.png differ 
diff --git a/windows/keep-secure/images/event-4660.png b/windows/keep-secure/images/event-4660.png new file mode 100644 index 0000000000..55c57de435 Binary files /dev/null and b/windows/keep-secure/images/event-4660.png differ diff --git a/windows/keep-secure/images/event-4661.png b/windows/keep-secure/images/event-4661.png new file mode 100644 index 0000000000..f2b6f57b5b Binary files /dev/null and b/windows/keep-secure/images/event-4661.png differ diff --git a/windows/keep-secure/images/event-4662.png b/windows/keep-secure/images/event-4662.png new file mode 100644 index 0000000000..d2d50bda5a Binary files /dev/null and b/windows/keep-secure/images/event-4662.png differ diff --git a/windows/keep-secure/images/event-4663.png b/windows/keep-secure/images/event-4663.png new file mode 100644 index 0000000000..13629253a0 Binary files /dev/null and b/windows/keep-secure/images/event-4663.png differ diff --git a/windows/keep-secure/images/event-4664.png b/windows/keep-secure/images/event-4664.png new file mode 100644 index 0000000000..07b9624fdf Binary files /dev/null and b/windows/keep-secure/images/event-4664.png differ diff --git a/windows/keep-secure/images/event-4670.png b/windows/keep-secure/images/event-4670.png new file mode 100644 index 0000000000..664fdca981 Binary files /dev/null and b/windows/keep-secure/images/event-4670.png differ diff --git a/windows/keep-secure/images/event-4672.png b/windows/keep-secure/images/event-4672.png new file mode 100644 index 0000000000..12a54cb1a8 Binary files /dev/null and b/windows/keep-secure/images/event-4672.png differ diff --git a/windows/keep-secure/images/event-4673.png b/windows/keep-secure/images/event-4673.png new file mode 100644 index 0000000000..ac773069eb Binary files /dev/null and b/windows/keep-secure/images/event-4673.png differ 
diff --git a/windows/keep-secure/images/event-4674.png b/windows/keep-secure/images/event-4674.png new file mode 100644 index 0000000000..a10eaaa6f7 Binary files /dev/null and b/windows/keep-secure/images/event-4674.png differ diff --git a/windows/keep-secure/images/event-4688.png b/windows/keep-secure/images/event-4688.png new file mode 100644 index 0000000000..5ce471eda2 Binary files /dev/null and b/windows/keep-secure/images/event-4688.png differ diff --git a/windows/keep-secure/images/event-4689.png b/windows/keep-secure/images/event-4689.png new file mode 100644 index 0000000000..1c80bf5428 Binary files /dev/null and b/windows/keep-secure/images/event-4689.png differ diff --git a/windows/keep-secure/images/event-4690.png b/windows/keep-secure/images/event-4690.png new file mode 100644 index 0000000000..400c1aa7df Binary files /dev/null and b/windows/keep-secure/images/event-4690.png differ diff --git a/windows/keep-secure/images/event-4691.png b/windows/keep-secure/images/event-4691.png new file mode 100644 index 0000000000..8b5563f136 Binary files /dev/null and b/windows/keep-secure/images/event-4691.png differ diff --git a/windows/keep-secure/images/event-4692.png b/windows/keep-secure/images/event-4692.png new file mode 100644 index 0000000000..a26a483b4e Binary files /dev/null and b/windows/keep-secure/images/event-4692.png differ diff --git a/windows/keep-secure/images/event-4693.png b/windows/keep-secure/images/event-4693.png new file mode 100644 index 0000000000..6180d34954 Binary files /dev/null and b/windows/keep-secure/images/event-4693.png differ diff --git a/windows/keep-secure/images/event-4696.png b/windows/keep-secure/images/event-4696.png new file mode 100644 index 0000000000..1169b0e437 Binary files /dev/null and b/windows/keep-secure/images/event-4696.png differ 
diff --git a/windows/keep-secure/images/event-4697.png b/windows/keep-secure/images/event-4697.png new file mode 100644 index 0000000000..4cafd71282 Binary files /dev/null and b/windows/keep-secure/images/event-4697.png differ diff --git a/windows/keep-secure/images/event-4698.png b/windows/keep-secure/images/event-4698.png new file mode 100644 index 0000000000..d8c35fc625 Binary files /dev/null and b/windows/keep-secure/images/event-4698.png differ diff --git a/windows/keep-secure/images/event-4699.png b/windows/keep-secure/images/event-4699.png new file mode 100644 index 0000000000..5e11312a32 Binary files /dev/null and b/windows/keep-secure/images/event-4699.png differ diff --git a/windows/keep-secure/images/event-4700.png b/windows/keep-secure/images/event-4700.png new file mode 100644 index 0000000000..922b70cbbb Binary files /dev/null and b/windows/keep-secure/images/event-4700.png differ diff --git a/windows/keep-secure/images/event-4701.png b/windows/keep-secure/images/event-4701.png new file mode 100644 index 0000000000..71d9ba8d82 Binary files /dev/null and b/windows/keep-secure/images/event-4701.png differ diff --git a/windows/keep-secure/images/event-4702.png b/windows/keep-secure/images/event-4702.png new file mode 100644 index 0000000000..58b66921ff Binary files /dev/null and b/windows/keep-secure/images/event-4702.png differ diff --git a/windows/keep-secure/images/event-4703-partial.png b/windows/keep-secure/images/event-4703-partial.png new file mode 100644 index 0000000000..61df0471f9 Binary files /dev/null and b/windows/keep-secure/images/event-4703-partial.png differ diff --git a/windows/keep-secure/images/event-4703.png b/windows/keep-secure/images/event-4703.png new file mode 100644 index 0000000000..2ddb6584cd Binary files /dev/null and b/windows/keep-secure/images/event-4703.png differ 
diff --git a/windows/keep-secure/images/event-4704.png b/windows/keep-secure/images/event-4704.png new file mode 100644 index 0000000000..a12b3d0e8e Binary files /dev/null and b/windows/keep-secure/images/event-4704.png differ diff --git a/windows/keep-secure/images/event-4705.png b/windows/keep-secure/images/event-4705.png new file mode 100644 index 0000000000..fbea053355 Binary files /dev/null and b/windows/keep-secure/images/event-4705.png differ diff --git a/windows/keep-secure/images/event-4706.png b/windows/keep-secure/images/event-4706.png new file mode 100644 index 0000000000..d692c6de11 Binary files /dev/null and b/windows/keep-secure/images/event-4706.png differ diff --git a/windows/keep-secure/images/event-4707.png b/windows/keep-secure/images/event-4707.png new file mode 100644 index 0000000000..455e4aea5c Binary files /dev/null and b/windows/keep-secure/images/event-4707.png differ diff --git a/windows/keep-secure/images/event-4713.png b/windows/keep-secure/images/event-4713.png new file mode 100644 index 0000000000..a5577751f2 Binary files /dev/null and b/windows/keep-secure/images/event-4713.png differ diff --git a/windows/keep-secure/images/event-4714.png b/windows/keep-secure/images/event-4714.png new file mode 100644 index 0000000000..b7aba8b550 Binary files /dev/null and b/windows/keep-secure/images/event-4714.png differ diff --git a/windows/keep-secure/images/event-4715.png b/windows/keep-secure/images/event-4715.png new file mode 100644 index 0000000000..d61cdf4bee Binary files /dev/null and b/windows/keep-secure/images/event-4715.png differ diff --git a/windows/keep-secure/images/event-4716.png b/windows/keep-secure/images/event-4716.png new file mode 100644 index 0000000000..34b7456f04 Binary files /dev/null and b/windows/keep-secure/images/event-4716.png differ 
diff --git a/windows/keep-secure/images/event-4717.png b/windows/keep-secure/images/event-4717.png new file mode 100644 index 0000000000..2ada59cc59 Binary files /dev/null and b/windows/keep-secure/images/event-4717.png differ diff --git a/windows/keep-secure/images/event-4718.png b/windows/keep-secure/images/event-4718.png new file mode 100644 index 0000000000..1cfddd3e3b Binary files /dev/null and b/windows/keep-secure/images/event-4718.png differ diff --git a/windows/keep-secure/images/event-4719.png b/windows/keep-secure/images/event-4719.png new file mode 100644 index 0000000000..4cc7540a6c Binary files /dev/null and b/windows/keep-secure/images/event-4719.png differ diff --git a/windows/keep-secure/images/event-4720.png b/windows/keep-secure/images/event-4720.png new file mode 100644 index 0000000000..d5c0d35986 Binary files /dev/null and b/windows/keep-secure/images/event-4720.png differ diff --git a/windows/keep-secure/images/event-4722.png b/windows/keep-secure/images/event-4722.png new file mode 100644 index 0000000000..0796375b65 Binary files /dev/null and b/windows/keep-secure/images/event-4722.png differ diff --git a/windows/keep-secure/images/event-4723.png b/windows/keep-secure/images/event-4723.png new file mode 100644 index 0000000000..e8f55a4cf3 Binary files /dev/null and b/windows/keep-secure/images/event-4723.png differ diff --git a/windows/keep-secure/images/event-4724.png b/windows/keep-secure/images/event-4724.png new file mode 100644 index 0000000000..d51ee410e3 Binary files /dev/null and b/windows/keep-secure/images/event-4724.png differ diff --git a/windows/keep-secure/images/event-4725.png b/windows/keep-secure/images/event-4725.png new file mode 100644 index 0000000000..961f810c35 Binary files /dev/null and b/windows/keep-secure/images/event-4725.png differ 
diff --git a/windows/keep-secure/images/event-4726.png b/windows/keep-secure/images/event-4726.png new file mode 100644 index 0000000000..6bcdae24fb Binary files /dev/null and b/windows/keep-secure/images/event-4726.png differ diff --git a/windows/keep-secure/images/event-4731.png b/windows/keep-secure/images/event-4731.png new file mode 100644 index 0000000000..3547a1397c Binary files /dev/null and b/windows/keep-secure/images/event-4731.png differ diff --git a/windows/keep-secure/images/event-4732.png b/windows/keep-secure/images/event-4732.png new file mode 100644 index 0000000000..62cdd84ef7 Binary files /dev/null and b/windows/keep-secure/images/event-4732.png differ diff --git a/windows/keep-secure/images/event-4733.png b/windows/keep-secure/images/event-4733.png new file mode 100644 index 0000000000..7ebc924898 Binary files /dev/null and b/windows/keep-secure/images/event-4733.png differ diff --git a/windows/keep-secure/images/event-4734.png b/windows/keep-secure/images/event-4734.png new file mode 100644 index 0000000000..4df94214f8 Binary files /dev/null and b/windows/keep-secure/images/event-4734.png differ diff --git a/windows/keep-secure/images/event-4735.png b/windows/keep-secure/images/event-4735.png new file mode 100644 index 0000000000..dc3fbe0f84 Binary files /dev/null and b/windows/keep-secure/images/event-4735.png differ diff --git a/windows/keep-secure/images/event-4738.png b/windows/keep-secure/images/event-4738.png new file mode 100644 index 0000000000..3b540b816e Binary files /dev/null and b/windows/keep-secure/images/event-4738.png differ diff --git a/windows/keep-secure/images/event-4739.png b/windows/keep-secure/images/event-4739.png new file mode 100644 index 0000000000..5fb89bb560 Binary files /dev/null and b/windows/keep-secure/images/event-4739.png differ 
diff --git a/windows/keep-secure/images/event-4740.png b/windows/keep-secure/images/event-4740.png new file mode 100644 index 0000000000..19d652dac4 Binary files /dev/null and b/windows/keep-secure/images/event-4740.png differ diff --git a/windows/keep-secure/images/event-4741.png b/windows/keep-secure/images/event-4741.png new file mode 100644 index 0000000000..b06a01a83e Binary files /dev/null and b/windows/keep-secure/images/event-4741.png differ diff --git a/windows/keep-secure/images/event-4742.png b/windows/keep-secure/images/event-4742.png new file mode 100644 index 0000000000..8922eb978b Binary files /dev/null and b/windows/keep-secure/images/event-4742.png differ diff --git a/windows/keep-secure/images/event-4743.png b/windows/keep-secure/images/event-4743.png new file mode 100644 index 0000000000..1225c25c02 Binary files /dev/null and b/windows/keep-secure/images/event-4743.png differ diff --git a/windows/keep-secure/images/event-4749.png b/windows/keep-secure/images/event-4749.png new file mode 100644 index 0000000000..fad8e00ade Binary files /dev/null and b/windows/keep-secure/images/event-4749.png differ diff --git a/windows/keep-secure/images/event-4750.png b/windows/keep-secure/images/event-4750.png new file mode 100644 index 0000000000..08d0b6c848 Binary files /dev/null and b/windows/keep-secure/images/event-4750.png differ diff --git a/windows/keep-secure/images/event-4751.png b/windows/keep-secure/images/event-4751.png new file mode 100644 index 0000000000..d9fd6c7928 Binary files /dev/null and b/windows/keep-secure/images/event-4751.png differ diff --git a/windows/keep-secure/images/event-4752.png b/windows/keep-secure/images/event-4752.png new file mode 100644 index 0000000000..3464cca5a3 Binary files /dev/null and b/windows/keep-secure/images/event-4752.png differ 
diff --git a/windows/keep-secure/images/event-4753.png b/windows/keep-secure/images/event-4753.png new file mode 100644 index 0000000000..41ee823086 Binary files /dev/null and b/windows/keep-secure/images/event-4753.png differ diff --git a/windows/keep-secure/images/event-4764.png b/windows/keep-secure/images/event-4764.png new file mode 100644 index 0000000000..5c376a7176 Binary files /dev/null and b/windows/keep-secure/images/event-4764.png differ diff --git a/windows/keep-secure/images/event-4767.png b/windows/keep-secure/images/event-4767.png new file mode 100644 index 0000000000..bb3c9a8524 Binary files /dev/null and b/windows/keep-secure/images/event-4767.png differ diff --git a/windows/keep-secure/images/event-4768.png b/windows/keep-secure/images/event-4768.png new file mode 100644 index 0000000000..6150806515 Binary files /dev/null and b/windows/keep-secure/images/event-4768.png differ diff --git a/windows/keep-secure/images/event-4769.png b/windows/keep-secure/images/event-4769.png new file mode 100644 index 0000000000..ad96b8df58 Binary files /dev/null and b/windows/keep-secure/images/event-4769.png differ diff --git a/windows/keep-secure/images/event-4770.png b/windows/keep-secure/images/event-4770.png new file mode 100644 index 0000000000..e780578ec3 Binary files /dev/null and b/windows/keep-secure/images/event-4770.png differ diff --git a/windows/keep-secure/images/event-4771.png b/windows/keep-secure/images/event-4771.png new file mode 100644 index 0000000000..b87ef7dc23 Binary files /dev/null and b/windows/keep-secure/images/event-4771.png differ diff --git a/windows/keep-secure/images/event-4776.png b/windows/keep-secure/images/event-4776.png new file mode 100644 index 0000000000..b0ffefdee9 Binary files /dev/null and b/windows/keep-secure/images/event-4776.png differ 
diff --git a/windows/keep-secure/images/event-4778.png b/windows/keep-secure/images/event-4778.png new file mode 100644 index 0000000000..0888c950de Binary files /dev/null and b/windows/keep-secure/images/event-4778.png differ diff --git a/windows/keep-secure/images/event-4779.png b/windows/keep-secure/images/event-4779.png new file mode 100644 index 0000000000..f578cdd53f Binary files /dev/null and b/windows/keep-secure/images/event-4779.png differ diff --git a/windows/keep-secure/images/event-4781.png b/windows/keep-secure/images/event-4781.png new file mode 100644 index 0000000000..f344879f9d Binary files /dev/null and b/windows/keep-secure/images/event-4781.png differ diff --git a/windows/keep-secure/images/event-4782.png b/windows/keep-secure/images/event-4782.png new file mode 100644 index 0000000000..3f2822bf9c Binary files /dev/null and b/windows/keep-secure/images/event-4782.png differ diff --git a/windows/keep-secure/images/event-4793.png b/windows/keep-secure/images/event-4793.png new file mode 100644 index 0000000000..2def52c754 Binary files /dev/null and b/windows/keep-secure/images/event-4793.png differ diff --git a/windows/keep-secure/images/event-4794.png b/windows/keep-secure/images/event-4794.png new file mode 100644 index 0000000000..08b15adb1e Binary files /dev/null and b/windows/keep-secure/images/event-4794.png differ diff --git a/windows/keep-secure/images/event-4798.png b/windows/keep-secure/images/event-4798.png new file mode 100644 index 0000000000..727cf0ce90 Binary files /dev/null and b/windows/keep-secure/images/event-4798.png differ diff --git a/windows/keep-secure/images/event-4799.png b/windows/keep-secure/images/event-4799.png new file mode 100644 index 0000000000..2bbb69f812 Binary files /dev/null and b/windows/keep-secure/images/event-4799.png differ 
diff --git a/windows/keep-secure/images/event-4800.png b/windows/keep-secure/images/event-4800.png new file mode 100644 index 0000000000..e7354b3995 Binary files /dev/null and b/windows/keep-secure/images/event-4800.png differ diff --git a/windows/keep-secure/images/event-4801.png b/windows/keep-secure/images/event-4801.png new file mode 100644 index 0000000000..695e124a94 Binary files /dev/null and b/windows/keep-secure/images/event-4801.png differ diff --git a/windows/keep-secure/images/event-4802.png b/windows/keep-secure/images/event-4802.png new file mode 100644 index 0000000000..1225e2c79f Binary files /dev/null and b/windows/keep-secure/images/event-4802.png differ diff --git a/windows/keep-secure/images/event-4803.png b/windows/keep-secure/images/event-4803.png new file mode 100644 index 0000000000..677663e56a Binary files /dev/null and b/windows/keep-secure/images/event-4803.png differ diff --git a/windows/keep-secure/images/event-4817.png b/windows/keep-secure/images/event-4817.png new file mode 100644 index 0000000000..4d71e12ad1 Binary files /dev/null and b/windows/keep-secure/images/event-4817.png differ diff --git a/windows/keep-secure/images/event-4818.png b/windows/keep-secure/images/event-4818.png new file mode 100644 index 0000000000..65c049a552 Binary files /dev/null and b/windows/keep-secure/images/event-4818.png differ diff --git a/windows/keep-secure/images/event-4819.png b/windows/keep-secure/images/event-4819.png new file mode 100644 index 0000000000..7f56089668 Binary files /dev/null and b/windows/keep-secure/images/event-4819.png differ diff --git a/windows/keep-secure/images/event-4826.png b/windows/keep-secure/images/event-4826.png new file mode 100644 index 0000000000..326f7a2a02 Binary files /dev/null and b/windows/keep-secure/images/event-4826.png differ 
diff --git a/windows/keep-secure/images/event-4865.png b/windows/keep-secure/images/event-4865.png new file mode 100644 index 0000000000..ddbe9a6034 Binary files /dev/null and b/windows/keep-secure/images/event-4865.png differ diff --git a/windows/keep-secure/images/event-4866.png b/windows/keep-secure/images/event-4866.png new file mode 100644 index 0000000000..2015250a48 Binary files /dev/null and b/windows/keep-secure/images/event-4866.png differ diff --git a/windows/keep-secure/images/event-4867.png b/windows/keep-secure/images/event-4867.png new file mode 100644 index 0000000000..0f0b6c0662 Binary files /dev/null and b/windows/keep-secure/images/event-4867.png differ diff --git a/windows/keep-secure/images/event-4902.png b/windows/keep-secure/images/event-4902.png new file mode 100644 index 0000000000..9df8c87ecd Binary files /dev/null and b/windows/keep-secure/images/event-4902.png differ diff --git a/windows/keep-secure/images/event-4904.png b/windows/keep-secure/images/event-4904.png new file mode 100644 index 0000000000..016ebf2d95 Binary files /dev/null and b/windows/keep-secure/images/event-4904.png differ diff --git a/windows/keep-secure/images/event-4905.png b/windows/keep-secure/images/event-4905.png new file mode 100644 index 0000000000..1366e366ef Binary files /dev/null and b/windows/keep-secure/images/event-4905.png differ diff --git a/windows/keep-secure/images/event-4906.png b/windows/keep-secure/images/event-4906.png new file mode 100644 index 0000000000..043d6827aa Binary files /dev/null and b/windows/keep-secure/images/event-4906.png differ diff --git a/windows/keep-secure/images/event-4907.png b/windows/keep-secure/images/event-4907.png new file mode 100644 index 0000000000..d29b170401 Binary files /dev/null and b/windows/keep-secure/images/event-4907.png differ 
diff --git a/windows/keep-secure/images/event-4908.png b/windows/keep-secure/images/event-4908.png new file mode 100644 index 0000000000..523cb84a9b Binary files /dev/null and b/windows/keep-secure/images/event-4908.png differ diff --git a/windows/keep-secure/images/event-4911.png b/windows/keep-secure/images/event-4911.png new file mode 100644 index 0000000000..bfc3830df3 Binary files /dev/null and b/windows/keep-secure/images/event-4911.png differ diff --git a/windows/keep-secure/images/event-4912.png b/windows/keep-secure/images/event-4912.png new file mode 100644 index 0000000000..9a01e1273e Binary files /dev/null and b/windows/keep-secure/images/event-4912.png differ diff --git a/windows/keep-secure/images/event-4913.png b/windows/keep-secure/images/event-4913.png new file mode 100644 index 0000000000..a2657ec645 Binary files /dev/null and b/windows/keep-secure/images/event-4913.png differ diff --git a/windows/keep-secure/images/event-4928.png b/windows/keep-secure/images/event-4928.png new file mode 100644 index 0000000000..8c0ad8368a Binary files /dev/null and b/windows/keep-secure/images/event-4928.png differ diff --git a/windows/keep-secure/images/event-4929.png b/windows/keep-secure/images/event-4929.png new file mode 100644 index 0000000000..380b52aaee Binary files /dev/null and b/windows/keep-secure/images/event-4929.png differ diff --git a/windows/keep-secure/images/event-4930.png b/windows/keep-secure/images/event-4930.png new file mode 100644 index 0000000000..9c28a8f677 Binary files /dev/null and b/windows/keep-secure/images/event-4930.png differ diff --git a/windows/keep-secure/images/event-4931.png b/windows/keep-secure/images/event-4931.png new file mode 100644 index 0000000000..fb7add47fc Binary files /dev/null and b/windows/keep-secure/images/event-4931.png differ 
diff --git a/windows/keep-secure/images/event-4932.png b/windows/keep-secure/images/event-4932.png new file mode 100644 index 0000000000..5086bed8e7 Binary files /dev/null and b/windows/keep-secure/images/event-4932.png differ diff --git a/windows/keep-secure/images/event-4933.png b/windows/keep-secure/images/event-4933.png new file mode 100644 index 0000000000..49456d0e08 Binary files /dev/null and b/windows/keep-secure/images/event-4933.png differ diff --git a/windows/keep-secure/images/event-4935.png b/windows/keep-secure/images/event-4935.png new file mode 100644 index 0000000000..7a1c8a85ab Binary files /dev/null and b/windows/keep-secure/images/event-4935.png differ diff --git a/windows/keep-secure/images/event-4944.png b/windows/keep-secure/images/event-4944.png new file mode 100644 index 0000000000..8c05133463 Binary files /dev/null and b/windows/keep-secure/images/event-4944.png differ diff --git a/windows/keep-secure/images/event-4945.png b/windows/keep-secure/images/event-4945.png new file mode 100644 index 0000000000..a3828ba271 Binary files /dev/null and b/windows/keep-secure/images/event-4945.png differ diff --git a/windows/keep-secure/images/event-4946.png b/windows/keep-secure/images/event-4946.png new file mode 100644 index 0000000000..d06ba42b67 Binary files /dev/null and b/windows/keep-secure/images/event-4946.png differ diff --git a/windows/keep-secure/images/event-4947.png b/windows/keep-secure/images/event-4947.png new file mode 100644 index 0000000000..ba67a44c7c Binary files /dev/null and b/windows/keep-secure/images/event-4947.png differ diff --git a/windows/keep-secure/images/event-4948.png b/windows/keep-secure/images/event-4948.png new file mode 100644 index 0000000000..b956769c0a Binary files /dev/null and b/windows/keep-secure/images/event-4948.png differ 
diff --git a/windows/keep-secure/images/event-4949.png b/windows/keep-secure/images/event-4949.png new file mode 100644 index 0000000000..c60530df7f Binary files /dev/null and b/windows/keep-secure/images/event-4949.png differ diff --git a/windows/keep-secure/images/event-4950.png b/windows/keep-secure/images/event-4950.png new file mode 100644 index 0000000000..fcf6504a6b Binary files /dev/null and b/windows/keep-secure/images/event-4950.png differ diff --git a/windows/keep-secure/images/event-4951.png b/windows/keep-secure/images/event-4951.png new file mode 100644 index 0000000000..164e6bc717 Binary files /dev/null and b/windows/keep-secure/images/event-4951.png differ diff --git a/windows/keep-secure/images/event-4953.png b/windows/keep-secure/images/event-4953.png new file mode 100644 index 0000000000..438e9bf324 Binary files /dev/null and b/windows/keep-secure/images/event-4953.png differ diff --git a/windows/keep-secure/images/event-4954.png b/windows/keep-secure/images/event-4954.png new file mode 100644 index 0000000000..33f6da3866 Binary files /dev/null and b/windows/keep-secure/images/event-4954.png differ diff --git a/windows/keep-secure/images/event-4956.png b/windows/keep-secure/images/event-4956.png new file mode 100644 index 0000000000..fad74aef48 Binary files /dev/null and b/windows/keep-secure/images/event-4956.png differ diff --git a/windows/keep-secure/images/event-4957.png b/windows/keep-secure/images/event-4957.png new file mode 100644 index 0000000000..8805c6964b Binary files /dev/null and b/windows/keep-secure/images/event-4957.png differ diff --git a/windows/keep-secure/images/event-4964.png b/windows/keep-secure/images/event-4964.png new file mode 100644 index 0000000000..13dd095a3f Binary files /dev/null and b/windows/keep-secure/images/event-4964.png differ 
diff --git a/windows/keep-secure/images/event-4985.png b/windows/keep-secure/images/event-4985.png new file mode 100644 index 0000000000..f182c22d48 Binary files /dev/null and b/windows/keep-secure/images/event-4985.png differ diff --git a/windows/keep-secure/images/event-5024.png b/windows/keep-secure/images/event-5024.png new file mode 100644 index 0000000000..900efa51c7 Binary files /dev/null and b/windows/keep-secure/images/event-5024.png differ diff --git a/windows/keep-secure/images/event-5025.png b/windows/keep-secure/images/event-5025.png new file mode 100644 index 0000000000..1af6e5594c Binary files /dev/null and b/windows/keep-secure/images/event-5025.png differ diff --git a/windows/keep-secure/images/event-5027.png b/windows/keep-secure/images/event-5027.png new file mode 100644 index 0000000000..30f8e9887e Binary files /dev/null and b/windows/keep-secure/images/event-5027.png differ diff --git a/windows/keep-secure/images/event-5028.png b/windows/keep-secure/images/event-5028.png new file mode 100644 index 0000000000..c4fffb4a49 Binary files /dev/null and b/windows/keep-secure/images/event-5028.png differ diff --git a/windows/keep-secure/images/event-5031.png b/windows/keep-secure/images/event-5031.png new file mode 100644 index 0000000000..854c827ce8 Binary files /dev/null and b/windows/keep-secure/images/event-5031.png differ diff --git a/windows/keep-secure/images/event-5033.png b/windows/keep-secure/images/event-5033.png new file mode 100644 index 0000000000..d8eaad7cef Binary files /dev/null and b/windows/keep-secure/images/event-5033.png differ diff --git a/windows/keep-secure/images/event-5034.png b/windows/keep-secure/images/event-5034.png new file mode 100644 index 0000000000..2b3d8464da Binary files /dev/null and b/windows/keep-secure/images/event-5034.png differ 
diff --git a/windows/keep-secure/images/event-5058.png b/windows/keep-secure/images/event-5058.png new file mode 100644 index 0000000000..9cc4569845 Binary files /dev/null and b/windows/keep-secure/images/event-5058.png differ diff --git a/windows/keep-secure/images/event-5059.png b/windows/keep-secure/images/event-5059.png new file mode 100644 index 0000000000..5896afdaa5 Binary files /dev/null and b/windows/keep-secure/images/event-5059.png differ diff --git a/windows/keep-secure/images/event-5061.png b/windows/keep-secure/images/event-5061.png new file mode 100644 index 0000000000..dd953b85be Binary files /dev/null and b/windows/keep-secure/images/event-5061.png differ diff --git a/windows/keep-secure/images/event-5136.png b/windows/keep-secure/images/event-5136.png new file mode 100644 index 0000000000..e1b8a249fd Binary files /dev/null and b/windows/keep-secure/images/event-5136.png differ diff --git a/windows/keep-secure/images/event-5137.png b/windows/keep-secure/images/event-5137.png new file mode 100644 index 0000000000..423a9e4e9c Binary files /dev/null and b/windows/keep-secure/images/event-5137.png differ diff --git a/windows/keep-secure/images/event-5138.png b/windows/keep-secure/images/event-5138.png new file mode 100644 index 0000000000..fee3c30140 Binary files /dev/null and b/windows/keep-secure/images/event-5138.png differ diff --git a/windows/keep-secure/images/event-5139.png b/windows/keep-secure/images/event-5139.png new file mode 100644 index 0000000000..f4966fa100 Binary files /dev/null and b/windows/keep-secure/images/event-5139.png differ diff --git a/windows/keep-secure/images/event-5140.png b/windows/keep-secure/images/event-5140.png new file mode 100644 index 0000000000..927285b3cb Binary files /dev/null and b/windows/keep-secure/images/event-5140.png differ 
diff --git a/windows/keep-secure/images/event-5141.png b/windows/keep-secure/images/event-5141.png new file mode 100644 index 0000000000..350ca4e5bf Binary files /dev/null and b/windows/keep-secure/images/event-5141.png differ diff --git a/windows/keep-secure/images/event-5142.png b/windows/keep-secure/images/event-5142.png new file mode 100644 index 0000000000..c2fffdf288 Binary files /dev/null and b/windows/keep-secure/images/event-5142.png differ diff --git a/windows/keep-secure/images/event-5143.png b/windows/keep-secure/images/event-5143.png new file mode 100644 index 0000000000..c301bde59d Binary files /dev/null and b/windows/keep-secure/images/event-5143.png differ diff --git a/windows/keep-secure/images/event-5144.png b/windows/keep-secure/images/event-5144.png new file mode 100644 index 0000000000..96a6176367 Binary files /dev/null and b/windows/keep-secure/images/event-5144.png differ diff --git a/windows/keep-secure/images/event-5145.png b/windows/keep-secure/images/event-5145.png new file mode 100644 index 0000000000..73c1364328 Binary files /dev/null and b/windows/keep-secure/images/event-5145.png differ diff --git a/windows/keep-secure/images/event-5152.png b/windows/keep-secure/images/event-5152.png new file mode 100644 index 0000000000..2f06bab5b4 Binary files /dev/null and b/windows/keep-secure/images/event-5152.png differ diff --git a/windows/keep-secure/images/event-5154.png b/windows/keep-secure/images/event-5154.png new file mode 100644 index 0000000000..1ee4716063 Binary files /dev/null and b/windows/keep-secure/images/event-5154.png differ diff --git a/windows/keep-secure/images/event-5156.png b/windows/keep-secure/images/event-5156.png new file mode 100644 index 0000000000..93ac25973a Binary files /dev/null and b/windows/keep-secure/images/event-5156.png differ 
diff --git a/windows/keep-secure/images/event-5157.png b/windows/keep-secure/images/event-5157.png new file mode 100644 index 0000000000..d44c2b5188 Binary files /dev/null and b/windows/keep-secure/images/event-5157.png differ diff --git a/windows/keep-secure/images/event-5158.png b/windows/keep-secure/images/event-5158.png new file mode 100644 index 0000000000..65b65085d3 Binary files /dev/null and b/windows/keep-secure/images/event-5158.png differ diff --git a/windows/keep-secure/images/event-5168.png b/windows/keep-secure/images/event-5168.png new file mode 100644 index 0000000000..509000797f Binary files /dev/null and b/windows/keep-secure/images/event-5168.png differ diff --git a/windows/keep-secure/images/event-5376.png b/windows/keep-secure/images/event-5376.png new file mode 100644 index 0000000000..b439b4ee5b Binary files /dev/null and b/windows/keep-secure/images/event-5376.png differ diff --git a/windows/keep-secure/images/event-5377.png b/windows/keep-secure/images/event-5377.png new file mode 100644 index 0000000000..061f81ce3c Binary files /dev/null and b/windows/keep-secure/images/event-5377.png differ diff --git a/windows/keep-secure/images/event-5378.png b/windows/keep-secure/images/event-5378.png new file mode 100644 index 0000000000..d89a1a40dd Binary files /dev/null and b/windows/keep-secure/images/event-5378.png differ diff --git a/windows/keep-secure/images/event-5447.png b/windows/keep-secure/images/event-5447.png new file mode 100644 index 0000000000..97b8fd61a6 Binary files /dev/null and b/windows/keep-secure/images/event-5447.png differ diff --git a/windows/keep-secure/images/event-5632.png b/windows/keep-secure/images/event-5632.png new file mode 100644 index 0000000000..2d732bd578 Binary files /dev/null and b/windows/keep-secure/images/event-5632.png differ 
diff --git a/windows/keep-secure/images/event-5633.png b/windows/keep-secure/images/event-5633.png new file mode 100644 index 0000000000..a6a378c5f7 Binary files /dev/null and b/windows/keep-secure/images/event-5633.png differ diff --git a/windows/keep-secure/images/event-5888.png b/windows/keep-secure/images/event-5888.png new file mode 100644 index 0000000000..028ee2be06 Binary files /dev/null and b/windows/keep-secure/images/event-5888.png differ diff --git a/windows/keep-secure/images/event-5889.png b/windows/keep-secure/images/event-5889.png new file mode 100644 index 0000000000..2e1164bb69 Binary files /dev/null and b/windows/keep-secure/images/event-5889.png differ diff --git a/windows/keep-secure/images/event-5890.png b/windows/keep-secure/images/event-5890.png new file mode 100644 index 0000000000..46b9cc8e30 Binary files /dev/null and b/windows/keep-secure/images/event-5890.png differ diff --git a/windows/keep-secure/images/event-6144.png b/windows/keep-secure/images/event-6144.png new file mode 100644 index 0000000000..b13fba0760 Binary files /dev/null and b/windows/keep-secure/images/event-6144.png differ diff --git a/windows/keep-secure/images/event-6145.png b/windows/keep-secure/images/event-6145.png new file mode 100644 index 0000000000..31cca8d59e Binary files /dev/null and b/windows/keep-secure/images/event-6145.png differ diff --git a/windows/keep-secure/images/event-6416.png b/windows/keep-secure/images/event-6416.png new file mode 100644 index 0000000000..d4ba5077b2 Binary files /dev/null and b/windows/keep-secure/images/event-6416.png differ diff --git a/windows/keep-secure/images/event-6419.png b/windows/keep-secure/images/event-6419.png new file mode 100644 index 0000000000..c1a5604016 Binary files /dev/null and b/windows/keep-secure/images/event-6419.png differ 
diff --git a/windows/keep-secure/images/event-6420.png b/windows/keep-secure/images/event-6420.png new file mode 100644 index 0000000000..546589127c Binary files /dev/null and b/windows/keep-secure/images/event-6420.png differ diff --git a/windows/keep-secure/images/event-6421.png b/windows/keep-secure/images/event-6421.png new file mode 100644 index 0000000000..a3cbe78e3c Binary files /dev/null and b/windows/keep-secure/images/event-6421.png differ diff --git a/windows/keep-secure/images/event-6422.png b/windows/keep-secure/images/event-6422.png new file mode 100644 index 0000000000..74b1575dae Binary files /dev/null and b/windows/keep-secure/images/event-6422.png differ diff --git a/windows/keep-secure/images/event-6423.png b/windows/keep-secure/images/event-6423.png new file mode 100644 index 0000000000..dc383d254e Binary files /dev/null and b/windows/keep-secure/images/event-6423.png differ diff --git a/windows/keep-secure/images/faa393df-4856-4431-9eda-4f4e5be72a90.gif b/windows/keep-secure/images/faa393df-4856-4431-9eda-4f4e5be72a90.gif new file mode 100644 index 0000000000..d3c8021646 Binary files /dev/null and b/windows/keep-secure/images/faa393df-4856-4431-9eda-4f4e5be72a90.gif differ diff --git a/windows/keep-secure/images/filters-xml-file.png b/windows/keep-secure/images/filters-xml-file.png new file mode 100644 index 0000000000..9a35082fd7 Binary files /dev/null and b/windows/keep-secure/images/filters-xml-file.png differ diff --git a/windows/keep-secure/images/firewall-settings-public-profile.png b/windows/keep-secure/images/firewall-settings-public-profile.png new file mode 100644 index 0000000000..fc4ac0b4c6 Binary files /dev/null and b/windows/keep-secure/images/firewall-settings-public-profile.png differ 
diff --git a/windows/keep-secure/images/group-policy-editor.png b/windows/keep-secure/images/group-policy-editor.png new file mode 100644 index 0000000000..361e4c3943 Binary files /dev/null and b/windows/keep-secure/images/group-policy-editor.png differ diff --git a/windows/keep-secure/images/group-policy.png b/windows/keep-secure/images/group-policy.png new file mode 100644 index 0000000000..aa4dd8b838 Binary files /dev/null and b/windows/keep-secure/images/group-policy.png differ diff --git a/windows/keep-secure/images/impact-property.png b/windows/keep-secure/images/impact-property.png new file mode 100644 index 0000000000..b65b204b68 Binary files /dev/null and b/windows/keep-secure/images/impact-property.png differ diff --git a/windows/keep-secure/images/ipconfig-command.png b/windows/keep-secure/images/ipconfig-command.png new file mode 100644 index 0000000000..abebb23207 Binary files /dev/null and b/windows/keep-secure/images/ipconfig-command.png differ diff --git a/windows/keep-secure/images/logging-settings-public-profile.png b/windows/keep-secure/images/logging-settings-public-profile.png new file mode 100644 index 0000000000..32aceb9fee Binary files /dev/null and b/windows/keep-secure/images/logging-settings-public-profile.png differ diff --git a/windows/keep-secure/images/msb.png b/windows/keep-secure/images/msb.png new file mode 100644 index 0000000000..fb546a41c4 Binary files /dev/null and b/windows/keep-secure/images/msb.png differ diff --git a/windows/keep-secure/images/net-helpmsg-58.png b/windows/keep-secure/images/net-helpmsg-58.png new file mode 100644 index 0000000000..53f96107ea Binary files /dev/null and b/windows/keep-secure/images/net-helpmsg-58.png differ diff --git a/windows/keep-secure/images/netsh-advfirewall-command.png b/windows/keep-secure/images/netsh-advfirewall-command.png new file mode 100644 index 0000000000..56d7caa0c4 Binary files /dev/null and b/windows/keep-secure/images/netsh-advfirewall-command.png differ 
diff --git a/windows/keep-secure/images/netsh-command.png b/windows/keep-secure/images/netsh-command.png new file mode 100644 index 0000000000..56d7caa0c4 Binary files /dev/null and b/windows/keep-secure/images/netsh-command.png differ diff --git a/windows/keep-secure/images/netsh-lan-command.png b/windows/keep-secure/images/netsh-lan-command.png new file mode 100644 index 0000000000..776bbd1bd3 Binary files /dev/null and b/windows/keep-secure/images/netsh-lan-command.png differ diff --git a/windows/keep-secure/images/offline-settings.png b/windows/keep-secure/images/offline-settings.png new file mode 100644 index 0000000000..f9596725c1 Binary files /dev/null and b/windows/keep-secure/images/offline-settings.png differ diff --git a/windows/keep-secure/images/powershelllogosmall.gif b/windows/keep-secure/images/powershelllogosmall.gif new file mode 100644 index 0000000000..a27d8b9d9e Binary files /dev/null and b/windows/keep-secure/images/powershelllogosmall.gif differ diff --git a/windows/keep-secure/images/qmcryptoset.gif b/windows/keep-secure/images/qmcryptoset.gif new file mode 100644 index 0000000000..4ba626b3ff Binary files /dev/null and b/windows/keep-secure/images/qmcryptoset.gif differ diff --git a/windows/keep-secure/images/query-session.png b/windows/keep-secure/images/query-session.png new file mode 100644 index 0000000000..7e7a29e4fc Binary files /dev/null and b/windows/keep-secure/images/query-session.png differ diff --git a/windows/keep-secure/images/registry-editor-audit.png b/windows/keep-secure/images/registry-editor-audit.png new file mode 100644 index 0000000000..055863b04b Binary files /dev/null and b/windows/keep-secure/images/registry-editor-audit.png differ diff --git a/windows/keep-secure/images/registry-editor-firewallrules.png b/windows/keep-secure/images/registry-editor-firewallrules.png new file mode 100644 index 0000000000..5b3c291a9a Binary files /dev/null and b/windows/keep-secure/images/registry-editor-firewallrules.png differ 
diff --git a/windows/keep-secure/images/registry-editor.png b/windows/keep-secure/images/registry-editor.png new file mode 100644 index 0000000000..5b3c291a9a Binary files /dev/null and b/windows/keep-secure/images/registry-editor.png differ diff --git a/windows/keep-secure/images/schema-search.png b/windows/keep-secure/images/schema-search.png new file mode 100644 index 0000000000..6028e60fa1 Binary files /dev/null and b/windows/keep-secure/images/schema-search.png differ diff --git a/windows/keep-secure/images/subkeys-under-security-key.png b/windows/keep-secure/images/subkeys-under-security-key.png new file mode 100644 index 0000000000..fdef5ec55d Binary files /dev/null and b/windows/keep-secure/images/subkeys-under-security-key.png differ diff --git a/windows/keep-secure/images/subtree-deletion.png b/windows/keep-secure/images/subtree-deletion.png new file mode 100644 index 0000000000..588960f260 Binary files /dev/null and b/windows/keep-secure/images/subtree-deletion.png differ diff --git a/windows/keep-secure/images/synaptics.png b/windows/keep-secure/images/synaptics.png new file mode 100644 index 0000000000..2ffc025437 Binary files /dev/null and b/windows/keep-secure/images/synaptics.png differ diff --git a/windows/keep-secure/images/synaptics1.png b/windows/keep-secure/images/synaptics1.png new file mode 100644 index 0000000000..81716c5ad1 Binary files /dev/null and b/windows/keep-secure/images/synaptics1.png differ diff --git a/windows/keep-secure/images/synaptics2.png b/windows/keep-secure/images/synaptics2.png new file mode 100644 index 0000000000..2fc2d10737 Binary files /dev/null and b/windows/keep-secure/images/synaptics2.png differ diff --git a/windows/keep-secure/images/synaptics3.png b/windows/keep-secure/images/synaptics3.png new file mode 100644 index 0000000000..cbcb7c466a Binary files /dev/null and b/windows/keep-secure/images/synaptics3.png differ 
diff --git a/windows/keep-secure/images/synaptics4.png b/windows/keep-secure/images/synaptics4.png new file mode 100644 index 0000000000..67bfc1f857 Binary files /dev/null and b/windows/keep-secure/images/synaptics4.png differ diff --git a/windows/keep-secure/images/synaptics5.png b/windows/keep-secure/images/synaptics5.png new file mode 100644 index 0000000000..4e8285a462 Binary files /dev/null and b/windows/keep-secure/images/synaptics5.png differ diff --git a/windows/keep-secure/images/synaptics6.png b/windows/keep-secure/images/synaptics6.png new file mode 100644 index 0000000000..79c9b3a1a2 Binary files /dev/null and b/windows/keep-secure/images/synaptics6.png differ diff --git a/windows/keep-secure/images/synaptics7.png b/windows/keep-secure/images/synaptics7.png new file mode 100644 index 0000000000..2ffc025437 Binary files /dev/null and b/windows/keep-secure/images/synaptics7.png differ diff --git a/windows/keep-secure/images/task-manager.png b/windows/keep-secure/images/task-manager.png new file mode 100644 index 0000000000..47aa593f98 Binary files /dev/null and b/windows/keep-secure/images/task-manager.png differ diff --git a/windows/keep-secure/images/wfas-design2example1.gif b/windows/keep-secure/images/wfas-design2example1.gif new file mode 100644 index 0000000000..3d44049fa2 Binary files /dev/null and b/windows/keep-secure/images/wfas-design2example1.gif differ diff --git a/windows/keep-secure/images/wfas-design3example1.gif b/windows/keep-secure/images/wfas-design3example1.gif new file mode 100644 index 0000000000..cd11758ff4 Binary files /dev/null and b/windows/keep-secure/images/wfas-design3example1.gif differ diff --git a/windows/keep-secure/images/wfas-designexample1.gif b/windows/keep-secure/images/wfas-designexample1.gif new file mode 100644 index 0000000000..f2f730c70f Binary files /dev/null and b/windows/keep-secure/images/wfas-designexample1.gif differ 
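Review bot: several of the new image blobs are byte-identical copies checked in under different names, which the matching `index` hashes in these headers show: `netsh-command.png` and `netsh-advfirewall-command.png` (both `56d7caa0c4`), `registry-editor.png` and `registry-editor-firewallrules.png` (both `5b3c291a9a`), and `synaptics.png` and `synaptics7.png` (both `2ffc025437`). Unless the topics that embed them are expected to diverge, keep one copy of each pair and point both references at it, so a later screenshot refresh does not leave one of the two stale.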
diff --git a/windows/keep-secure/images/wfas-designflowchart1.gif b/windows/keep-secure/images/wfas-designflowchart1.gif new file mode 100644 index 0000000000..369d0de563 Binary files /dev/null and b/windows/keep-secure/images/wfas-designflowchart1.gif differ diff --git a/windows/keep-secure/images/wfas-domainiso.gif b/windows/keep-secure/images/wfas-domainiso.gif new file mode 100644 index 0000000000..dd3040653f Binary files /dev/null and b/windows/keep-secure/images/wfas-domainiso.gif differ diff --git a/windows/keep-secure/images/wfas-domainisoencrypt.gif b/windows/keep-secure/images/wfas-domainisoencrypt.gif new file mode 100644 index 0000000000..3ba2beae45 Binary files /dev/null and b/windows/keep-secure/images/wfas-domainisoencrypt.gif differ diff --git a/windows/keep-secure/images/wfas-domainisohighsec.gif b/windows/keep-secure/images/wfas-domainisohighsec.gif new file mode 100644 index 0000000000..49fae4ab6b Binary files /dev/null and b/windows/keep-secure/images/wfas-domainisohighsec.gif differ diff --git a/windows/keep-secure/images/wfas-domainnag.gif b/windows/keep-secure/images/wfas-domainnag.gif new file mode 100644 index 0000000000..9e35fbc193 Binary files /dev/null and b/windows/keep-secure/images/wfas-domainnag.gif differ diff --git a/windows/keep-secure/images/wfas-icon-checkbox.gif b/windows/keep-secure/images/wfas-icon-checkbox.gif new file mode 100644 index 0000000000..5c7dfb0ebc Binary files /dev/null and b/windows/keep-secure/images/wfas-icon-checkbox.gif differ diff --git a/windows/keep-secure/images/wfas-implement.gif b/windows/keep-secure/images/wfas-implement.gif new file mode 100644 index 0000000000..5a90b2fb97 Binary files /dev/null and b/windows/keep-secure/images/wfas-implement.gif differ 
diff --git a/windows/keep-secure/images/wfasdomainisoboundary.gif b/windows/keep-secure/images/wfasdomainisoboundary.gif new file mode 100644 index 0000000000..3c4c855649 Binary files /dev/null and b/windows/keep-secure/images/wfasdomainisoboundary.gif differ diff --git a/windows/keep-secure/images/wfpstate-xml.png b/windows/keep-secure/images/wfpstate-xml.png new file mode 100644 index 0000000000..88695f63ed Binary files /dev/null and b/windows/keep-secure/images/wfpstate-xml.png differ diff --git a/windows/keep-secure/images/whoami-privilege-list.png b/windows/keep-secure/images/whoami-privilege-list.png new file mode 100644 index 0000000000..4c335aa7b5 Binary files /dev/null and b/windows/keep-secure/images/whoami-privilege-list.png differ diff --git a/windows/keep-secure/images/windows-firewall-state-off.png b/windows/keep-secure/images/windows-firewall-state-off.png new file mode 100644 index 0000000000..3be52d38ac Binary files /dev/null and b/windows/keep-secure/images/windows-firewall-state-off.png differ diff --git a/windows/keep-secure/images/windows-firewall-with-advanced-security.png b/windows/keep-secure/images/windows-firewall-with-advanced-security.png new file mode 100644 index 0000000000..c6b59d896e Binary files /dev/null and b/windows/keep-secure/images/windows-firewall-with-advanced-security.png differ diff --git a/windows/keep-secure/images/windows-powershell-get-gpo.png b/windows/keep-secure/images/windows-powershell-get-gpo.png new file mode 100644 index 0000000000..b6a818703c Binary files /dev/null and b/windows/keep-secure/images/windows-powershell-get-gpo.png differ diff --git a/windows/keep-secure/impersonate-a-client-after-authentication.md b/windows/keep-secure/impersonate-a-client-after-authentication.md index 6735e29692..9dc1b4f485 100644 --- a/windows/keep-secure/impersonate-a-client-after-authentication.md +++ b/windows/keep-secure/impersonate-a-client-after-authentication.md 
@@ -2,7 +2,7 @@ title: Impersonate a client after authentication (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Impersonate a client after authentication security policy setting. ms.assetid: 4cd241e2-c680-4b43-8ed0-3b391925cec5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index 95e304939b..1680e13ed9 100644 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md @@ -3,7 +3,7 @@ title: Implement Microsoft Passport in your organization (Windows 10) description: You can create a Group Policy or mobile device management (MDM) policy that will implement Microsoft Passport on devices running Windows 10. ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8 keywords: identity, PIN, biometric, Hello -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md new file mode 100644 index 0000000000..25f0fba560 --- /dev/null +++ b/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md 
@@ -0,0 +1,47 @@ +--- +title: Implementing Your Windows Firewall with Advanced Security Design Plan (Windows 10) +description: Implementing Your Windows Firewall with Advanced Security Design Plan +ms.assetid: 15f609d5-5e4e-4a71-9eff-493a2e3e40f9 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Implementing Your Windows Firewall with Advanced Security Design Plan + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +The following are important factors in the implementation of your Windows Firewall with Advanced Security design plan: + +- **Group Policy**. The Windows Firewall with Advanced Security designs make extensive use of Group Policy deployed by Active Directory Domain Services (AD DS). A sound Group Policy infrastructure is required to successfully deploy the firewall and IPsec settings and rules to the devices on your network. + +- **Perimeter firewall**. Most organizations use a perimeter firewall to help protect the devices on the network from potentially malicious network traffic from outside of the organization's network boundaries. If you plan a deployment that includes a boundary zone to enable external devices to connect to devices in that zone, then you must allow that traffic through the perimeter firewall to the devices in the boundary zone. + +- **Devices running operating systems other than Windows**. If your network includes devices that are not running the Windows operating system, then you must make sure that required communication with those devices is not blocked by the restrictions put in place by your design. You must do one of the following: + + - Include those devices in the isolated domain or zone by adding certificate-based authentication to your design. Many other operating systems can participate in an isolated domain or isolated server scenario, as long as certificate-based authentication is used. 
+ + - Include the device in the authentication exemption list included in your design. You can choose this option if for any reason the device cannot participate in the isolated domain design. + +## How to implement your Windows Firewall with Advanced Security design using this guide + + +The next step in implementing your design is to determine in what order each of the deployment steps must be performed. This guide uses checklists to help you accomplish the various deployment tasks that are required to implement your design plan. As the following diagram shows, checklists and subchecklists are used as necessary to provide the end-to-end procedure for deploying a design. + +![wfas implementation](images/wfas-implement.gif) + +Use the following parent checklists in this section of the guide to become familiar with the deployment tasks for implementing your organization's Windows Firewall with Advanced Security design. + +- [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md) + +- [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md) + +- [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md) + +- [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md) + +The procedures in these checklists use the Group Policy MMC snap-in interfaces to configure firewall and connection security rules in GPOs, but you can also use Windows PowerShell. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). This guide recommends using GPOs in a specific way to deploy the rules and settings for your design. 
For information about deploying your GPOs, see [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) and the checklist [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md). diff --git a/windows/keep-secure/import-an-applocker-policy-from-another-computer.md b/windows/keep-secure/import-an-applocker-policy-from-another-computer.md index 199d82deae..0f0e11976b 100644 --- a/windows/keep-secure/import-an-applocker-policy-from-another-computer.md +++ b/windows/keep-secure/import-an-applocker-policy-from-another-computer.md @@ -2,7 +2,7 @@ title: Import an AppLocker policy from another computer (Windows 10) description: This topic for IT professionals describes how to import an AppLocker policy. ms.assetid: b48cb2b2-8ef8-4cc0-89bd-309d0b1832f6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/import-an-applocker-policy-into-a-gpo.md b/windows/keep-secure/import-an-applocker-policy-into-a-gpo.md index a5dfd645ac..c03e2d5282 100644 --- a/windows/keep-secure/import-an-applocker-policy-into-a-gpo.md +++ b/windows/keep-secure/import-an-applocker-policy-into-a-gpo.md @@ -2,7 +2,7 @@ title: Import an AppLocker policy into a GPO (Windows 10) description: This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO). ms.assetid: 0629ce44-f5e2-48a8-ba47-06544c73261f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/increase-a-process-working-set.md b/windows/keep-secure/increase-a-process-working-set.md index da0458fb81..237be32d51 100644 --- a/windows/keep-secure/increase-a-process-working-set.md +++ b/windows/keep-secure/increase-a-process-working-set.md 
@@ -2,7 +2,7 @@ title: Increase a process working set (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Increase a process working set security policy setting. ms.assetid: b742ad96-37f3-4686-b8f7-f2b48367105b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/increase-scheduling-priority.md b/windows/keep-secure/increase-scheduling-priority.md index a7d5d1646b..727d53c8e1 100644 --- a/windows/keep-secure/increase-scheduling-priority.md +++ b/windows/keep-secure/increase-scheduling-priority.md @@ -2,7 +2,7 @@ title: Increase scheduling priority (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Increase scheduling priority security policy setting. ms.assetid: fbec5973-d35e-4797-9626-d0d56061527f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md index 5b1c59fb81..b605acb372 100644 --- a/windows/keep-secure/index.md +++ b/windows/keep-secure/index.md @@ -2,7 +2,7 @@ title: Keep Windows 10 secure (Windows 10) description: Learn about keeping Windows 10 and Windows 10 Mobile secure. ms.assetid: EA559BA8-734F-41DB-A74A-D8DBF36BE920 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md index 2b407e7511..a1d2220641 100644 --- a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md 
@@ -2,7 +2,7 @@ title: Initialize and configure ownership of the TPM (Windows 10) description: This topic for the IT professional describes how to initialize and set the ownership the Trusted Platform Module (TPM), turn the TPM on and off, and clear TPM keys. ms.assetid: 1166efaf-7aa3-4420-9279-435d9c6ac6f8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md b/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md index 99bab3e2fa..6bd8e60c5d 100644 --- a/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md +++ b/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md @@ -3,7 +3,7 @@ title: Install digital certificates on Windows 10 Mobile (Windows 10) description: Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. ms.assetid: FF7B1BE9-41F4-44B0-A442-249B650CEE25 keywords: S/MIME, PFX, SCEP -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -22,7 +22,7 @@ Certificates in Windows 10 Mobile are primarily used for the following purposes - To authenticate a user to a reverse proxy server that is used to enable Microsoft Exchange ActiveSync (EAS) for email. - For installation and licensing of applications (from the Windows Phone Store or a custom company distribution site). -## Install certificates using Internet Explorer +## Install certificates using Microsoft Edge A certificate can be posted on a website and made available to users through a device-accessible URL that they can use to download the certificate. When a user accesses the page and taps the certificate, it opens on the device. The user can inspect the certificate, and if they choose to continue, the certificate is installed on the Windows 10 Mobile device. 
@@ -42,7 +42,7 @@ Windows 10 Mobile supports root, CA, and client certificate to be configured vi 3. The trusted CA certificate is installed directly during MDM request. 4. The device accepts certificate enrollment request. 5. The device generates private/public key pair. -6. The device connects to Internet facing point exposed by MDM server. +6. The device connects to Internet-facing point exposed by MDM server. 7. MDM server creates a certificate that is signed with proper CA certificate and returns it to device. > **Note:**  The device supports the pending function to allow server side to do additional verification before issuing the cert. In this case, a pending status is sent back to the device. The device will periodically contact the server, based on preconfigured retry count and retry period parameters. Retrying ends when either: diff --git a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md index 998c7d3a6d..7c1d049314 100644 --- a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md +++ b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md @@ -2,7 +2,7 @@ title: Interactive logon Display user information when the session is locked (Windows 10) description: Describes the best practices, location, values, and security considerations for the Interactive logon Display user information when the session is locked security policy setting. ms.assetid: 9146aa3d-9b2f-47ba-ac03-ff43efb10530 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md index 945989b859..0177def043 100644 --- a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md 
+++ b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md @@ -2,7 +2,7 @@ title: Interactive logon Do not display last user name (Windows 10) description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not display last user name security policy setting. ms.assetid: 98b24b03-95fe-4edc-8e97-cbdaa8e314fd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md index 34a748af68..f2741165ce 100644 --- a/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md +++ b/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md @@ -2,7 +2,7 @@ title: Interactive logon Do not require CTRL+ALT+DEL (Windows 10) description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not require CTRL+ALT+DEL security policy setting. ms.assetid: 04e2c000-2eb2-4d4b-8179-1e2cb4793e18 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md b/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md index 3e7824eedb..ee2f89dfe2 100644 --- a/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md +++ b/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md @@ -2,7 +2,7 @@ title: Interactive logon Machine account lockout threshold (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Machine account lockout threshold security policy setting. ms.assetid: ebbd8e22-2611-4ebe-9db9-d49344e631e4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/interactive-logon-machine-inactivity-limit.md b/windows/keep-secure/interactive-logon-machine-inactivity-limit.md index 9fb56662fb..5ecfd51a7e 100644 --- a/windows/keep-secure/interactive-logon-machine-inactivity-limit.md +++ b/windows/keep-secure/interactive-logon-machine-inactivity-limit.md @@ -2,7 +2,7 @@ title: Interactive logon Machine inactivity limit (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Machine inactivity limit security policy setting. ms.assetid: 7065b4a9-0d52-41d5-afc4-5aedfc4162b5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md index 2277884c62..6ee93f3d7a 100644 --- a/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md +++ b/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md @@ -2,7 +2,7 @@ title: Interactive logon Message text for users attempting to log on (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Message text for users attempting to log on security policy setting. ms.assetid: fcfe8a6d-ca65-4403-b9e6-2fa017a31c2e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md index 7e5719c49b..5fd221ea00 100644 --- a/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md +++ b/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md 
@@ -2,7 +2,7 @@ title: Interactive logon Message title for users attempting to log on (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Message title for users attempting to log on security policy setting. ms.assetid: f2596470-4cc0-4ef1-849c-bef9dc3533c6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md index 651f08183b..c57b5db6e3 100644 --- a/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md +++ b/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md @@ -2,7 +2,7 @@ title: Interactive logon Number of previous logons to cache (in case domain controller is not available) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Number of previous logons to cache (in case domain controller is not available) security policy setting. ms.assetid: 660e925e-cc3e-4098-a41e-eb8db8062d8d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md index 6e08f688d8..3b6173cf5c 100644 --- a/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md 
@@ -2,7 +2,7 @@ title: Interactive logon Prompt user to change password before expiration (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Prompt user to change password before expiration security policy setting. ms.assetid: 8fe94781-40f7-4fbe-8cfd-5e116e6833e9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md index 9660b5770a..0faeff4378 100644 --- a/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md +++ b/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md @@ -2,7 +2,7 @@ title: Interactive logon Require Domain Controller authentication to unlock workstation (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Interactive logon Require Domain Controller authentication to unlock workstation security policy setting. ms.assetid: 97618ed3-e946-47db-a212-b5e7a4fc6ffc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-require-smart-card.md b/windows/keep-secure/interactive-logon-require-smart-card.md index faf1834204..2441b3c3e7 100644 --- a/windows/keep-secure/interactive-logon-require-smart-card.md +++ b/windows/keep-secure/interactive-logon-require-smart-card.md 
@@ -2,7 +2,7 @@ title: Interactive logon Require smart card (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Require smart card security policy setting. ms.assetid: c6a8c040-cbc7-472d-8bc5-579ddf3cbd6c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md b/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md index 29eba6fd2b..a2ba648b93 100644 --- a/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md +++ b/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md @@ -2,7 +2,7 @@ title: Interactive logon Smart card removal behavior (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Smart card removal behavior security policy setting. ms.assetid: 61487820-9d49-4979-b15d-c7e735999460 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md index 02e10c15b7..d724b1862d 100644 --- a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md 
@@ -3,9 +3,11 @@ title: Investigate Windows Defender Advanced Threat Protection alerts description: Use the investigation options to get details on which alerts are affecting your network, what they mean, and how to resolve them. keywords: investigate, investigation, machines, machine, endpoints, endpoint, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security +author: mjcaparas --- # Investigate Windows Defender Advanced Threat Protection alerts diff --git a/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md index f5864ee6f3..fd75059fff 100644 --- a/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Investigate Windows Defender Advanced Threat Protection domains description: Use the investigation options to see if machines and servers have been communicating with malicious domains. keywords: investigate domain, domain, malicious domain, windows defender atp, alert, URL search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- # Investigate a domain associated with a Windows Defender ATP alert diff --git a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md index 3b0b76a04d..2f82d6927e 100644 --- a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md 
@@ -3,9 +3,10 @@ title: Investigate Windows Defender Advanced Threat Protection files description: Use the investigation options to get details on files associated with alerts, behaviours, or events. keywords: investigate, investigation, file, malicious activity, attack motivation, deep analysis, deep analysis report search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- # Investigate a file associated with a Windows Defender ATP alert diff --git a/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md index 5e516f6425..e1427b0400 100644 --- a/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Investigate Windows Defender Advanced Threat Protection IP address description: Use the investigation options to examine possible communication between machines and external IP addresses. keywords: investigate, investigation, IP address, alert, windows defender atp, external IP search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- # Investigate an IP address associated with a Windows Defender ATP alert diff --git a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md index a248e46dd3..4778e194e5 100644 --- a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md 
@@ -3,9 +3,10 @@ title: Investigate machines in the Windows Defender ATP Machines view description: Investigate affected machines in your network by reviewing alerts, network connection information, and service health on the Machines view. keywords: machines, endpoints, machine, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, active malware detections, threat category, filter, sort, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, low severity search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/isolated-domain-gpos.md b/windows/keep-secure/isolated-domain-gpos.md new file mode 100644 index 0000000000..b7f6c3b921 --- /dev/null +++ b/windows/keep-secure/isolated-domain-gpos.md 
@@ -0,0 +1,26 @@ +--- +title: Isolated Domain GPOs (Windows 10) +description: Isolated Domain GPOs +ms.assetid: e254ce4a-18c6-4868-8179-4078d9de215f +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Isolated Domain GPOs + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +All of the devices in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section. + +Each GPO has a security group filter that prevents the GPO from applying to members of the group GP\_DOMISO\_No\_IPsec. A WMI filter is attached to each GPO to ensure that the GPO is applied to only the specified version of Windows. For more information, see the [Planning GPO Deployment](planning-gpo-deployment.md) section. + +The GPOs created for the Woodgrove Bank isolated domain include the following: + +- [GPO\_DOMISO\_IsolatedDomain\_Clients](gpo-domiso-isolateddomain-clients.md) + +- [GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md) diff --git a/windows/keep-secure/isolated-domain.md b/windows/keep-secure/isolated-domain.md new file mode 100644 index 0000000000..3d23484bf9 --- /dev/null +++ b/windows/keep-secure/isolated-domain.md 
@@ -0,0 +1,59 @@ +--- +title: Isolated Domain (Windows 10) +description: Isolated Domain +ms.assetid: d6fa8d67-0078-49f6-9bcc-db1f24816c5e +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Isolated Domain + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +The isolated domain is the primary zone for trusted devices. The devices in this zone use connection security and firewall rules to control the communications that can be sent between devices in the zone. + +The term *domain* in this context means a boundary of communications trust instead of an Active Directory domain. In this solution the two constructs are very similar because Active Directory domain authentication (Kerberos V5) is required for accepting inbound connections from trusted devices. However, many Active Directory domains (or forests) can be linked with trust relationships to provide a single, logical, isolated domain. In addition, devices that authenticate by using certificates can also be included in an isolated domain without joining the Active Directory domain. + +For most implementations, an isolated domain will contain the largest number of devices. Other isolation zones can be created for the solution if their communication requirements differ from those of the isolated domain. Examples of these differences are what result in the boundary and encryption zones described in this guide. Conceptually, the isolated domain is just the largest isolation zone, and a superset to the other zones. + +You must create a group in Active Directory to contain members of the isolated domain. You then apply one of several GPOs that contain connection security and firewall rules to the group so that authentication on all inbound network connections is enforced. 
Creation of the group and how to link the GPOs that apply the rules to its members are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. + +The GPOs for the isolated domain should contain the following connection security rules and settings. + +## GPO settings for isolated domain members running at least Windows Vista and Windows Server 2008 + + +GPOs for devices running at least Windows Vista and Windows Server 2008 should include the following: + +- IPsec default settings that specify the following options: + + 1. Exempt all ICMP traffic from IPsec. + + 2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems. + + 3. Data protection (quick mode) algorithm combinations. We recommend that you do not include DES, or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. + + If any NAT devices are present on your networks, use ESP encapsulation. If isolated domain members must communicate with hosts in the encryption zone, ensure that you include algorithms that are compatible with the requirements of the encryption mode policies. + + 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers, then also include user-based Kerberos V5 as an optional authentication method. Likewise, if any of your isolated domain members cannot use Kerberos V5 authentication, then include certificate-based authentication as an optional authentication method. + +- The following connection security rules: + + - A connection security rule that exempts all devices on the exemption list from authentication. 
Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, where possible, instead of discrete addresses, if applicable in your environment. + + - A connection security rule, from any IP address to any, that requires inbound and requests outbound authentication by using Kerberos V5 authentication. + + >**Important:**  Be sure to begin operations by using request in and request out behavior until you are sure that all the devices in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the policy to require in, request out.  + +- A registry policy that includes the following values: + + - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. + + >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). + +**Next: **[Boundary Zone](boundary-zone.md) diff --git a/windows/keep-secure/isolating-apps-on-your-network.md b/windows/keep-secure/isolating-apps-on-your-network.md new file mode 100644 index 0000000000..09367196c5 --- /dev/null +++ b/windows/keep-secure/isolating-apps-on-your-network.md 
@@ -0,0 +1,249 @@ +--- +title: Isolating Windows Store Apps on Your Network (Windows 10) +description: Isolating Windows Store Apps on Your Network +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Isolating Windows Store Apps on Your Network + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +When you add new devices to your network, you may want to customize your Windows Firewall configuration to isolate the network access of the new Windows Store apps that run on them. Developers who build Windows Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app. + +For example, a developer can decide that their app should only connect to trusted local networks (such as at home or work), and not to the Internet. In this way, developers can define the scope of network access for their app. This network isolation prevents an app from accessing a network and a connection type (inbound or outbound) if the connection has not been configured for the app. Then the network administrator can customize the firewall to further restrict the resources that the app can access. + +The ability to set and enforce these network boundaries ensures that apps that get compromised can only access networks where they have been explicitly granted access. This significantly reduces the scope of their impact on other apps, the device, and the network. In addition, apps can be isolated and protected from malicious access from the network. 
+ +When creating new Windows Store apps, a developer can define the following network capabilities for their app: + +- **Home\\Work Networking** + + Provides inbound and outbound access to intranet networks that the user has designated as a home or a work network, or if the network has an authenticated domain controller. + +- **Internet (Client)** + + Provides outbound access to the Internet and untrusted networks, such as airports and coffee shops (for example, intranet networks where the user has designated the network as Public). Most apps that require Internet access should use this capability. + +- **Internet (Client and Server)** + + Provides inbound and outbound access to the Internet and untrusted networks, such as airports and coffee shops. This capability is a superset of the **Internet (Client)** capability, and **Internet (Client)** does not need to be enabled if this capability is enabled. + +- **Proximity** + + Provides near-field communication (NFC) with devices that are in close proximity to the device. Proximity may be used to send files or connect with an application on a proximate device. + +**In this topic** + +To isolate Windows Store apps on your network, you need to use Group Policy to define your network isolation settings and create custom Windows Store app firewall rules. + +- [Prerequisites](#prerequisites) + +- [Step 1: Define your network](#step-1-Define-your-network) + +- [Step 2: Create custom firewall rules](#step-2-create-custom-firewall-rules) + +## Prerequisites + +- A domain controller is installed on your network, and your devices are joined to the Windows domain. + +- Your Windows Store app is installed on the client device. + +- The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Windows Store app when you create Windows Firewall rules. 
+ + >**Note:**  You can install the RSAT on your device running Windows 10 from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). + +   +## Step 1: Define your network + +The **Home\\Work Networking** capability enables access to intranet resources. Administrators can use Group Policy settings to define the scope of the intranet. This ensures that Windows Store apps can access intranet resources appropriately. + +A network endpoint is considered part of the **Home\\Work Network** if: + +- It is part of the local subnet of a trusted network. + + For example, home users generally flag their network as Trusted. Local devices will be designated as such. + +- A device is on a network, and it is authenticated to a domain controller. + + - Endpoints within the intranet address space are considered private. + + - Endpoints within the local subnet are considered private. + +- The device is configured for DirectAccess, and the endpoint is part of the intranet address space. + +The intranet address space is composed of configured Active Directory sites and subnets, and it is configured for Windows network isolation specifically by using Group Policy. You can disable the usage of Active Directory sites and subnets by using Group Policy by declaring that your subnet definitions are authoritative. + +Any proxies that you configure or that are automatically configured with proxy autoconfiguration (by using Web Proxy Auto-Discovery (WPAD) protocol) are exempt from the intranet zone. You can add proxy addresses by using Group Policy. + +All other endpoints that do not meet the previously stated criteria are considered endpoints on the Internet. + +**To configure a GPO that defines your intranet address space** + +1. Open the Group Policy Management snap-in (gpmc.msc) and edit the Default Domain Policy. + +2. 
From the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Administrative Templates**, expand **Network**, and click **Network Isolation**. + +3. In the right pane, double-click **Private network ranges for apps**. + +4. In the **Private network ranges for apps** dialog box, click **Enabled**. In the **Private subnets** text box, type the private subnets for your intranet, separated by commas if necessary. + + For example, if the Contoso intranet is defined as 10.0.0.0 with a subnet mask of 255.255.255.0, you would type 10.0.0.0/24 in the **Private subnets** text box. + +5. Double-click **Subnet definitions are authoritative**. + + If you want the subnet definitions that you previously created to be the single source for your subnet definition, click **Enabled**. Otherwise, leave the **Not Configured** default so that you can add additional subnets by using local settings or network isolation heuristics. + +**To configure the proxy addresses for the intranet and Internet** + +1. Double-click **Internet proxy servers for apps**. Click **Enabled**, and then in the **Domain Proxies** text box, type the IP addresses of your Internet proxy servers, separated by semicolons. + +2. Double-click **Intranet proxy servers for apps**. Click **Enabled**, and then in the IP address text box, type the IP addresses of your intranet proxy servers, separated by semicolons. + +3. Double-click **Proxy definitions are authoritative**. + + If you want the proxy definitions that you previously created to be the single source for your proxy definition, click **Enabled**. Otherwise, leave the **Not Configured** default so that you can add additional proxies by using local settings or network isolation heuristics. + +## Step 2: Create custom firewall rules + +Windows Store apps can declare many capabilities in addition to the network capabilities discussed previously. 
For example, apps can declare capabilities to access user identity, the local file system, and certain hardware devices. + +The following table provides a complete list of the possible app capabilities. + +| Capability | Name | Description | +| - | - | - | +| **Internet (Client)** | internetClient | Your outgoing Internet connection.| +| **Internet (Client & Server)** | internetClientServer| Your Internet connection, including incoming unsolicited connections from the Internet The app can send information to or from your device through a firewall. You do not need to declare **internetClient** if this capability is declared. +| **Home\Work Networking** |privateNetworkClientServer| A home or work network. The app can send information to or from your device and other devices on the same network.| +| **Document Library Access**| documentsLibrary| Your Documents library, including the capability to add, change, or delete files. The package can only access file types that are declared in the manifest.| +| **Picture Library Access**| picturesLibrary| Your Pictures library, including the capability to add, change, or delete files.| +| **Video Library Access**| videosLibrary| Your Videos library, including the capability to add, change, or delete files.| +| **Music Library Access**| musicLibrary|Your Music library, including the capability to add, change, or delete files.| +| **Default Windows Credentials**| defaultWindowsCredentials| Your Windows credentials for access to a corporate intranet. This application can impersonate you on the network.| +| **Removable Storage** | removableStorage| A removable storage device, such as an external hard disk, USB flash drive, or MTP portable device, including the capability to add, change, or delete specific files. This package can only access file types that are declared in the manifest.| +| **Shared User Certificates**| sharedUserCertificates| Software and hardware certificates or a smart card, which the app uses to identify you. 
This capability can be used by an employer, a bank, or government services to identify you.| +| **Location**| location| Provides access to the user's current location.| +| **Microphone** | microphone| Provides access to the microphone's audio feed.| +| **Near-field Proximity** | proximity| Required for near-field communication (NFC) between devices in close proximity. NFC can be used to send files or connect with an app on a proximate device.| +| **Text Messaging** | sms| Provides access to text messaging functionality.| +| **Webcam** | webcam| Provides access to the webcam's video feed.| +| **Other devices (represented by GUIDs)** | <GUID>| Includes specialized devices and Windows Portable Devices.| + +You can create a Windows Firewall policy that is scoped to a set of apps that use a specified capability or scoped to a specific Windows Store app. + +For example, you could create a Windows Firewall policy to block Internet access for any apps on your network that have the Documents Library capability. + +**To block Internet access for any apps on your network that have the Documents Library capability** + +1. Open the Group Policy Management snap-in (gpmc.msc). + +2. In the left pane, right-click your domain name and click **Create a GPO in this domain, and link it here**. + +3. Type a name for the GPO in the **Name** text box, and then click **OK**. + +4. Right-click the new GPO, and then click **Edit**. + +5. In the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Firewall with Advanced Security**, and click **Windows Firewall with Advanced Security – LDAP://…** + +6. Right-click **Outbound Rules**, and then click **New Rule**. + +7. Click **Custom**, and then click **Next**. + +8. Click **Next** on the **Program** page, the **Protocols and Ports** page, and the **Scope** page. + +9. 
On the **Action** page, ensure that **Block the Connection** is selected, and then click **Next**. + +10. On the **Profile** page, click **Next**. + +11. On the **Name** page, type a name for your rule, and then click **Finish**. + +12. In the right pane, right-click your new rule and click **Properties**. + +13. Click the **Local Principals** tab, select the **Only allow connections from these users** check box, and then click **Add**. + +14. Click **Application Package Properties**, and then click **OK**. + +15. In the **Choose Capabilities** dialog box, click **APPLICATION PACKAGE AUTHORITY\\Your documents library**, and then click **OK**. + +16. Click the **Scope** tab under **Remote IP addresses**, and then click **Add**. + +17. Click **Predefined set of computers**, select **Internet**, and click **OK**. + + This scopes the rule to block traffic to Internet devices. + +18. Click the **Programs and Services** tab, and in the **Application Packages** area, click **Settings**. + +19. Click **Apply to application packages only**, and then click **OK**. + + >**Important:**  You must do this to ensure that the rule applies only to Windows Store apps and not to other apps. Desktop apps declare all capabilities by default, and this rule would apply to them if you do not configure it this way. + +20. Click **OK** to close the **Properties** dialog box. + +21. Close the Group Policy Management Editor. + +22. In the Group Policy Management snap-in, ensure that your new GPO is selected, and in the right pane under **Security Filtering**, select **Authenticated Users**. Click **Remove**, and then click **OK**. + +23. Under **Security Filtering**, click **Add**. + +24. Type **domain computers** in the text box, and then click **OK**. + +25. Close the Group Policy Management snap-in. + +Use the following procedure if you want to block intranet access for a specific media sharing app on your network. 
+ +**To block intranet access for a specific media sharing app on your network** + +1. Open the Group Policy Management snap-in (gpmc.msc). + +2. In the left pane, right-click your domain name, and then click **Create a GPO in this domain, and link it here**. + +3. Type a name for your GPO in the **Name** text box, and then click **OK**. + +4. Right-click your new GPO, and then click **Edit**. + +5. From the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Firewall with Advanced Security**, and then click **Windows Firewall with Advanced Security – LDAP://**… + +6. Right-click **Outbound Rules**, and then click **New Rule**. + +7. Click **Custom**, and then click **Next**. + +8. Click **Next** on the **Program** page, the **Protocols and Ports** page, and the **Scope** page. + +9. On the **Action** page, ensure **Block the Connection** is selected, and then click **Next**. + +10. On the **Profile** page, click **Next**. + +11. On the **Name** page, type a name for your rule, and then click **Finish**. + +12. In the right pane, right-click your new rule, and then click **Properties**. + +13. Click the **Local Principals** tab, select the **Only allow connections from these users** check box, and then click **Add**. + +14. Click **Application Package Properties**, and then click **OK**. + +15. In the **Choose Capabilities** dialog box, click **APPLICATION PACKAGE AUTHORITY\\A home or work network**, and then click **OK**. + +16. Click the **Programs and Services** tab under **Application Packages**, and then click **Settings**. + +17. Click **Apply to this application package**, select the app in the text box, and then click **OK**. + +18. Click **OK** to close the **Properties** dialog box. + +19. Close the Group Policy Management Editor. + +20. 
In Group Policy Management, ensure that your new GPO is selected, and in the right pane under **Security Filtering**, select **Authenticated Users**, click **Remove**, and then click **OK**. + +21. Under **Security Filtering**, click **Add**. + +22. Type **domain computers** in the text box and click **OK**. + +23. Close Group Policy Management. + +## See also + +- [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md) diff --git a/windows/keep-secure/kerberos-policy.md b/windows/keep-secure/kerberos-policy.md index fa68f49ac1..0cb40c4482 100644 --- a/windows/keep-secure/kerberos-policy.md +++ b/windows/keep-secure/kerberos-policy.md @@ -2,7 +2,7 @@ title: Kerberos Policy (Windows 10) description: Describes the Kerberos Policy settings and provides links to policy setting descriptions. ms.assetid: 94017dd9-b1a3-4624-af9f-b29161b4bf38 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/link-the-gpo-to-the-domain.md b/windows/keep-secure/link-the-gpo-to-the-domain.md new file mode 100644 index 0000000000..ab224211e6 --- /dev/null +++ b/windows/keep-secure/link-the-gpo-to-the-domain.md 
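Review bot: the in-topic link `[Step 1: Define your network](#step-1-Define-your-network)` uses a capital D in the anchor, but the heading `## Step 1: Define your network` produces the lowercase slug `#step-1-define-your-network`, so the link will not resolve; lowercase it to match the Step 2 link. In the capabilities table, the **Internet (Client & Server)** row is missing its closing `|` and a period before "The app can send information", and the last row's `<GUID>` will be consumed as an HTML tag by the markdown renderer; write it as `&lt;GUID&gt;` or put it in backticks. Under Step 1 the capability is called **Home\\Work Networking** in one sentence and **Home\\Work Network** in the next; use one name. In the first procedure, step 16 reads "Click the **Scope** tab under **Remote IP addresses**", which inverts the UI hierarchy: the reader clicks the **Scope** tab and then, under **Remote IP addresses**, clicks **Add** (step 16 of the second procedure has the same inversion with **Programs and Services** and **Application Packages**). Also, "if they desire more control" in the intro should be "if you want more control", and the two LDAP path strings are bolded inconsistently (`– LDAP://…**` versus `– LDAP://**…`).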
@@ -0,0 +1,38 @@ +--- +title: Link the GPO to the Domain (Windows 10) +description: Link the GPO to the Domain +ms.assetid: 746d4553-b1a6-4954-9770-a948926b1165 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Link the GPO to the Domain + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target devices. + +If the filters comprehensively control the application of the GPO to only the correct devices, then you can link the GPO to the domain container. Alternatively, you can link the GPO to a site container or organizational unit if you want to limit application of the GPO to that subset of devices. + +**Administrative credentials** + +To complete this procedure, you must be a member of the Domain Admins group, or otherwise be delegated permissions to modify the GPOs. + +To link the GPO to the domain container in Active Directory + +1. Open the Group Policy Management console. + +2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, and then expand *YourDomainName*. + +3. Right-click *YourDomainName*, and then click **Link an Existing GPO**. + +4. In the **Select GPO** dialog box, select the GPO that you want to deploy, and then click **OK**. + +5. The GPO appears in the **Linked Group Policy Objects** tab in the details pane and as a linked item under the domain container in the navigation pane. + +6. You can adjust the order of the linked GPOs to ensure that the higher priority GPOs are processed last. Select a GPO and click the up or down arrows to move it. The GPOs are processed by the client device from the highest link order number to the lowest. 
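Review bot: the procedure title "To link the GPO to the domain container in Active Directory" is plain text, while this topic bolds **Administrative credentials** and the other new topics in this change bold their procedure titles (for example **To configure a GPO that defines your intranet address space**); bold it for consistency. Steps 5 and 6 are not actions the reader performs: step 5 describes the result of step 4 and belongs as an unnumbered result line under it, and step 6 is optional guidance about link order that reads better as a note after the list. In that note, "ensure that the higher priority GPOs are processed last" and "processed ... from the highest link order number to the lowest" are both correct, but stating them in one sentence (the lowest link order number is applied last and therefore wins) would save the reader from working out the relationship.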
diff --git a/windows/keep-secure/load-and-unload-device-drivers.md b/windows/keep-secure/load-and-unload-device-drivers.md index 0ef993463c..a0500dbf3c 100644 --- a/windows/keep-secure/load-and-unload-device-drivers.md +++ b/windows/keep-secure/load-and-unload-device-drivers.md @@ -2,7 +2,7 @@ title: Load and unload device drivers (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Load and unload device drivers security policy setting. ms.assetid: 66262532-c610-470c-9792-35ff4389430f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/lock-pages-in-memory.md b/windows/keep-secure/lock-pages-in-memory.md index c2d3f4a39d..c1da29a511 100644 --- a/windows/keep-secure/lock-pages-in-memory.md +++ b/windows/keep-secure/lock-pages-in-memory.md @@ -2,7 +2,7 @@ title: Lock pages in memory (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Lock pages in memory security policy setting. ms.assetid: cc724979-aec0-496d-be4e-7009aef660a3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/log-on-as-a-batch-job.md b/windows/keep-secure/log-on-as-a-batch-job.md index 6ffcaa330e..e2be507be1 100644 --- a/windows/keep-secure/log-on-as-a-batch-job.md +++ b/windows/keep-secure/log-on-as-a-batch-job.md @@ -2,7 +2,7 @@ title: Log on as a batch job (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Log on as a batch job security policy setting. ms.assetid: 4eaddb51-0a18-470e-9d3d-5e7cd7970b41 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/log-on-as-a-service.md b/windows/keep-secure/log-on-as-a-service.md index 04d7784d74..eff13752ec 100644 
--- a/windows/keep-secure/log-on-as-a-service.md +++ b/windows/keep-secure/log-on-as-a-service.md @@ -2,7 +2,7 @@ title: Log on as a service (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Log on as a service security policy setting. ms.assetid: acc9a9e0-fd88-4cda-ab54-503120ba1f42 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/maintain-applocker-policies.md b/windows/keep-secure/maintain-applocker-policies.md index bc85d3af36..43bd39884e 100644 --- a/windows/keep-secure/maintain-applocker-policies.md +++ b/windows/keep-secure/maintain-applocker-policies.md @@ -2,7 +2,7 @@ title: Maintain AppLocker policies (Windows 10) description: This topic describes how to maintain rules within AppLocker policies. ms.assetid: b4fbfdfe-ef3d-49e0-a390-f2dfe74602bc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md index 12cc2527bd..718b2e22ce 100644 --- a/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md 
@@ -3,9 +3,11 @@ title: Manage Windows Defender Advanced Threat Protection alerts description: Change the status of alerts, create suppression rules to hide alerts, submit comments, and review change history for individual alerts with the Manage Alert menu. keywords: manage alerts, manage, alerts, status, new, in progress, resolved, resolve alerts, suppress, supression, rules, context, history, comments, changes search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security +author: mjcaparas --- # Manage Windows Defender Advanced Threat Protection alerts diff --git a/windows/keep-secure/manage-auditing-and-security-log.md b/windows/keep-secure/manage-auditing-and-security-log.md index 48c840cc7b..7a6cfdc0ea 100644 --- a/windows/keep-secure/manage-auditing-and-security-log.md +++ b/windows/keep-secure/manage-auditing-and-security-log.md @@ -2,7 +2,7 @@ title: Manage auditing and security log (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Manage auditing and security log security policy setting. ms.assetid: 4b946c0d-f904-43db-b2d5-7f0917575347 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md index 7f4b06da3d..dccabd045e 100644 --- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md +++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md 
@@ -3,10 +3,10 @@ title: Manage identity verification using Microsoft Passport (Windows 10) description: In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN. ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E keywords: identity, PIN, biometric, Hello -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security +ms.pagetype: security, mobile author: jdeckerMS --- # Manage identity verification using Microsoft Passport diff --git a/windows/keep-secure/manage-packaged-apps-with-applocker.md b/windows/keep-secure/manage-packaged-apps-with-applocker.md index dcad549bfa..e1a7639af3 100644 --- a/windows/keep-secure/manage-packaged-apps-with-applocker.md +++ b/windows/keep-secure/manage-packaged-apps-with-applocker.md @@ -2,7 +2,7 @@ title: Manage packaged apps with AppLocker (Windows 10) description: This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. ms.assetid: 6d0c99e7-0284-4547-a30a-0685a9916650 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/manage-tpm-commands.md b/windows/keep-secure/manage-tpm-commands.md index 1aa0ca5061..0620207ec5 100644 --- a/windows/keep-secure/manage-tpm-commands.md +++ b/windows/keep-secure/manage-tpm-commands.md @@ -2,7 +2,7 @@ title: Manage TPM commands (Windows 10) description: This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. ms.assetid: a78e751a-2806-43ae-9c20-2e7ca466b765 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/manage-tpm-lockout.md b/windows/keep-secure/manage-tpm-lockout.md index 7c75700ed0..61c94cc77e 100644 --- a/windows/keep-secure/manage-tpm-lockout.md +++ b/windows/keep-secure/manage-tpm-lockout.md @@ -2,7 +2,7 @@ title: Manage TPM lockout (Windows 10) description: This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. ms.assetid: bf27adbe-404c-4691-a644-29ec722a3f7b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md new file mode 100644 index 0000000000..3187e17371 --- /dev/null +++ b/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md 
@@ -0,0 +1,33 @@ +--- +title: Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design (Windows 10) +description: Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design +ms.assetid: 7e68c59e-ba40-49c4-8e47-5de5d6b5eb22 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +After you finish reviewing the existing Windows Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design. + +>**Important:**  The first three designs presented in this guide build on each other to progress from simpler to more complex. Therefore during deployment, consider implementing them in the order presented. Each deployed design also provides a stable position from which to evaluate your progress, and to make sure that your goals are being met before you continue to the next design. + +Use the following table to determine which Windows Firewall with Advanced Security design maps to the appropriate combination of Windows Firewall with Advanced Security deployment goals for your organization. This table refers only to the Windows Firewall with Advanced Security designs as described in this guide. However, you can create a hybrid or custom Windows Firewall with Advanced Security design by using any combination of the Windows Firewall with Advanced Security deployment goals to meet the needs of your organization. 
+ +| Deployment Goals | Basic Firewall Policy Design | Domain Isolation Policy Design | Server Isolation Policy Design | Certificate-based Isolation Policy Design | +| - |- | - | - | - | +| [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)| Yes| Yes| Yes| Yes| +| [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md) | -| Yes| Yes| Yes| +| [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)| -| -| Yes| Yes| +| [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)| -| Optional| Optional| Optional| + +To examine details for a specific design, click the design title at the top of the column in the preceding table. + +**Next: **[Basic Firewall Policy Design](basic-firewall-policy-design.md) diff --git a/windows/keep-secure/maximum-lifetime-for-service-ticket.md b/windows/keep-secure/maximum-lifetime-for-service-ticket.md index 3a0a6fff86..fd43969eb0 100644 --- a/windows/keep-secure/maximum-lifetime-for-service-ticket.md +++ b/windows/keep-secure/maximum-lifetime-for-service-ticket.md @@ -2,7 +2,7 @@ title: Maximum lifetime for service ticket (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for service ticket security policy setting. ms.assetid: 484bf05a-3858-47fc-bc02-6599ca860247 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md b/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md index c1f175c55b..f807fae4e2 100644 --- a/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md +++ b/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md 
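Review bot: `**Next: **[Basic Firewall Policy Design](basic-firewall-policy-design.md)` will not render as bold because the closing `**` follows a space; move the space outside the delimiters: `**Next:** [Basic Firewall Policy Design](basic-firewall-policy-design.md)`. The sentence "To examine details for a specific design, click the design title at the top of the column in the preceding table" refers to column headings that are plain text, not links; either link each heading to its design topic or point the reader at the **Next** link instead. Minor: "Therefore during deployment" in the Important note needs a comma after "Therefore".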
@@ -2,7 +2,7 @@ title: Maximum lifetime for user ticket renewal (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket renewal security policy setting. ms.assetid: f88cd819-3dd1-4e38-b560-13fe6881b609 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/maximum-lifetime-for-user-ticket.md b/windows/keep-secure/maximum-lifetime-for-user-ticket.md index e1a9089dd7..e37ae53435 100644 --- a/windows/keep-secure/maximum-lifetime-for-user-ticket.md +++ b/windows/keep-secure/maximum-lifetime-for-user-ticket.md @@ -2,7 +2,7 @@ title: Maximum lifetime for user ticket (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket policy setting. ms.assetid: bcb4ff59-334d-4c2f-99af-eca2b64011dc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/maximum-password-age.md b/windows/keep-secure/maximum-password-age.md index 30fb8319a2..488f04f383 100644 --- a/windows/keep-secure/maximum-password-age.md +++ b/windows/keep-secure/maximum-password-age.md @@ -2,7 +2,7 @@ title: Maximum password age (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum password age security policy setting. ms.assetid: 2d6e70e7-c8b0-44fb-8113-870c6120871d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md b/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md index f5f976b55a..63ebd1f934 100644 --- a/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md 
+++ b/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md @@ -2,7 +2,7 @@ title: Maximum tolerance for computer clock synchronization (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum tolerance for computer clock synchronization security policy setting. ms.assetid: ba2cf59e-d69d-469e-95e3-8e6a0ba643af -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/keep-secure/merge-applocker-policies-by-using-set-applockerpolicy.md index 42b8495ede..2e095a1533 100644 --- a/windows/keep-secure/merge-applocker-policies-by-using-set-applockerpolicy.md +++ b/windows/keep-secure/merge-applocker-policies-by-using-set-applockerpolicy.md @@ -2,7 +2,7 @@ title: Merge AppLocker policies by using Set-ApplockerPolicy (Windows 10) description: This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. ms.assetid: f1c7d5c0-463e-4fe2-a410-844a404f18d0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/merge-applocker-policies-manually.md b/windows/keep-secure/merge-applocker-policies-manually.md index c511afb3cd..2747de84e0 100644 --- a/windows/keep-secure/merge-applocker-policies-manually.md +++ b/windows/keep-secure/merge-applocker-policies-manually.md @@ -2,7 +2,7 @@ title: Merge AppLocker policies manually (Windows 10) description: This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO). ms.assetid: 3605f293-e5f2-481d-8efd-775f9f23c30f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md index 597e001a91..1cb4c83e11 100644 --- a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md @@ -2,7 +2,7 @@ title: Microsoft network client Digitally sign communications (always) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting. ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md index 3f25ac2921..4594534751 100644 --- a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md +++ b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md @@ -2,7 +2,7 @@ title: Microsoft network client Digitally sign communications (if server agrees) (Windows 10) description: Describes the best practices, location, values, and security considerations for the Microsoft network client Digitally sign communications (if server agrees) security policy setting. ms.assetid: e553f700-aae5-425c-8650-f251c90ba5dd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md index 56635e06cc..901baabc0f 100644 
--- a/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md +++ b/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md @@ -2,7 +2,7 @@ title: Microsoft network client Send unencrypted password to third-party SMB servers (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network client Send unencrypted password to third-party SMB servers security policy setting. ms.assetid: 97a76b93-afa7-4dd9-bb52-7c9e289b6017 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md index 76e38d84c1..f124f2216c 100644 --- a/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md +++ b/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md @@ -2,7 +2,7 @@ title: Microsoft network server Amount of idle time required before suspending session (Windows 10) description: Describes the best practices, location, values, and security considerations for the Microsoft network server Amount of idle time required before suspending session security policy setting. ms.assetid: 8227842a-569d-480f-b43c-43450bbaa722 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md index ea1b074c71..d979a1d65a 100644 --- a/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md 
+++ b/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md @@ -2,7 +2,7 @@ title: Microsoft network server Attempt S4U2Self to obtain claim information (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Microsoft network server Attempt S4U2Self to obtain claim information security policy setting. ms.assetid: e4508387-35ed-4a3f-a47c-27f8396adbba -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md index 23d423e6d9..e71590b3cf 100644 --- a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md @@ -2,7 +2,7 @@ title: Microsoft network server Digitally sign communications (always) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (always) security policy setting. ms.assetid: 2007b622-7bc2-44e8-9cf1-d34b62117ea8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md index 2f327071cb..6ad33d8c8d 100644 --- a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md +++ b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md 
@@ -2,7 +2,7 @@ title: Microsoft network server Digitally sign communications (if client agrees) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (if client agrees) security policy setting. ms.assetid: c92b2e3d-1dbf-4337-a145-b17a585f4fc1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md index b2737896f1..529004e2f0 100644 --- a/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md +++ b/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md @@ -2,7 +2,7 @@ title: Microsoft network server Disconnect clients when logon hours expire (Windows 10) description: Describes the best practices, location, values, and security considerations for the Microsoft network server Disconnect clients when logon hours expire security policy setting. ms.assetid: 48b5c424-9ba8-416d-be7d-ccaabb3f49af -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md index b5d71aae14..6096400f68 100644 --- a/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md +++ b/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md 
@@ -2,7 +2,7 @@ title: Microsoft network server Server SPN target name validation level (Windows 10) description: Describes the best practices, location, and values, policy management and security considerations for the Microsoft network server Server SPN target name validation level security policy setting. ms.assetid: 18337f78-eb45-42fd-bdbd-f8cd02c3e154 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-passport-and-password-changes.md b/windows/keep-secure/microsoft-passport-and-password-changes.md index 4325261928..ceebe00f0a 100644 --- a/windows/keep-secure/microsoft-passport-and-password-changes.md +++ b/windows/keep-secure/microsoft-passport-and-password-changes.md @@ -2,7 +2,7 @@ title: Microsoft Passport and password changes (Windows 10) description: When you set up Microsoft Passport, the PIN or biometric (Windows Hello) gesture that you use is specific to that device. ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md index a9483a0b56..490c5c9e6e 100644 --- a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md +++ b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md @@ -3,7 +3,7 @@ title: Microsoft Passport errors during PIN creation (Windows 10) description: When you set up Microsoft Passport in Windows 10, you may get an error during the Create a work PIN step. ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502 keywords: PIN, error, create a work PIN -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md index 70f6296988..b78b6f94f7 100644 
--- a/windows/keep-secure/microsoft-passport-guide.md +++ b/windows/keep-secure/microsoft-passport-guide.md @@ -3,8 +3,7 @@ title: Microsoft Passport guide (Windows 10) description: This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10 operating system. ms.assetid: 11EA7826-DA6B-4E5C-99FB-142CC6BD9E84 keywords: security, credential, password, authentication -ms.prod: W10 -ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/minimum-password-age.md b/windows/keep-secure/minimum-password-age.md index a975b21ff4..d56c232478 100644 --- a/windows/keep-secure/minimum-password-age.md +++ b/windows/keep-secure/minimum-password-age.md @@ -2,7 +2,7 @@ title: Minimum password age (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Minimum password age security policy setting. ms.assetid: 91915cb2-1b3f-4fb7-afa0-d03df95e8161 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/minimum-password-length.md b/windows/keep-secure/minimum-password-length.md index 79281f850c..39c8f9fa60 100644 --- a/windows/keep-secure/minimum-password-length.md +++ b/windows/keep-secure/minimum-password-length.md @@ -2,7 +2,7 @@ title: Minimum password length (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Minimum password length security policy setting. ms.assetid: 3d22eb9a-859a-4b6f-82f5-c270c427e17e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md index fa17f2947f..91db7537e8 100644 
--- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Minimum requirements for Windows Defender Advanced Threat Protection description: Minimum network and data storage configuration, endpoint hardware and software requirements, and deployment channel requirements for Windows Defender ATP. keywords: minimum requirements, Windows Defender Advanced Threat Protection minimum requirements, network and data storage, endpoint, endpoint configuration, deployment channel search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: iaanw --- diff --git a/windows/keep-secure/modify-an-object-label.md b/windows/keep-secure/modify-an-object-label.md index a984a42a33..fecfb339d8 100644 --- a/windows/keep-secure/modify-an-object-label.md +++ b/windows/keep-secure/modify-an-object-label.md @@ -2,7 +2,7 @@ title: Modify an object label (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Modify an object label security policy setting. ms.assetid: 3e5a97dd-d363-43a8-ae80-452e866ebfd5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/modify-firmware-environment-values.md b/windows/keep-secure/modify-firmware-environment-values.md index 2dcc1d8dfc..e4f6b85eb1 100644 --- a/windows/keep-secure/modify-firmware-environment-values.md +++ b/windows/keep-secure/modify-firmware-environment-values.md 
@@ -2,7 +2,7 @@ title: Modify firmware environment values (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Modify firmware environment values security policy setting. ms.assetid: 80bad5c4-d9eb-4e3a-a5dc-dcb742b83fca -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md new file mode 100644 index 0000000000..95ab7cda01 --- /dev/null +++ b/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md 
@@ -0,0 +1,74 @@ +--- +title: Modify GPO Filters to Apply to a Different Zone or Version of Windows (Windows 10) +description: Modify GPO Filters to Apply to a Different Zone or Version of Windows +ms.assetid: 24ede9ca-a501-4025-9020-1129e2cdde80 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Modify GPO Filters to Apply to a Different Zone or Version of Windows + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +You must reconfigure your copied GPO so that it contains the correct security group and WMI filters for its new role. If you are creating the GPO for the isolated domain, use the [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo) procedure to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +In this topic: + +- [Change the security group filter for a GPO](#to-change-the-security-group-filter-for-a-gpo) + +- [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo) + +- [Remove a block for members of a group from applying a GPO](#to-remove-a-block-for-members-of-group-from-applying-a-gpo) + +## To change the security group filter for a GPO + +1. Open the Group Policy Management console. + +2. In the navigation pane, find and then click the GPO that you want to modify. + +3. In the details pane, under **Security Filtering**, click the currently assigned security group, and then click **Remove**. + +4. Now you can add the appropriate security group to this GPO. Under **Security Filtering**, click **Add**. + +5. 
In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to apply the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain. + +## To block members of a group from applying a GPO + +1. Open the Group Policy Management console. + +2. In the navigation pane, find and then click the GPO that you want to modify. + +3. In the details pane, click the **Delegation** tab. + +4. Click **Advanced**. + +5. Under the **Group or user names** list, click **Add**. + +6. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to be prevented from applying the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain. + +7. Select the group in the **Group or user names** list, and then select the boxes in the **Deny** column for both **Read** and **Apply group policy**. + +8. Click **OK**, and then in the **Windows Security** dialog box, click **Yes**. + +9. The group appears in the list with custom permissions. + +## To remove a block for members of group from applying a GPO + +1. Open the Group Policy Management console. + +2. In the navigation pane, find and then click the GPO that you want to modify. + +3. In the details pane, click the **Delegation** tab. + +4. In the **Groups and users** list, select the group that should no longer be blocked, and then click **Remove**. + +5. In the message box, click **OK**. diff --git a/windows/keep-secure/monitor-application-usage-with-applocker.md b/windows/keep-secure/monitor-application-usage-with-applocker.md index 14b94f4745..87ead686b6 100644 --- a/windows/keep-secure/monitor-application-usage-with-applocker.md +++ b/windows/keep-secure/monitor-application-usage-with-applocker.md 
@@ -2,7 +2,7 @@ title: Monitor app usage with AppLocker (Windows 10) description: This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. ms.assetid: 0516da6e-ebe4-45b4-a97b-31daba96d1cf -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-central-access-policy-and-rule-definitions.md b/windows/keep-secure/monitor-central-access-policy-and-rule-definitions.md index 11e4efc2be..6904612d1c 100644 --- a/windows/keep-secure/monitor-central-access-policy-and-rule-definitions.md +++ b/windows/keep-secure/monitor-central-access-policy-and-rule-definitions.md @@ -2,7 +2,7 @@ title: Monitor central access policy and rule definitions (Windows 10) description: This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. ms.assetid: 553f98a6-7606-4518-a3c5-347a33105130 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-claim-types.md b/windows/keep-secure/monitor-claim-types.md index 9220126e6c..fcbaaa93b0 100644 --- a/windows/keep-secure/monitor-claim-types.md +++ b/windows/keep-secure/monitor-claim-types.md @@ -2,7 +2,7 @@ title: Monitor claim types (Windows 10) description: This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options. ms.assetid: 426084da-4eef-44af-aeec-e7ab4d4e2439 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md index 67ff38e86d..8babe1f172 100644 --- a/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Monitor Windows Defender ATP onboarding description: Monitor the onboarding of the Windows Defender ATP service to ensure your endpoints are correctly configured and are sending telemetry reports. keywords: monitor onboarding, monitor Windows Defender ATP onboarding, monitor Windows Defender Advanced Threat Protection onboarding search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/monitor-resource-attribute-definitions.md b/windows/keep-secure/monitor-resource-attribute-definitions.md index 42bd9b783e..75bff821fe 100644 --- a/windows/keep-secure/monitor-resource-attribute-definitions.md +++ b/windows/keep-secure/monitor-resource-attribute-definitions.md @@ -2,7 +2,7 @@ title: Monitor resource attribute definitions (Windows 10) description: This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects. ms.assetid: aace34b0-123a-4b83-9e09-f269220e79de -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/keep-secure/monitor-the-central-access-policies-associated-with-files-and-folders.md index db6155e24b..74e926c90b 100644 --- a/windows/keep-secure/monitor-the-central-access-policies-associated-with-files-and-folders.md 
+++ b/windows/keep-secure/monitor-the-central-access-policies-associated-with-files-and-folders.md @@ -2,7 +2,7 @@ title: Monitor the central access policies associated with files and folders (Windows 10) description: This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects. ms.assetid: 2ea8fc23-b3ac-432f-87b0-6a16506e8eed -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/keep-secure/monitor-the-central-access-policies-that-apply-on-a-file-server.md index aeee1c4b35..4e21c32c36 100644 --- a/windows/keep-secure/monitor-the-central-access-policies-that-apply-on-a-file-server.md +++ b/windows/keep-secure/monitor-the-central-access-policies-that-apply-on-a-file-server.md @@ -2,7 +2,7 @@ title: Monitor the central access policies that apply on a file server (Windows 10) description: This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. ms.assetid: 126b051e-c20d-41f1-b42f-6cff24dcf20c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-the-resource-attributes-on-files-and-folders.md b/windows/keep-secure/monitor-the-resource-attributes-on-files-and-folders.md index fd2edb8b75..5849cc955c 100644 --- a/windows/keep-secure/monitor-the-resource-attributes-on-files-and-folders.md +++ b/windows/keep-secure/monitor-the-resource-attributes-on-files-and-folders.md 
@@ -2,7 +2,7 @@ title: Monitor the resource attributes on files and folders (Windows 10) description: This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects. ms.assetid: 4944097b-320f-44c7-88ed-bf55946a358b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-the-use-of-removable-storage-devices.md b/windows/keep-secure/monitor-the-use-of-removable-storage-devices.md index c850719ed9..7665d0dddc 100644 --- a/windows/keep-secure/monitor-the-use-of-removable-storage-devices.md +++ b/windows/keep-secure/monitor-the-use-of-removable-storage-devices.md @@ -2,7 +2,7 @@ title: Monitor the use of removable storage devices (Windows 10) description: This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects. ms.assetid: b0a9e4a5-b7ff-41c6-96ff-0228d4ba5da8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-user-and-device-claims-during-sign-in.md b/windows/keep-secure/monitor-user-and-device-claims-during-sign-in.md index 8e767cf028..f95697b152 100644 --- a/windows/keep-secure/monitor-user-and-device-claims-during-sign-in.md +++ b/windows/keep-secure/monitor-user-and-device-claims-during-sign-in.md 
@@ -2,7 +2,7 @@ title: Monitor user and device claims during sign-in (Windows 10) description: This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects. ms.assetid: 71796ea9-5fe4-4183-8475-805c3c1f319f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md b/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md index 6c14b5a06f..206c76f7fc 100644 --- a/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md +++ b/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md @@ -2,7 +2,7 @@ title: Network access Allow anonymous SID/Name translation (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Allow anonymous SID/Name translation security policy setting. ms.assetid: 0144477f-22a6-4d06-b70a-9c9c2196e99e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md index 52eb452b76..7de439ad10 100644 --- a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md +++ b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md 
@@ -2,7 +2,7 @@ title: Network access Do not allow anonymous enumeration of SAM accounts and shares (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network access Do not allow anonymous enumeration of SAM accounts and shares security policy setting. ms.assetid: 3686788d-4cc7-4222-9163-cbc7c3362d73 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md index 20f6455173..1a8d592782 100644 --- a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md +++ b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md @@ -2,7 +2,7 @@ title: Network access Do not allow anonymous enumeration of SAM accounts (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network access Do not allow anonymous enumeration of SAM accounts security policy setting. ms.assetid: 6ee25b33-ad43-4097-b031-7be680f64c7c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md index ec12a8c647..a60b14af97 100644 --- a/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md +++ b/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md 
@@ -2,7 +2,7 @@ title: Network access Do not allow storage of passwords and credentials for network authentication (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Do not allow storage of passwords and credentials for network authentication security policy setting. ms.assetid: b9b64360-36ea-40fa-b795-2d6558c46563 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md index eedd57751a..02f1530efb 100644 --- a/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md +++ b/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md @@ -2,7 +2,7 @@ title: Network access Let Everyone permissions apply to anonymous users (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Let Everyone permissions apply to anonymous users security policy setting. ms.assetid: cdbc5159-9173-497e-b46b-7325f4256353 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md index ab8eff2298..68f545297d 100644 --- a/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md +++ b/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md 
@@ -2,7 +2,7 @@ title: Network access Named Pipes that can be accessed anonymously (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Named Pipes that can be accessed anonymously security policy setting. ms.assetid: 8897d2a4-813e-4d2b-8518-fcee71e1cf2c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md index d7a01b9e6e..3dc22f67e2 100644 --- a/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md +++ b/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md @@ -2,7 +2,7 @@ title: Network access Remotely accessible registry paths and subpaths (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network access Remotely accessible registry paths and subpaths security policy setting. ms.assetid: 3fcbbf70-a002-4f85-8e86-8dabad21928e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-remotely-accessible-registry-paths.md b/windows/keep-secure/network-access-remotely-accessible-registry-paths.md index 86fd1783e9..88c2340130 100644 --- a/windows/keep-secure/network-access-remotely-accessible-registry-paths.md +++ b/windows/keep-secure/network-access-remotely-accessible-registry-paths.md 
@@ -2,7 +2,7 @@ title: Network access Remotely accessible registry paths (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Remotely accessible registry paths security policy setting. ms.assetid: 977f86ea-864f-4f1b-9756-22220efce0bd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md index 84be70c08b..75a2e71242 100644 --- a/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md +++ b/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md @@ -2,7 +2,7 @@ title: Network access Restrict anonymous access to Named Pipes and Shares (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Restrict anonymous access to Named Pipes and Shares security policy setting. ms.assetid: e66cd708-7322-4d49-9b57-1bf8ec7a4c10 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md b/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md index b4505320e4..4f53f77bdc 100644 --- a/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md +++ b/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md 
@@ -2,7 +2,7 @@ title: Network access Shares that can be accessed anonymously (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Shares that can be accessed anonymously security policy setting. ms.assetid: f3e4b919-8279-4972-b415-5f815e2f0a1a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md b/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md index fee079071d..aab32aedb6 100644 --- a/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md +++ b/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md @@ -2,7 +2,7 @@ title: Network access Sharing and security model for local accounts (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Sharing and security model for local accounts security policy setting. ms.assetid: 0b3d703c-ea27-488f-8f59-b345af75b994 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-list-manager-policies.md b/windows/keep-secure/network-list-manager-policies.md index 11de5e4da7..1488ba7052 100644 --- a/windows/keep-secure/network-list-manager-policies.md +++ b/windows/keep-secure/network-list-manager-policies.md @@ -2,7 +2,7 @@ title: Network List Manager policies (Windows 10) description: Network List Manager policies are security settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices. ms.assetid: bd8109d4-b07c-4beb-a9a6-affae2ba2fda -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md index 929606cb16..0c3458656e 100644 --- a/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md +++ b/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md @@ -2,7 +2,7 @@ title: Network security Allow Local System to use computer identity for NTLM (Windows 10) description: Describes the location, values, policy management, and security considerations for the Network security Allow Local System to use computer identity for NTLM security policy setting. ms.assetid: c46a658d-b7a4-4139-b7ea-b9268c240053 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md b/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md index 34b487bba3..405f149efa 100644 --- a/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md +++ b/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md @@ -2,7 +2,7 @@ title: Network security Allow LocalSystem NULL session fallback (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network security Allow LocalSystem NULL session fallback security policy setting. ms.assetid: 5b72edaa-bec7-4572-b6f0-648fc38f5395 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index a381d1388c..fe460ccefd 100644 
--- a/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -2,7 +2,7 @@ title: Network security Allow PKU2U authentication requests to this computer to use online identities (Windows 10) description: Describes the best practices, location, and values for the Network Security Allow PKU2U authentication requests to this computer to use online identities security policy setting. ms.assetid: e04a854e-d94d-4306-9fb3-56e9bd7bb926 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md index 7ca22f98c0..bcbe56a0ef 100644 --- a/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md +++ b/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md @@ -2,7 +2,7 @@ title: Network security Configure encryption types allowed for Kerberos Win7 only (Windows 10) description: Describes the best practices, location, values and security considerations for the Network security Configure encryption types allowed for Kerberos Win7 only security policy setting. ms.assetid: 303d32cc-415b-44ba-96c0-133934046ece -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md index 95b335005c..11984a8b59 100644 --- a/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md 
+++ b/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md @@ -2,7 +2,7 @@ title: Network security Do not store LAN Manager hash value on next password change (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Do not store LAN Manager hash value on next password change security policy setting. ms.assetid: 6452b268-e5ba-4889-9d38-db28f919af51 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md b/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md index f6dd03a829..a302a70695 100644 --- a/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md +++ b/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md @@ -2,7 +2,7 @@ title: Network security Force logoff when logon hours expire (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Force logoff when logon hours expire security policy setting. ms.assetid: 64d5dde4-58e4-4217-b2c4-73bd554ec926 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-lan-manager-authentication-level.md b/windows/keep-secure/network-security-lan-manager-authentication-level.md index 5d8a5343aa..3ae2b1240e 100644 --- a/windows/keep-secure/network-security-lan-manager-authentication-level.md +++ b/windows/keep-secure/network-security-lan-manager-authentication-level.md 
@@ -2,7 +2,7 @@ title: Network security LAN Manager authentication level (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security LAN Manager authentication level security policy setting. ms.assetid: bbe1a98c-420a-41e7-9d3c-3a2fe0f1843e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-ldap-client-signing-requirements.md b/windows/keep-secure/network-security-ldap-client-signing-requirements.md index 5207e6e65f..158b64ed3c 100644 --- a/windows/keep-secure/network-security-ldap-client-signing-requirements.md +++ b/windows/keep-secure/network-security-ldap-client-signing-requirements.md @@ -2,7 +2,7 @@ title: Network security LDAP client signing requirements (Windows 10) description: This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. ms.assetid: 38b35489-eb5b-4035-bc87-df63de50509c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md index ba6527767f..b9a0e71329 100644 --- a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md +++ b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md 
@@ -2,7 +2,7 @@ title: Network security Minimum session security for NTLM SSP based (including secure RPC) clients (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Minimum session security for NTLM SSP based (including secure RPC) clients security policy setting. ms.assetid: 89903de8-23d0-4e0f-9bef-c00cb7aebf00 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md index 6bd65a6591..752b9c97c1 100644 --- a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md +++ b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md @@ -2,7 +2,7 @@ title: Network security Minimum session security for NTLM SSP based (including secure RPC) servers (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Minimum session security for NTLM SSP based (including secure RPC) servers security policy setting. ms.assetid: c6a60c1b-bc8d-4d02-9481-f847a411b4fc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md index ca5c6d20da..74c9b41100 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md 
+++ b/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md @@ -2,7 +2,7 @@ title: Network security Restrict NTLM Add remote server exceptions for NTLM authentication (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network security Restrict NTLM Add remote server exceptions for NTLM authentication security policy setting. ms.assetid: 9b017399-0a54-4580-bfae-614c2beda3a1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md index 8a29a1cbad..e16e7c0ff3 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md +++ b/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md @@ -2,7 +2,7 @@ title: Network security Restrict NTLM Add server exceptions in this domain (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network security Restrict NTLM Add server exceptions in this domain security policy setting. ms.assetid: 2f981b68-6aa7-4dd9-b53d-d88551277cc0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md index 30716f504d..f5b4bd4032 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md +++ b/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md 
@@ -2,7 +2,7 @@ title: Network security Restrict NTLM Audit incoming NTLM traffic (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Audit incoming NTLM traffic security policy setting. ms.assetid: 37e380c2-22e1-44cd-9993-e12815b845cf -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md index 4bda1da37a..c4254e5036 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md +++ b/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md @@ -2,7 +2,7 @@ title: Network security Restrict NTLM Audit NTLM authentication in this domain (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Audit NTLM authentication in this domain security policy setting. ms.assetid: 33183ef9-53b5-4258-8605-73dc46335e6e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md index 270051f5d3..fba51b1a73 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md +++ b/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md 
@@ -2,7 +2,7 @@ title: Network security Restrict NTLM Incoming NTLM traffic (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Incoming NTLM traffic security policy setting. ms.assetid: c0eff7d3-ed59-4004-908a-2205295fefb8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md index 8389b3ad72..407c4b9976 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md +++ b/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md @@ -2,7 +2,7 @@ title: Network security Restrict NTLM NTLM authentication in this domain (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM NTLM authentication in this domain security policy setting. ms.assetid: 4c7884e9-cc11-4402-96b6-89c77dc908f8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index 439657d395..896cdbadc1 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md +++ b/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md 
@@ -2,7 +2,7 @@ title: Network security Restrict NTLM Outgoing NTLM traffic to remote servers (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Outgoing NTLM traffic to remote servers security policy setting. ms.assetid: 63437a90-764b-4f06-aed8-a4a26cf81bd1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md index baf6178433..eaaa736c69 100644 --- a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Onboard endpoints and set up the Windows Defender ATP user access description: Set up user access in Azure Active Directory and use Group Policy, SCCM, or do manual registry changes to onboard endpoints to the service. keywords: onboarding, windows defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: iaanw --- diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md new file mode 100644 index 0000000000..f29f5afbb7 --- /dev/null +++ b/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md 
@@ -0,0 +1,26 @@ +--- +title: Open the Group Policy Management Console to IP Security Policies (Windows 10) +description: Open the Group Policy Management Console to IP Security Policies +ms.assetid: 235f73e4-37b7-40f4-a35e-3e7238bbef43 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Open the Group Policy Management Console to IP Security Policies + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Procedures in this guide that refer to GPOs for earlier versions of the Windows operating system instruct you to work with the IP Security Policy section in the Group Policy Management Console (GPMC). + +**To open a GPO to the IP Security Policies section** + +1. Open the Group Policy Management console. + +2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**. + +3. In the navigation pane of the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, and then click **IP Security Policies on Active Directory (***YourDomainName***)**. \ No newline at end of file diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md new file mode 100644 index 0000000000..e179647bac --- /dev/null +++ b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md 
@@ -0,0 +1,26 @@ +--- +title: Open the Group Policy Management Console to Windows Firewall with Advanced Security (Windows 10) +description: Open the Group Policy Management Console to Windows Firewall with Advanced Security +ms.assetid: 28afab36-8768-4938-9ff2-9d6dab702e98 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Open the Group Policy Management Console to Windows Firewall with Advanced Security + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Most of the procedures in this guide instruct you to use Group Policy settings for Windows Firewall with Advanced Security. + +To open a GPO to Windows Firewall with Advanced Security + +1. Open the Group Policy Management console. + +2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**. + +3. In the navigation pane of the Group Policy Management Editor, navigate to **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - LDAP://cn={***GUID***},cn=…**. diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md new file mode 100644 index 0000000000..2d848ec539 --- /dev/null +++ b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md 
@@ -0,0 +1,26 @@ +--- +title: Open the Group Policy Management Console to Windows Firewall (Windows 10) +description: Open the Group Policy Management Console to Windows Firewall +ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Open the Group Policy Management Console to Windows Firewall + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To open a GPO to Windows Firewall + +1. Open the Active Directory Users and Computers console. + +2. In the navigation pane, expand *YourDomainName*, right-click the container that your GPO is linked to, and then click **Properties**. + +3. Click the **Group Policy** tab, select your GPO, and then click **Edit**. + +4. In the navigation pane of the Group Policy Object Editor, navigate to **Computer Configuration** > **Administrative Templates** > **Network** > **Network Connections** > **Windows Firewall**. diff --git a/windows/keep-secure/open-windows-firewall-with-advanced-security.md b/windows/keep-secure/open-windows-firewall-with-advanced-security.md new file mode 100644 index 0000000000..cda993d4ad --- /dev/null +++ b/windows/keep-secure/open-windows-firewall-with-advanced-security.md 
@@ -0,0 +1,46 @@ +--- +title: Open Windows Firewall with Advanced Security (Windows 10) +description: Open Windows Firewall with Advanced Security +ms.assetid: 788faff2-0f50-4e43-91f2-3e2595c0b6a1 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Open Windows Firewall with Advanced Security + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This procedure shows you how to open the Windows Firewall with Advanced Security console. + +**Administrative credentials** + +To complete this procedure, you must be a member of the Administrators group. For more information, see Additional considerations. + +## Opening Windows Firewall with Advanced Security + +- [Using the Windows interface](#to-open-windows-firewall-with-advanced-security-using-the-ui) + +- [Using a command line](#to-open-windows-firewall-with-advanced-security-from-a-command-prompt) + +## To open Windows Firewall with Advanced Security using the UI + +Click Start, type **Windows Firewall with Advanced Security**, and the press ENTER. + +## To open Windows Firewall with Advanced Security from a command prompt + +1. Open a command prompt window. + +2. At the command prompt, type: + + ``` syntax + wf.msc + ``` + +**Additional considerations** + +Although standard users can start the Windows Firewall with Advanced Security MMC snap-in, to change most settings the user must be a member of a group with the permissions to modify those settings, such as Administrators. diff --git a/windows/keep-secure/optimize-applocker-performance.md b/windows/keep-secure/optimize-applocker-performance.md index f8eb1d4d8e..ff8f099f2d 100644 --- a/windows/keep-secure/optimize-applocker-performance.md +++ b/windows/keep-secure/optimize-applocker-performance.md 
@@ -2,22 +2,31 @@ title: Optimize AppLocker performance (Windows 10) description: This topic for IT professionals describes how to optimize AppLocker policy enforcement. ms.assetid: a20efa20-bc98-40fe-bd81-28ec4905e0f6 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Optimize AppLocker performance + **Applies to** - Windows 10 + This topic for IT professionals describes how to optimize AppLocker policy enforcement. + ## Optimization of Group Policy + AppLocker policies can be implemented by organization unit (OU) using Group Policy. If so, your Group Policy infrastructure should be optimized and retested for performance when AppLocker policies are added to existing Group Policy Objects (GPOs) or new GPOs are created, as you do with adding any policies to your GPOs. + For more info, see the [Optimizing Group Policy Performance](http://go.microsoft.com/fwlink/p/?LinkId=163238) article in TechNet Magazine. + ### AppLocker rule limitations -The more rules per GPO, the longer AppLocker requires for evaluation. There is no set limitation on the number of rules per GPO, but the number of rules that can fit into a 100 MB GPO varies based on the complexity of the rule, such as the number of file hashes included in a single file hash condition. + +The more rules per GPO, the longer AppLocker requires for evaluation. There is no set limitation on the number of rules per GPO, but the number of rules that can fit into a 100 MB GPO varies based on the complexity of the rule, such as the number of file hashes included in a single file hash +condition. + ### Using the DLL rule collection + When the DLL rule collection is enabled, AppLocker must check each DLL that an application loads. The more DLLs, the longer AppLocker requires to complete the evaluation. -  -  
diff --git a/windows/keep-secure/other-events.md b/windows/keep-secure/other-events.md new file mode 100644 index 0000000000..6a5cf852d1 --- /dev/null +++ b/windows/keep-secure/other-events.md @@ -0,0 +1,31 @@ +--- +title: Other Events (Windows 10) +description: Describes the Other Events auditing subcategory. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# Other Events + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Events in this section generate automatically and are enabled by default. + +**Events List:** + +- [1100](event-1100.md)(S): The event logging service has shut down. + +- [1102](event-1102.md)(S): The audit log was cleared. + +- [1104](event-1104.md)(S): The security log is now full. + +- [1105](event-1105.md)(S): Event log automatic backup. + +- [1108](event-1108.md)(S): The event logging service encountered an error while processing an incoming event published from %1 + diff --git a/windows/keep-secure/overview-create-edp-policy.md b/windows/keep-secure/overview-create-edp-policy.md index 24e6c6a647..0ca5b7cbd1 100644 --- a/windows/keep-secure/overview-create-edp-policy.md +++ b/windows/keep-secure/overview-create-edp-policy.md @@ -2,9 +2,10 @@ title: Create an enterprise data protection (EDP) policy (Windows 10) description: Microsoft Intune and System Center Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/keep-secure/packaged-apps-and-packaged-app-installer-rules-in-applocker.md index 64303436c2..b17006c05a 100644 
--- a/windows/keep-secure/packaged-apps-and-packaged-app-installer-rules-in-applocker.md +++ b/windows/keep-secure/packaged-apps-and-packaged-app-installer-rules-in-applocker.md 
@@ -2,26 +2,32 @@ title: Packaged apps and packaged app installer rules in AppLocker (Windows 10) description: This topic explains the AppLocker rule collection for packaged app installers and packaged apps. ms.assetid: 8fd44d08-a0c2-4c5b-a91f-5cb9989f971d -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Packaged apps and packaged app installer rules in AppLocker + **Applies to** - Windows 10 + This topic explains the AppLocker rule collection for packaged app installers and packaged apps. + Universal Windows apps can be installed through the Windows Store or can be sideloaded using the Windows PowerShell cmdlets. Universal Windows apps can be installed by a standard user unlike some Classic Windows applications that sometimes require administrative privileges for installation. Typically, an app consists of multiple components – the installer used to install the app and one or more exes, dlls or scripts. With Classic Windows applications, not all those components always share common attributes such as the publisher name, product name and product version. Therefore, AppLocker has to control each of these components separately through different rule collections – exe, dll, script and Windows Installers. In contrast, all the components of a Universal Windows app share the same attributes: Publisher name, Package name and Package version. It is therefore possible to control an entire app with a single rule. + AppLocker enforces rules for Universal Windows apps separately from Classic Windows applications. A single AppLocker rule for a Universal Windows app can control both the installation and the running of an app. Because all Universal Windows apps are signed, AppLocker supports only publisher rules for Universal Windows apps. 
A publisher rule for a Universal Windows app is based on the following attributes of the app: + - Publisher name - Package name - Package version + In summary, including AppLocker rules for Universal Windows apps in your policy design provides: + - The ability to control the installation and running of the app - The ability to control all the components of the app with a single rule rather than controlling individual binaries within the app - The ability to create application control policies that survive app updates - Management of Universal Windows apps through Group Policy. -  -  diff --git a/windows/keep-secure/passport-event-300.md b/windows/keep-secure/passport-event-300.md index dfcc826405..9a7c694ae0 100644 --- a/windows/keep-secure/passport-event-300.md +++ b/windows/keep-secure/passport-event-300.md 
@@ -2,18 +2,22 @@ title: Event ID 300 - Passport successfully created (Windows 10) description: This event is created when a Microsoft Passport for Enterprise is successfully created and registered with Azure Active Directory (Azure AD). ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04 -ms.pagetype: security -keywords: ["ngc"] -ms.prod: W10 +keywords: ngc +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: jdeckerMS --- + # Event ID 300 - Passport successfully created + **Applies to** - Windows 10 - Windows 10 Mobile + This event is created when a Microsoft Passport for Enterprise is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. + ## Event details | | | |--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 
@@ -21,16 +25,18 @@ This event is created when a Microsoft Passport for Enterprise is successfully c | **ID:** | 300 | | **Source:** | Microsoft Azure Device Registration Service | | **Version:** | 10 | -| **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da. Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} | +| **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da. +Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} |   ## Resolve + This is a normal condition. No further action is required. + ## Related topics -[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) -[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) -[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) -[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) -[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) -  -  + +- [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) +- [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) +- [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) +- [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) +- [Microsoft Passport and password 
changes](microsoft-passport-and-password-changes.md) +- [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) diff --git a/windows/keep-secure/password-must-meet-complexity-requirements.md b/windows/keep-secure/password-must-meet-complexity-requirements.md index fba24e4fb4..d51142a117 100644 --- a/windows/keep-secure/password-must-meet-complexity-requirements.md +++ b/windows/keep-secure/password-must-meet-complexity-requirements.md 
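Review bot: the rewrapped **Message:** row of the Event details table in the Event ID 300 topic breaks the table: the cell is split after `Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da.` so that `Server response: {"kid":...,"upn":"test@contoso.com"} |` lands on its own line, which Markdown parses as a separate table row (or as plain text, depending on the renderer) rather than as the tail of the Message cell. Keep the whole message on one line as it was before this change, or, if line length is the concern, insert a `<br>` inside the cell instead of a newline. The metadata edits in the same hunk (`keywords: ["ngc"]` to `keywords: ngc`, `ms.prod: W10` to `ms.prod: w10`, moving `ms.pagetype: security`) are normalization only and look fine.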
@@ -2,94 +2,98 @@ title: Password must meet complexity requirements (Windows 10) description: Describes the best practices, location, values, and security considerations for the Password must meet complexity requirements security policy setting. ms.assetid: 94482ae3-9dda-42df-9782-2f66196e6afe -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Password must meet complexity requirements + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Password must meet complexity requirements** security policy setting. + ## Reference + The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of guidelines that are considered important for a strong password. Enabling this policy setting requires passwords to meet the following requirements: + 1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks are not case sensitive. + The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed to not be included in the password. Tokens that are less than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password. + 2. 
The password contains characters from three of the following categories: + - Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters) - Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters) - Base 10 digits (0 through 9) - Non-alphanumeric characters (special characters) (for example, !, $, \#, %) - Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages. + Complexity requirements are enforced when passwords are changed or created. + The rules that are included in the Windows Server password complexity requirements are part of Passfilt.dll, and they cannot be directly modified. + Enabling the default Passfilt.dll may cause some additional Help Desk calls for locked-out accounts because users might not be used to having passwords that contain characters other than those found in the alphabet. However, this policy setting is liberal enough that all users should be able to abide by the requirements with a minor learning curve. + Additional settings that can be included in a custom Passfilt.dll are the use of non–upper-row characters. Upper-row characters are those that are typed by holding down the SHIFT key and typing any of the digits from 1 through 10. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 218,340,105,584,896 different possibilities for a single password. This makes a brute force attack difficult, but still not impossible. + The use of ALT key character combinations can greatly enhance the complexity of a password. 
However, requiring all users in an organization to adhere to such stringent password requirements can result in unhappy users and an extremely busy Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of this range can represent standard alphanumeric characters that do not add additional complexity to the password.) + Passwords that contain only alphanumeric characters are easy to compromise by using publicly available tools. To prevent this, passwords should contain additional characters and meet complexity requirements. + ### Location + **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or Group Policy Object (GPO)Default value

Default domain policy

Enabled

Default domain controller policy

Enabled

Stand-alone server default settings

Disabled

Domain controller effective default settings

Enabled

Member server effective default settings

Enabled

Effective GPO default settings on client computers

Disabled

+ +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| Enabled| +| Default domain controller policy| Enabled| +| Stand-alone server default settings | Disabled| +| Domain controller effective default settings | Enabled| +| Member server effective default settings | Enabled| +| Effective GPO default settings on client computers | Disabled|   ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Passwords that contain only alphanumeric characters are extremely easy to discover with several publicly available tools. + ### Countermeasure + Configure the **Passwords must meet complexity requirements** policy setting to Enabled and advise users to use a variety of characters in their passwords. + When combined with a [Minimum password length](minimum-password-length.md) of 8, this policy setting ensures that the number of different possibilities for a single password is so great that it is difficult (but not impossible) for a brute force attack to succeed. (If the Minimum password length policy setting is increased, the average amount of time necessary for a successful attack also increases.) + ### Potential impact + If the default password complexity configuration is retained, additional Help Desk calls for locked-out accounts could occur because users might not be accustomed to passwords that contain non-alphabetical characters, or they might have problems entering passwords that contain accented characters or symbols on keyboards with different layouts. However, all users should be able to comply with the complexity requirement with minimal difficulty. 
+ If your organization has more stringent security requirements, you can create a custom version of the Passfilt.dll file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper-row symbols. (Upper-row symbols are those that require you to press and hold the SHIFT key and then press any of the digits between 1 and 0.) A custom password filter might also perform a dictionary check to verify that the proposed password does not contain common dictionary words or fragments. + The use of ALT key character combinations can greatly enhance the complexity of a password. However, such stringent password requirements can result in additional Help Desk requests. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 0128–0159 range. (ALT characters outside of this range can represent standard alphanumeric characters that would not add additional complexity to the password.) + ## Related topics -[Password Policy](password-policy.md) -  -  + +- [Password Policy](password-policy.md) diff --git a/windows/keep-secure/password-policy.md b/windows/keep-secure/password-policy.md index 4d1c366110..4198fac995 100644 --- a/windows/keep-secure/password-policy.md +++ b/windows/keep-secure/password-policy.md 
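Review bot: in password-must-meet-complexity-requirements.md the blank lines added inside the numbered list leave the explanatory paragraph after item 1 and the five category bullets after item 2 unindented, so Markdown closes the ordered list at each blank line and the `- Uppercase letters ...` bullets render as a separate top-level list rather than nested under "2. The password contains characters from three of the following categories:"; indent the continuation paragraph and the bullets by three spaces so they stay attached to their items. While this file is being reflowed, the unchanged figure of 218,340,105,584,896 possibilities for a minimum length of 8 is exactly 62^8, which is the count for letters and digits only; it does not account for the non-alphanumeric category that this very policy requires, so either recompute it for the character set the policy actually enforces or drop the number and keep the qualitative "difficult, but still not impossible" statement. The HTML-to-Markdown conversion of the default values table itself (`| Server type or Group Policy Object (GPO) | Default value |`) preserves all six rows correctly.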
@@ -2,66 +2,51 @@ title: Password Policy (Windows 10) description: An overview of password policies for Windows and links to information for each policy setting. ms.assetid: aec1220d-a875-4575-9050-f02f9c54a3b6 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Password Policy + **Applies to** - Windows 10 + An overview of password policies for Windows and links to information for each policy setting. + In many operating systems, the most common method to authenticate a user's identity is to use a secret passphrase or password. A secure network environment requires all users to use strong passwords, which have at least eight characters and include a combination of letters, numbers, and symbols. These passwords help prevent the compromise of user accounts and administrative accounts by unauthorized users who use manual methods or automated tools to guess weak passwords. Strong passwords that are changed regularly reduce the likelihood of a successful password attack. + Introduced in Windows Server 2008 R2 and Windows Server 2008, Windows supports fine-grained password policies. This feature provides organizations with a way to define different password and account lockout policies for different sets of users in a domain. Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups. + To apply a fine-grained password policy to users of an OU, you can use a shadow group. A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You add users of the OU as members of the newly created shadow group and then apply the fine-grained password policy to this shadow group. You can create additional shadow groups for other OUs as needed. 
If you move a user from one OU to another, you must update the membership of the corresponding shadow groups. + Fine-grained password policies include attributes for all the settings that can be defined in the default domain policy (except Kerberos settings) in addition to account lockout settings. When you specify a fine-grained password policy, you must specify all of these settings. By default, only members of the Domain Admins group can set fine-grained password policies. However, you can also delegate the ability to set these policies to other users. The domain must be running at least Windows Server 2008 R2 or Windows Server 2008 to use fine-grained password policies. Fine-grained password policies cannot be applied to an organizational unit (OU) directly. + You can enforce the use of strong passwords through an appropriate password policy. There are password policy settings that control the complexity and lifetime of passwords, such as the **Passwords must meet complexity requirements** policy setting. + You can configure the password policy settings in the following location by using the Group Policy Management Console: + **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** + If individual groups require distinct password policies, these groups should be separated into another domain or forest, based on additional requirements. + The following topics provide a discussion of password policy implementation and best practices considerations, policy location, default values for the server type or GPO, relevant differences in operating system versions, security considerations (including the possible vulnerabilities of each setting), countermeasures that you can take, and the potential impact for each setting. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Enforce password history](enforce-password-history.md)

Describes the best practices, location, values, policy management, and security considerations for the Enforce password history security policy setting.

[Maximum password age](maximum-password-age.md)

Describes the best practices, location, values, policy management, and security considerations for the Maximum password age security policy setting.

[Minimum password age](minimum-password-age.md)

Describes the best practices, location, values, policy management, and security considerations for the Minimum password age security policy setting.

[Minimum password length](minimum-password-length.md)

Describes the best practices, location, values, policy management, and security considerations for the Minimum password length security policy setting.

[Password must meet complexity requirements](password-must-meet-complexity-requirements.md)

Describes the best practices, location, values, and security considerations for the Password must meet complexity requirements security policy setting.

[Store passwords using reversible encryption](store-passwords-using-reversible-encryption.md)

Describes the best practices, location, values, and security considerations for the Store passwords using reversible encryption security policy setting.

+ +| Topic | Description | +| - | - | +| [Enforce password history](enforce-password-history.md)| Describes the best practices, location, values, policy management, and security considerations for the **Enforce password history** security policy setting.| +| [Maximum password age](maximum-password-age.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum password age** security policy setting.| +| [Minimum password age](minimum-password-age.md) | Describes the best practices, location, values, policy management, and security considerations for the **Minimum password age** security policy setting.| +| [Minimum password length](minimum-password-length.md) | Describes the best practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting.| +| [Password must meet complexity requirements](password-must-meet-complexity-requirements.md) | Describes the best practices, location, values, and security considerations for the **Password must meet complexity requirements** security policy setting.| +| [Store passwords using reversible encryption](store-passwords-using-reversible-encryption.md) | Describes the best practices, location, values, and security considerations for the **Store passwords using reversible encryption** security policy setting.|   ## Related topics -[Configure security policy settings](how-to-configure-security-policy-settings.md) + +- [Configure security policy settings](how-to-configure-security-policy-settings.md)     diff --git a/windows/keep-secure/perform-volume-maintenance-tasks.md b/windows/keep-secure/perform-volume-maintenance-tasks.md index 8080674711..dae56942a1 100644 --- a/windows/keep-secure/perform-volume-maintenance-tasks.md +++ b/windows/keep-secure/perform-volume-maintenance-tasks.md 
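Review bot: in password-policy.md the two trailing non-breaking-space lines after `- [Configure security policy settings](how-to-configure-security-policy-settings.md)` are left in place, whereas the equivalent `-  ` lines are removed in every other file in this patch; drop them here as well. Also, since this hunk rewrites the surrounding paragraph lines, the unchanged sentence "If individual groups require distinct password policies, these groups should be separated into another domain or forest" contradicts the fine-grained password policy paragraphs immediately above it, which state that the feature exists precisely to "define different password and account lockout policies for different sets of users in a domain"; either qualify it as the approach for domains below the Windows Server 2008 functional level or remove it. The `| Topic | Description |` table conversion is correct and keeps all six topic links.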
@@ -2,89 +2,91 @@ title: Perform volume maintenance tasks (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Perform volume maintenance tasks security policy setting. ms.assetid: b6990813-3898-43e2-8221-c9c06d893244 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Perform volume maintenance tasks + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Perform volume maintenance tasks** security policy setting. + ## Reference + This policy setting determines which users can perform volume or disk management tasks, such as defragmenting an existing volume, creating or removing volumes, and running the Disk Cleanup tool. + Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. + Constant: SeManageVolumePrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - Ensure that only the local Administrators group is assigned the **Perform volume maintenance tasks** user right. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

DC Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators| +| Stand-Alone Server Default Settings | Administrators| +| DC Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + A user who is assigned the **Perform volume maintenance tasks** user right could delete a volume, which could result in the loss of data or a denial-of- service condition. Also, disk maintenance tasks can be used to modify data on the disk, such as user rights assignments that might lead to escalation of privileges. + ### Countermeasure + Ensure that only the local Administrators group is assigned the **Perform volume maintenance tasks** user right. + ### Potential impact + None. Restricting the **Perform volume maintenance tasks** user right to the local Administrators group is the default configuration. 
+ ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/plan-for-applocker-policy-management.md b/windows/keep-secure/plan-for-applocker-policy-management.md index d7b423cdb3..96d65e5c32 100644 --- a/windows/keep-secure/plan-for-applocker-policy-management.md +++ b/windows/keep-secure/plan-for-applocker-policy-management.md 
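Review bot: in perform-volume-maintenance-tasks.md the hunk reflows the Reference and Security considerations sections but leaves two defects in the adjacent lines: "a denial-of- service condition" has a stray space after the hyphen, and "extend files in to memory that contains other data" should read "into"; fix both while these lines are being touched. The same sentence is also the security-relevant heart of this page and is hard to parse as written: the risk is that a holder of SeManageVolumePrivilege can extend a file over disk space that still contains other users' data and then read or modify it, so spell out "disk space" rather than "memory" and connect it to the Vulnerability paragraph's "disk maintenance tasks can be used to modify data on the disk". The default values table conversion (`| Server type or GPO | Default value |`) is fine.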
@@ -2,71 +2,112 @@ title: Plan for AppLocker policy management (Windows 10) description: This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. ms.assetid: dccc196f-6ae0-4ae4-853a-a3312b18751b -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Plan for AppLocker policy management + **Applies to** - Windows 10 + This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. + ## Policy management + Before you begin the deployment process, consider how the AppLocker rules will be managed. Developing a process for managing AppLocker rules helps assure that AppLocker continues to effectively control how applications are allowed to run in your organization. + ### Application and user support policy + Developing a process for managing AppLocker rules helps assure that AppLocker continues to effectively control how applications are allowed to run in your organization. Considerations include: + - What type of end-user support is provided for blocked applications? - How are new rules added to the policy? - How are existing rules updated? - Are events forwarded for review? + **Help desk support** + If your organization has an established help desk support department in place, consider the following when deploying AppLocker policies: + - What documentation does your support department require for new policy deployments? - What are the critical processes in each business group both in work flow and timing that will be affected by application control policies and how could they affect your support department's workload? - Who are the contacts in the support department? - How will the support department resolve application control issues between the end user and those who maintain the AppLocker rules? 
+ **End-user support** + Because AppLocker is preventing unapproved apps from running, it is important that your organization carefully plan how to provide end-user support. Considerations include: + - Do you want to use an intranet site as a first line of support for users who have tried to run a blocked app? - How do you want to support exceptions to the policy? Will you allow users to run a script to temporarily allow access to a blocked app? + **Using an intranet site** + AppLocker can be configured to display the default message but with a custom URL. You can use this URL to redirect users to a support site that contains information about why the user received the error and which applications are allowed. If you do not display a custom URL for the message when an app is blocked, the default URL is used. + The following image shows an example of the error message for a blocked app. You can use the **Set a support web link** policy setting to customize the **More information** link. + ![applocker blocked application error message](images/blockedappmsg.gif) + For steps to display a custom URL for the message, see [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md). + **AppLocker event management** -Each time that a process requests permission to run, AppLocker creates an event in the AppLocker event log. The event details which file tried to run, the attributes of that file, the user that initiated the request, and the rule GUID that was used to make the AppLocker execution decision. The AppLocker event log is located in the following path: **Applications and Services Logs\\Microsoft\\Windows\\AppLocker**. The AppLocker log includes three logs: + +Each time that a process requests permission to run, AppLocker creates an event in the AppLocker event log. 
The event details which file tried to run, the attributes of that file, the user that initiated the request, and the rule GUID that was used to make the AppLocker execution decision. The +AppLocker event log is located in the following path: **Applications and Services Logs\\Microsoft\\Windows\\AppLocker**. The AppLocker log includes three logs: + 1. **EXE and DLL**. Contains events for all files affected by the executable and DLL rule collections (.exe, .com, .dll, and .ocx). 2. **MSI and Script**. Contains events for all files affected by the Windows Installer and script rule collections (.msi, .msp, .ps1, .bat, .cmd, .vbs, and .js). 3. **Packaged app-Deployment** or **Packaged app-Execution**, contains events for all Universal Windows apps affected by the packaged app and packed app installer rule collection (.appx). + Collecting these events in a central location can help you maintain your AppLocker policy and troubleshoot rule configuration problems. Event collection technologies such as those available in Windows allow administrators to subscribe to specific event channels and have the events from source computers aggregated into a forwarded event log on a Windows Server operating system collector. For more info about setting up an event subscription, see [Configure Computers to Collect and Forward Events](http://go.microsoft.com/fwlink/p/?LinkId=145012). + ### Policy maintenance + As new apps are deployed or existing apps are updated by the software publisher, you will need to make revisions to your rule collections to ensure that the policy is current. + You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). 
An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. For more info about Advanced Group Policy Management, see [Advanced Group Policy Management Overview](http://go.microsoft.com/fwlink/p/?LinkId=145013) (http://go.microsoft.com/fwlink/p/?LinkId=145013). -**Caution**   -You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. + +>**Caution:**  You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.   **New version of a supported app** + When a new version of an app is deployed in the organization, you need to determine whether to continue to support the previous version of that app. To add the new version, you might only need to create a new rule for each file that is associated with the app. If you are using publisher conditions and the version is not specified, then the existing rule or rules might be sufficient to allow the updated file to run. You must ensure, however, that the updated app has not altered the file names or added files to support new functionality. If so, then you must modify the existing rules or create new rules. To continue to reuse a publisher-based rule without a specific file version, you must also ensure that the file's digital signature is still identical to the previous version—the publisher, product name, and file name (if configured in your rule) must all match for the rule to be correctly applied. + To determine whether a file has been modified during an app update, review the publisher's release details provided with the update package. You can also review the publisher's web page to retrieve this information. 
Each file can also be inspected to determine the version. + For files that are allowed or denied with file hash conditions, you must retrieve the new file hash. To add support for a new version and maintain support for the older version, you can either create a new file hash rule for the new version or edit the existing rule and add the new file hash to the list of conditions. + For files with path conditions, you should verify that the installation path has not changed from what is stated in the rule. If the path has changed, you need to update the rule before installing the new version of the app + **Recently deployed app** + To support a new app, you must add one or more rules to the existing AppLocker policy. + **App is no longer supported** + If your organization has determined that it will no longer support an application that has AppLocker rules associated with it, the easiest way to prevent users from running the app is to delete these rules. + **App is blocked but should be allowed** + A file could be blocked for three reasons: + - The most common reason is that no rule exists to allow the app to run. - There may be an existing rule that was created for the file that is too restrictive. - A deny rule, which cannot be overridden, is explicitly blocking the file. + Before editing the rule collection, first determine what rule is preventing the file from running. You can troubleshoot the problem by using the **Test-AppLockerPolicy** Windows PowerShell cmdlet. For more info about troubleshooting an AppLocker policy, see [Testing and Updating an AppLocker Policy](http://go.microsoft.com/fwlink/p/?LinkId=160269) (http://go.microsoft.com/fwlink/p/?LinkId=160269). + ## Next steps + After deciding how your organization will manage your AppLocker policy, record your findings. 
+ - **End-user support policy.** Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel have clear escalation steps so that the administrator can update the AppLocker policy, if necessary. - **Event processing.** Document whether events will be collected in a central location called a store, how that store will be archived, and whether the events will be processed for analysis. - **Policy maintenance.** Detail how rules will be added to the policy and in which GPO the rules are defined. + For information and steps how to document your processes, see [Document your application control management processes](document-your-application-control-management-processes.md). -  -  diff --git a/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md b/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md index 8a2a90eb1f..1fa912d181 100644 --- a/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md +++ b/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md 
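Review bot: the rewrap of the AppLocker event management paragraph introduces a hard line break mid-sentence ("The" at the end of one line, "AppLocker event log is located in the following path" at the start of the next); the rest of plan-for-applocker-policy-management.md keeps one paragraph per source line, so join these back. The typo "This topic for describes the decisions" appears both in the `description:` metadata and in the first body line, and the hunk rewrites the body line without fixing it; drop "for" in both places. Likewise "packed app installer rule collection" in the third log bullet should be "packaged app installer". One substantive point in the End-user support list: the question "Will you allow users to run a script to temporarily allow access to a blocked app?" describes a self-service exception that, if answered yes, lets any user bypass the allow list; add a sentence that such exceptions should be administrator-approved and visible in the forwarded AppLocker events, since the event collection paragraph that follows is where that would be audited.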
@@ -2,290 +2,283 @@ title: Planning and deploying advanced security audit policies (Windows 10) description: This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies. ms.assetid: 7428e1db-aba8-407b-a39e-509671e5a442 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Planning and deploying advanced security audit policies + **Applies to** - Windows 10 -This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies. + +This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit +policies. + Organizations invest a large portion of their information technology budgets on security applications and services, such as antimalware software, firewalls, and encryption. But no matter how much security hardware or software you deploy, how tightly you control the rights of users, or how carefully you configure security permissions on your data, you should not consider the job complete unless you have a well-defined, timely auditing strategy to track the effectiveness of your defenses and identify attempts to circumvent them. + To be well defined and timely, an auditing strategy must provide useful tracking data for an organization's most important resources, critical behaviors, and potential risks. In a growing number of organizations, it must also provide absolute proof that IT operations comply with corporate and regulatory requirements. 
+ Unfortunately, no organization has unlimited resources to monitor every resource and activity on a network. If you do not plan well, you will likely have gaps in your auditing strategy. However, if you try to audit every resource and activity, you may find yourself with far too much monitoring data, including thousands of benign audit entries that an analyst needs to sift through to identify the narrow set of entries that warrant closer examination. This could cause delays or even prevent auditors from identifying suspicious activity. Thus, too much monitoring can leave an organization as vulnerable as not enough monitoring. + Here are some features that can help you focus your effort: + - **Advanced audit policy settings**. You can apply and manage detailed audit policy settings through Group Policy. - **"Reason for access" auditing**. You can specify and identify the permissions that were used to generate a particular object access security event. - **Global object access auditing**. You can define system access control lists (SACLs) for an entire computer file system or registry. + To deploy these features and plan an effective security auditing strategy, you need to: + - Identify your most critical resources and the most important activities that need to be tracked. - Identify the audit settings that can be used to track these activities. - Assess the advantages and potential costs associated with each. - Test these settings to validate your choices. - Develop plans for deploying and managing your audit policy. + ## About this guide + This document will guide you through the steps needed to plan a security auditing policy that uses Windows auditing features. 
This policy must identify and address vital business needs, including: + - Network reliability - Regulatory requirements - Protection of the organization's data and intellectual property - Users, including employees, contractors, partners, and customers - Client computers and applications - Servers and the applications and services running on those servers + The audit policy also must identify processes for managing audit data after it has been logged, including: + - Collecting, evaluating, and reviewing audit data - Storing and (if required) disposing of audit data + By carefully planning, designing, testing, and deploying a solution based on your organization's business requirements, you can provide the standardized functionality, security, and management control that your organization needs. + ## Understanding the security audit policy design process + The process of designing and deploying a Windows security audit policy involves the following tasks, which are described in greater detail throughout this document: + - [Identifying your Windows security audit policy deployment goals](#bkmk-1) + This section helps define the business objectives that will guide your Windows security audit policy. It also helps you define the resources, users, and computers that will be the focus of your security auditing. + - [Mapping the security audit policy to groups of users, computers, and resources in your organization](#bkmk-2) + This section explains how to integrate security audit policy settings with domain Group Policy settings for different groups of users, computers, and resources. In addition, if your network includes multiple versions of Windows client and server operating systems, it also explains when to use basic audit policy settings and when to use advanced security audit policy settings. 
+ - [Mapping your security auditing goals to a security audit policy configuration](#bkmk-3) + This section explains the categories of Windows security auditing settings that are available. It also identifies individual Windows security auditing policy settings that can be of particular value to address auditing scenarios. + - [Planning for security audit monitoring and management](#bkmk-4) + This section helps you plan to collect, analyze, and store Windows audit data. Depending on the number of computers and types of activity that you want to audit, Windows event logs can fill up quickly. In addition, this section explains how auditors can access and aggregate event data from multiple servers and desktop computers. It also explains how to address storage requirements, including how much audit data to store and how it must be stored. + - [Deploying the security audit policy](#bkmk-5) + This section provides recommendations and guidelines for the effective deployment of a Windows security audit policy. Configuring and deploying Windows audit policy settings in a test lab environment can help you confirm that the settings you have selected will produce the type of audit data you need. However, only a carefully staged pilot and incremental deployments based on your domain and organizational unit (OU) structure will enable you to confirm that the audit data you generate can be monitored and that it meets your organization's audit needs. + ## Identifying your Windows security audit policy deployment goals + A security audit policy must support and be a critical and integrated aspect of an organization's overall security design and framework. 
+ Every organization has a unique set of data and network assets (such as customer and financial data and trade secrets), physical resources (such as desktop computers, portable computers, and servers), and users (which can include various internal groups such as finance and marketing, and external groups such as partners, customers, and anonymous users on the website). Not all of these assets, resources, and users justify the cost of an audit. Your task is to identify which assets, resources, and users provide the strongest justification for the focus of a security audit. + To create your Windows security audit plan, begin by identifying: + - The overall network environment, including the domains, OUs, and security groups. - The resources on the network, the users of those resources, and how those resources are being used. - Regulatory requirements. + ### Network environment + An organization's domain and OU structure provide a fundamental starting point for thinking about how to apply a security audit policy because it likely provides a foundation of Group Policy Objects (GPOs) and logical grouping of resources and activities that you can use to apply the audit settings that you choose. It is also likely that certain portions of your domain and OU structure already provide logical groups of users, resources, and activities that justify the time and resources needed to audit them. For information about how to integrate a security audit policy with your domain and OU structure, see [Mapping security audit policy to groups of users, computers, and resources in your organization](#bkmk-2) later in this document. + In addition to your domain model, you should also find out whether your organization creates and maintains a systematic threat model. A good threat model can help you identify threats to key components in your infrastructure, so you can define and apply audit settings that enhance the organization's ability to identify and counter those threats. 
-**Important**   -Including auditing within your organization's security plan also makes it possible to budget your resources on the areas where auditing can achieve the most positive results. + +>**Important:**  Including auditing within your organization's security plan also makes it possible to budget your resources on the areas where auditing can achieve the most positive results.   For additional details about how to complete each of these steps and how to prepare a detailed threat model, download the [IT Infrastructure Threat Modeling Guide](http://go.microsoft.com/fwlink/p/?LinkId=163432). + ### Data and resources + For data and resource auditing, you need to identify the most important types of data and resources (such as patient records, accounting data, or marketing plans) that can benefit from the closer monitoring that Windows auditing can provide. Some of these data resources might already be monitored through auditing features in products such as Microsoft SQL Server and Exchange Server. If so, you may want to consider how Windows auditing features can enhance the existing audit strategy. As with the domain and OU structure discussed previously, security auditing should focus on your most critical resources. You also must consider how much audit data you will be able to manage. + You can record if these resources have high business impact, medium business impact, or low business impact, the cost to the organization if these data resources are accessed by unauthorized users, and the risk that this access can pose to the organization. The type of access by users (such as Read, Modify, or Copy) can also pose different levels of risk to an organization. + Increasingly, data access and use is governed by regulations, and a breach can result in severe penalties and a loss in credibility for the organization. If regulatory compliance plays a role in how you manage your data, be sure to also document this information. 
+ The following table provides an example of a resource analysis for an organization. - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Resource classWhere storedOrganizational unitBusiness impactSecurity or regulatory requirements

Payroll data

Corp-Finance-1

Accounting: Read/Write on Corp-Finance-1

-

Departmental Payroll Managers: Write only on Corp-Finance-1

High

Financial integrity and employee privacy

Patient medical records

MedRec-2

Doctors and Nurses: Read/Write on Med/Rec-2

-

Lab Assistants: Write only on MedRec-2

-

Accounting: Read only on MedRec-2

High

Strict legal and regulatory standards

Consumer health information

Web-Ext-1

Public Relations Web Content Creators: Read/Write on Web-Ext-1

-

Public: Read only on Web-Ext-1

Low

Public education and corporate image

+ +| Resource class | Where stored | Organizational unit | Business impact | Security or regulatory requirements | +| - | - | - | - | - | +| Payroll data| Corp-Finance-1| Accounting: Read/Write on Corp-Finance-1
Departmental Payroll Managers: Write only on Corp-Finance-1| High| Financial integrity and employee privacy| +| Patient medical records| MedRec-2| Doctors and Nurses: Read/Write on Med/Rec-2
Lab Assistants: Write only on MedRec-2
Accounting: Read only on MedRec-2| High| Strict legal and regulatory standards| +| Consumer health information| Web-Ext-1| Public Relations Web Content Creators: Read/Write on Web-Ext-1
Public: Read only on Web-Ext-1| Low| Public education and corporate image|   ### Users + Many organizations find it useful to classify the types of users they have and base permissions on this classification. This same classification can help you identify which user activities should be the subject of security auditing and the amount of audit data they will generate. + Organizations can create distinctions based on the type of rights and permissions needed by users to perform their jobs. For example, under the classification Administrators, larger organizations might assign local administrator responsibilities for a single computer, for specific applications such as Exchange Server or SQL Server, or for an entire domain. Under Users, permissions and Group Policy settings can apply to as many as all users in an organization or as few as a subset of the employees in a given department. + Also, if your organization is subject to regulatory requirements, user activities such as accessing medical records or financial data may need to be audited to verify that you are complying with these requirements. + To effectively audit user activity, begin by listing the different types of users in your organization and the types of data they need access to—in addition to the data they should not have access to. + Also, if external users can access any of your organization's data, be sure to identify them, including if they belong to a business partner, customer, or general user, the data they have access to, and the permissions they have to access that data. + The following table illustrates an analysis of users on a network. Although our example contains a single column titled "Possible auditing considerations," you may want to create additional columns to differentiate between different types of network activity, such as logon hours and permission use. - ----- - - - - - - - - - - - - - - - - - - - - - - - - -
GroupsDataPossible auditing considerations

Account administrators

User accounts and security groups

Account administrators have full privileges to create new user accounts, reset passwords, and modify security group memberships. We need a mechanism to monitor these changes.

Members of the Finance OU

Financial records

Users in Finance have Read/Write access to critical financial records, but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements.

External partners

Project Z

Employees of partner organizations have Read/Write access to certain project data and servers relating to Project Z, but not to other servers or data on the network.

+ +| Groups | Data | Possible auditing considerations | +| - | - | - | +| Account administrators| User accounts and security groups| Account administrators have full privileges to create new user accounts, reset passwords, and modify security group memberships. We need a mechanism to monitor these changes. | +| Members of the Finance OU| Financial records| Users in Finance have Read/Write access to critical financial records, but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements. | +| External partners | Project Z| Employees of partner organizations have Read/Write access to certain project data and servers relating to Project Z, but not to other servers or data on the network.|   ### Computers + Security and auditing requirements and audit event volume can vary considerably for different types of computers in an organization. These requirements can be based on: + - If the computers are servers, desktop computers, or portable computers. - The important applications the computers run, such as Exchange Server, SQL Server, or Forefront Identity Manager. - **Note**   - If the server applications (including Exchange Server and SQL Server) have audit settings. For more information about auditing in Exchange Server, see the [Exchange 2010 Security Guide](http://go.microsoft.com/fwlink/p/?linkid=128052). For more information about auditing in SQL Server 2008, see [Auditing (Database Engine)](http://go.microsoft.com/fwlink/p/?LinkId=163434). For SQL Server 2012, see [SQL Server Audit (Database Engine)](http://technet.microsoft.com/library/cc280386.aspx). + + >**Note:**  If the server applications (including Exchange Server and SQL Server) have audit settings. For more information about auditing in Exchange Server, see the [Exchange 2010 Security Guide](http://go.microsoft.com/fwlink/p/?linkid=128052). 
For more information about auditing in SQL Server 2008, see [Auditing (Database Engine)](http://go.microsoft.com/fwlink/p/?LinkId=163434). For SQL Server 2012, see [SQL Server Audit (Database Engine)](http://technet.microsoft.com/library/cc280386.aspx).   - The operating system versions. - **Note**   - The operating system version determines which auditing options are available and the volume of audit event data. + + >**Note:**  The operating system version determines which auditing options are available and the volume of audit event data.   - The business value of the data. + For example, a web server that is accessed by external users requires different audit settings than a root certification authority (CA) that is never exposed to the public Internet or even to regular users on the organization's network. + The following table illustrates an analysis of computers in an organization. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Type of computer and applicationsOperating system versionWhere located

Servers hosting Exchange Server

Windows Server 2008 R2

ExchangeSrv OU

File servers

Windows Server 2012

Separate resource OUs by department and (in some cases) by location

Portable computers

Windows Vista and Windows 7

Separate portable computer OUs by department and (in some cases) by location

Web servers

Windows Server 2008 R2

WebSrv OU

+ +| Type of computer and applications | Operating system version | Where located | +| - | - | - | +| Servers hosting Exchange Server| Windows Server 2008 R2| ExchangeSrv OU| +| File servers | Windows Server 2012| Separate resource OUs by department and (in some cases) by location| +| Portable computers | Windows Vista and Windows 7| Separate portable computer OUs by department and (in some cases) by location| +| Web servers | Windows Server 2008 R2 | WebSrv OU|   ### Regulatory requirements + Many industries and locales have strict and specific requirements for network operations and how resources are protected. In the health care and financial industries, for example, there are strict guidelines for who has access to records and how they are used. Many countries have strict privacy rules. To identify regulatory requirements, work with your organization's legal department and other departments responsible for these requirements. Then consider the security configuration and auditing options that can be used to comply with and verify compliance with these regulations. + For more info, see the [System Center Process Pack for IT GRC](http://technet.microsoft.com/library/dd206732.aspx). + ## Mapping the security audit policy to groups of users, computers, and resources in your organization -By using Group Policy, you can apply your security audit policy to defined groups of users, computers, and resources. To map a security auditing policy to these defined groups in your organization, you should understand the following considerations for using Group Policy to apply security audit policy settings: + +By using Group Policy, you can apply your security audit policy to defined groups of users, computers, and resources. 
To map a security auditing policy to these defined groups in your organization, you should understand the +following considerations for using Group Policy to apply security audit policy settings: + - The policy settings you identify can be applied by using one or more GPOs. To create and edit a GPO, use the Group Policy Management Console (GPMC). By using the GPMC to link a GPO to selected Active Directory sites, domains, and OUs, you apply the policy settings in the GPO to the users and computers in those Active Directory objects. An OU is the lowest-level Active Directory container to which you can assign Group Policy settings. - For every policy setting that you select, you need to decide whether it should be enforced across the organization, or whether it should apply only to selected users or computers. You can then combine these audit policy settings into GPOs and link them to the appropriate Active Directory containers. - By default, options set in GPOs that are linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, a GPO that is linked at a lower level can overwrite inherited policies. + For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of additional settings. To accomplish this, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level (unless you have taken special steps to apply Group Policy loopback processing). + - Audit policies are computer policies. Therefore, they must be applied through GPOs that are applied to computer OUs, not to user OUs. However, in most cases you can apply audit settings for only specified resources and groups of users by configuring SACLs on the relevant objects. 
This enables auditing for a security group that contains only the users you specify. + For example, you could configure a SACL for a folder called Payroll Data on Accounting Server 1. This can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events. + - Advanced security audit policy settings were introduced in Windows Server 2008 R2 or Windows 7 and can be applied to those operating systems and later. These advanced audit polices can only be applied by using Group Policy. - **Important**   - Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both basic and advanced audit policy settings can cause unexpected results in audit reporting. + + >**Important:**  Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both basic and advanced audit policy settings can cause unexpected results in audit reporting. + If you use **Advanced Audit Policy Configuration** settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.   
+ The following are examples of how audit policies can be applied to an organization's OU structure: + - Apply data activity settings to an OU that contains file servers. If your organization has servers that contain particularly sensitive data, consider putting them in a separate OU so that you can configure and apply a more precise audit policy to these servers. - Apply user activity audit policies to an OU that contains all computers in the organization. If your organization places users in OUs based on the department they work in, consider configuring and applying more detailed security permissions on critical resources that are accessed by employees who work in more sensitive areas, such as network administrators or the legal department. - Apply network and system activity audit policies to OUs that contain the organization's most critical servers, such as domain controllers, CAs, email servers, or database servers. + ## Mapping your security auditing goals to a security audit policy configuration + After you identify your security auditing goals, you can begin to map them to a security audit policy configuration. This audit policy configuration must address your most critical security auditing goals, but it also must address your organization's constraints, such as the number of computers that need to be monitored, the number of activities that you want to audit, the number of audit events that your desired audit configuration will generate, and the number of administrators available to analyze and act upon audit data. + To create your audit policy configuration, you need to: + 1. Explore all of the audit policy settings that can be used to address your needs. 2. Choose the audit settings that will most effectively address the audit requirements identified in the previous section. 3. Confirm that the settings you choose are compatible with the operating systems running on the computers that you want to monitor. 4. 
Decide which configuration options (Success, Failure, or both Success and Failure) you want to use for the audit settings. 5. Deploy the audit settings in a lab or test environment to verify that they meet your desired results in terms of volume, supportability, and comprehensiveness. Then deploy the audit settings in a pilot production environment to ensure that your estimates of how much audit data your audit plan will generate are realistic and that you can manage this data. + ### Exploring audit policy options + Security audit policy settings in the supported versions of Windows can be viewed and configured in the following locations: + - **Security Settings\\Local Policies\\Audit Policy**. - **Security Settings\\Local Policies\\Security Options**. - **Security Settings\\Advanced Audit Policy Configuration**. For more information, see [Advanced security audit policy settings](advanced-security-audit-policy-settings.md). + ### Choosing audit settings to use + Depending on your goals, different sets of audit settings may be of particular value to you. For example, some settings under **Security Settings\\Advanced Audit Policy Configuration** can be used to monitor the following types of activity: + - Data and resources - Users - Network -**Important**   -Settings that are described in the Reference might also provide valuable information about activity audited by another setting. For example, the settings used to monitor user activity and network activity have obvious relevance to protecting your data resources. Likewise, attempts to compromise data resources have huge implications for overall network status, and potentially for how well you are managing the activities of users on the network. + +>**Important:**  Settings that are described in the Reference might also provide valuable information about activity audited by another setting. 
For example, the settings used to monitor user activity and network activity have obvious relevance to protecting your data resources. Likewise, attempts to compromise data resources have huge implications for overall network status, and potentially for how well you are managing the activities of users on the network.   ### Data and resource activity -For many organizations, compromising the organization's data resources can cause tremendous financial losses, in addition to lost prestige and legal liability. If your organization has critical data resources that need to be protected against any breach, the following settings can provide extremely valuable monitoring and forensic data: + +For many organizations, compromising the organization's data resources can cause tremendous financial losses, in addition to lost prestige and legal liability. If your organization has critical data resources that need to be +protected against any breach, the following settings can provide extremely valuable monitoring and forensic data: + - Object Access\\[Audit File Share](audit-file-share.md). This policy setting allows you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access. The volume of event data generated by this setting will vary depending on the number of client computers that attempt to access the file share. On a file server or domain controller, volume may be high due to SYSVOL access by client computers for policy processing. If you do not need to record routine access by client computers that have permissions on the file share, you may want to log audit events only for failed attempts to access the file share. - Object Access\\[Audit File System](audit-file-system.md). This policy setting determines whether the operating system audits user attempts to access file system objects. 
Audit events are only generated for objects (such as files and folders) that have configured SACLs, and only if the type of access requested (such as Write, Read, or Modify) and the account that is making the request match the settings in the SACL. + If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL. The amount of audit data generated by the **Audit File System** policy setting can vary considerably, depending on the number of objects that have been configured to be monitored. - **Note**   - To audit user attempts to access all file system objects on a computer, use the Global Object Access Auditing settings [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) or [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md). + + >**Note:**  To audit user attempts to access all file system objects on a computer, use the Global Object Access Auditing settings [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) or [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md).   - Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md). This policy setting determines whether the operating system generates audit events when a handle to an object is opened or closed. Only objects with configured SACLs generate these events, and only if the attempted handle operation matches the SACL. + Event volume can be high, depending on how SACLs are configured. 
When used together with the **Audit File System** or **Audit Registry** policy settings, the **Audit Handle Manipulation** policy setting can provide an administrator with useful "reason for access" audit data that details the precise permissions on which the audit event is based. For example, if a file is configured as a Read-only resource but a user attempts to save changes to the file, the audit event will log not only the event, but also the permissions that were used (or attempted to be used) to save the file changes. + - **Global Object Access Auditing**. A growing number of organizations are using security auditing to comply with regulatory requirements that govern data security and privacy. But demonstrating that strict controls are being enforced can be extremely difficult. To address this issue, the supported versions of Windows include two **Global Object Access Auditing** policy settings, one for the registry and one for the file system. When you configure these settings, they apply a global system access control SACL on all objects of that class on a system, which cannot be overridden or circumvented. - **Important**   - The **Global Object Access Auditing** policy settings must be configured and applied in conjunction with the **Audit File System** and **Audit Registry** audit policy settings in the **Object Access** category. + >**Important:**  The **Global Object Access Auditing** policy settings must be configured and applied in conjunction with the **Audit File System** and **Audit Registry** audit policy settings in the **Object Access** category.   ### User activity + The settings in the previous section relate to activity involving the files, folders, and network shares that are stored on a network, and the settings in this section focus on the users, including employees, partners, and customers, who may try to access those resources. 
+ In the majority of cases, these attempts will be legitimate and a network needs to make vital data readily available to legitimate users. However in other cases, employees, partners, and others may attempt to access resources that they have no legitimate reason to access. Security auditing can be used to track a wide variety of user activities on a particular computer to diagnose and resolve problems for legitimate users and identify and address illegitimate activities. The following are a few important settings that you should evaluate to track user activity on your network: + - Account Logon\\[Audit Credential Validation](audit-credential-validation.md). This is an extremely important policy setting because it enables you to track every successful and unsuccessful attempt to present credentials for a user logon. In particular, a pattern of unsuccessful attempts may indicate that a user or application is using credentials that are no longer valid, or attempting to use a variety of credentials in succession in hope that one of these attempts will eventually be successful. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. - Detailed Tracking\\[Audit Process Creation](audit-process-creation.md) and Detailed Tracking\\[Audit Process Termination](audit-process-termination.md). These policy settings can enable you to monitor the applications that a user opens and closes on a computer. - DS Access\\[Audit Directory Service Access](audit-directory-service-access.md) and DS Access\\[Audit Directory Service Changes](audit-directory-service-changes.md). These policy settings provide a detailed audit trail of attempts to access create, modify, delete, move, or undelete objects in Active Directory Domain Services (AD DS). 
Only domain administrators have permissions to modify AD DS objects, so it is extremely important to identify malicious attempts to modify these objects. In addition, although domain administrators should be among an organization's most trusted employees, the use of **Audit Directory Service Access** and **Audit Directory Service Changes** settings allow you to monitor and verify that only approved changes are made to AD DS. These audit events are logged only on domain controllers. - Logon/Logoff\\[Audit Account Lockout](audit-account-lockout.md). Another common security scenario occurs when a user attempts to log on with an account that has been locked out. It is important to identify these events and to determine whether the attempt to use an account that has been locked out is malicious. - Logon/Logoff\\[Audit Logoff](audit-logoff.md) and Logon/Logoff\\[Audit Logon](audit-logon.md). Logon and logoff events are essential to tracking user activity and detecting potential attacks. Logon events are related to the creation of logon sessions, and they occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For network logon, such as accessing a shared resource, events are generated on the computer that hosts the resource that was accessed. Logoff events are generated when logon sessions are terminated. - **Note**   - There is no failure event for logoff activity because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown, and a logoff event is not generated. + + >**Note:**  There is no failure event for logoff activity because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record. Logoff events are not 100 percent reliable. 
For example, the computer can be turned off without a proper logoff and shutdown, and a logoff event is not generated.   - Logon/Logoff\\[Audit Special Logon](audit-special-logon.md). A special logon has administrator-equivalent rights and can be used to elevate a process to a higher level. It is recommended to track these types of logons. For more information about this feature, see [article 947223](http://go.microsoft.com/fwlink/p/?linkid=120183) in the Microsoft Knowledge Base. - Object Access\\[Audit Certification Services](audit-certification-services.md). This policy setting allows you to track and monitor a wide variety of activities on a computer that hosts Active Directory Certificate Services (AD CS) role services to ensure that only authorized users are performing or attempting to perform these tasks, and that only authorized or desired tasks are being performed. - Object Access\\[Audit File System](audit-file-system.md) and Object Access\\[Audit File Share](audit-file-share.md). These policy settings are described in the previous section. - Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md). This policy setting and its role in providing "reason for access" audit data is described in the previous section. - Object Access\\[Audit Registry](audit-registry.md). Monitoring for changes to the registry is one of the most critical means that an administrator has to ensure malicious users do not make changes to essential computer settings. Audit events are only generated for objects that have configured SACLs, and only if the type of access that is requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL. 
- **Important**   - On critical systems where all attempts to change registry settings need to be tracked, you can combine the **Audit Registry** policy setting with the **Global Object Access Auditing** policy settings to ensure that all attempts to modify registry settings on a computer are tracked. + + >**Important:**  On critical systems where all attempts to change registry settings need to be tracked, you can combine the **Audit Registry** policy setting with the **Global Object Access Auditing** policy settings to ensure that all attempts to modify registry settings on a computer are tracked.   - Object Access\\[Audit SAM](audit-sam.md). The Security Accounts Manager (SAM) is a database that is present on computers running Windows that stores user accounts and security descriptors for users on the local computer. Changes to user and group objects are tracked by the **Account Management** audit category. However, user accounts with the proper user rights could potentially alter the files where the account and password information is stored in the system, bypassing any **Account Management** events. - Privilege Use\\[Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md). **Privilege Use** policy settings and audit events allow you to track the use of certain rights on one or more systems. If you configure this policy setting, an audit event is generated when sensitive rights requests are made. + ### Network activity + The following network activity policy settings allow you to monitor security-related issues that are not necessarily covered in the data or user activity categories, but that can be equally important for network status and protection. + - **Account Management**. The policy settings in this category can be used to track attempts to create, delete, or modify user or computer accounts, security groups, or distribution groups. 
Monitoring these activities complements the monitoring strategies you select in the user activity and data activity sections. - Account Logon\\[Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) and Account Logon\\[Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md). Audit policy settings in the **Account Logon** category monitor activities that relate to the use of domain account credentials. These policy settings complement the policy settings in the **Logon/Logoff** category. The **Audit Kerberos Authentication Service** policy setting allows you to monitor the status of and potential threats to the Kerberos service. The Audit **Kerberos Service Ticket Operations** policy setting allows you to monitor the use of Kerberos service tickets. - **Note**   - **Account Logon** policy settings apply only to specific domain account activities, regardless of the computer that is accessed, whereas **Logon/Logoff** policy settings apply to the computer that hosts the resources being accessed. + + >**Note:**  **Account Logon** policy settings apply only to specific domain account activities, regardless of the computer that is accessed, whereas **Logon/Logoff** policy settings apply to the computer that hosts the resources being accessed.   - Account Logon\\[Audit Other Account Logon Events](audit-other-account-logon-events.md). This policy setting can be used to track a number of different network activities, including attempts to create Remote Desktop connections, wired network connections, and wireless connections. - **DS Access**. Policy settings in this category allow you to monitor the AD DS role services, which provide account data, validate logons, maintain network access permissions, and provide other services that are critical to the secure and proper functioning of a network. 
Therefore, auditing the rights to access and modify the configuration of a domain controller can help an organization maintain a secure and reliable network. In addition, one of the key tasks performed by AD DS is the replication of data between domain controllers. 
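Review bot: in the DS Access bullet of the "User activity" section, "Only domain administrators have permissions to modify AD DS objects" is overstated: AD DS permissions are delegable, and delegated OU administrators, Account Operators, and even user or computer accounts writing their own attributes can modify objects without being domain administrators, which is exactly the activity Audit Directory Service Access and Audit Directory Service Changes are meant to surface. Suggest "By default, only domain administrators and delegated accounts have permissions to modify most AD DS objects, so ...". Smaller formatting point in the same hunk: "The Audit **Kerberos Service Ticket Operations** policy setting" leaves "Audit" outside the bold span; write "**Audit Kerberos Service Ticket Operations**" to match the other policy names.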
@@ -295,41 +288,65 @@ The following network activity policy settings allow you to monitor security-rel - Policy Change\\[Audit Audit Policy Change](audit-audit-policy-change.md). This policy setting allows you to monitor changes to the audit policy. If malicious users obtain domain administrator credentials, they can temporarily disable essential security audit policy settings so that their other activities on the network cannot be detected. - Policy Change\\[Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md). This policy setting can be used to monitor a large variety of changes to an organization's IPsec policies. - Policy Change\\[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md). This policy setting determines if the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe), which is used by Windows Firewall. Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks. + ### Confirm operating system version compatibility + Not all versions of Windows support advanced audit policy settings or the use of Group Policy to apply and manage these settings. For more info, see [Which editions of Windows support advanced audit policy configuration](which-editions-of-windows-support-advanced-audit-policy-configuration.md). + The audit policy settings under **Local Policies\\Audit Policy** overlap with audit policy settings under **Security Settings\\Advanced Audit Policy Configuration**. However, the advanced audit policy categories and subcategories make it possible to focus your auditing efforts on the most critical activities while reducing the amount of audit data that is less important to your organization. 
+ For example, **Local Policies\\Audit Policy** contains a single setting called [Audit account logon events](http://technet.microsoft.com/library/cc787176.aspx). When this setting is configured, it generates at least 10 types of audit events. + In comparison, the Account Logon category under **Security Settings\\Advanced Audit Policy Configuration** provides the following advanced settings, which allow you to focus your auditing: + - Credential Validation - Kerberos Authentication Service - Kerberos Service Ticket Operations - Other Account Logon Events + These settings allow you to exercise much tighter control over which activities or events generate event data. Some activities and events will be more important to your organization, so define the scope of your security audit policy as narrowly as possible. + ### Success, failure, or both + Whichever event settings you include in your plan, you also have to decide whether you want to log an event when the activity fails, when an activity succeeds, or both successes and failures. This is an important question, and the answer will be based on the criticality of the event and the implications of the decision on event volume. + For example, on a file server that is accessed frequently by legitimate users, you may be interested in logging an event only when an unsuccessful attempt to access data takes place, because this could be evidence of an unauthorized or malicious user. And in this instance, logging successful attempts to access the server would quickly fill the event log with benign events. + On the other hand, if the file share has extremely sensitive and valuable information, such as trade secrets, you may want to log every access attempt, whether successful or unsuccessful, so that you have an audit trail of every user who accessed the resource. 
+ ## Planning for security audit monitoring and management + Networks can contain hundreds of servers running critical services or storing critical data, all of which need to be monitored. The number of client computers on the network can easily range into the tens or even hundreds of thousands. This may not be an issue if the ratio of servers or client computers per administrator is low. Even if an administrator who is responsible for auditing security and performance issues has relatively few computers to monitor, you need to decide how an administrator will obtain event data to review. Following are some options for obtaining the event data. + - Will you keep event data on a local computer until an administrator logs on to review this data? If so, then the administrator needs to have physical or remote access to the Event Viewer on each client computer or server, and the remote access and firewall settings on each client computer or server need to be configured to enable this access. In addition, you need to decide how often an administrator can visit each computer, and adjust the size of the audit log so that critical information is not deleted if the log reaches its maximum capacity. - Will you collect event data so that it can be reviewed from a central console? If so, there are a number of computer management products, such as the Audit Collection Services in Operations Manager 2007 and 2012, which can be used to collect and filter event data. Presumably this solution enables a single administrator to review larger amounts of data than using the local storage option. But in some cases, this can make it more difficult to detect clusters of related events that can occur on a single computer. + In addition, whether you choose to leave audit data on an individual computer or consolidate it at a central location, you need to decide how large the log file should be and what should happen when the log reaches its maximum size. 
To configure these options, open Event Viewer, expand **Windows Logs**, right-click **Security**, and click **Properties**. You can configure the following properties: + - **Overwrite events as needed (oldest events first)**. This is the default option, which is an acceptable solution in most situations. - **Archive the log when full, do not overwrite events**. This option can be used when all log data needs to be saved, but it also suggests that you may not be reviewing audit data frequently enough. - **Do not overwrite events (Clear logs manually)**. This option stops the collection of audit data when the log file reaches its maximum size. Older data is retained at the expense of the most recent audit events. Use this option only if you do not want to lose any audit data, do not want to create an archive of the event log, and are committed to reviewing data before the maximum log size is reached. -You can also configure the audit log size and other key management options by using Group Policy settings. You can configure the event log settings in the following locations within the GPMC: **Computer Configuration\\Administrative Templates\\Windows Components\\Event Log Service\\Security**. These options include: + +You can also configure the audit log size and other key management options by using Group Policy settings. You can configure the event log settings in the following locations within the GPMC: **Computer +Configuration\\Administrative Templates\\Windows Components\\Event Log Service\\Security**. These options include: + - **Maximum Log Size (KB)**. This policy setting specifies the maximum size of the log files. The user interfaces in the Local Group Policy Editor and Event Viewer allow you to enter values as large as 2 TB. If this setting is not configured, event logs have a default maximum size of 20 megabytes. + - **Log Access**. This policy setting determines which user accounts have access to log files and what usage rights are granted. 
- **Retain old events**. This policy setting controls event log behavior when the log file reaches its maximum size. When this policy setting is enabled and a log file reaches its maximum size, new events are not written to the log and are lost. When this policy setting is disabled and a log file reaches its maximum size, new events overwrite old events. - **Backup log automatically when full**. This policy setting controls event log behavior when the log file reaches its maximum size and takes effect only if the **Retain old events** policy setting is enabled. If you enable these policy settings, the event log file is automatically closed and renamed when it is full. A new file is then started. If you disable or do not configure this policy setting and the **Retain old events** policy setting is enabled, new events are discarded and the old events are retained. + In addition, a growing number of organizations are being required to store archived log files for a number of years. You should consult with regulatory compliance officers in your organization to determine whether such guidelines apply to your organization. For more information, see the [IT Compliance Management Guide](http://go.microsoft.com/fwlink/p/?LinkId=163435). + ## Deploying the security audit policy + Before deploying the audit policy in a production environment, it is critical that you determine the effects of the policy settings that you have configured. The first step in assessing your audit policy deployment is to create a test environment in a lab and use it to simulate the various use scenarios that you have identified to confirm that the audit settings you have selected are configured correctly and generate the type of results you intend. 
+ However, unless you are able to run fairly realistic simulations of network usage patterns, a lab setup cannot provide you with accurate information about the volume of audit data that the audit policy settings you selected will generate and how effective your plan for monitoring audit data will be. To provide this type of information, you need to conduct one or more pilot deployments. These pilot deployments could involve: + - A single OU that contains critical data servers or an OU that contains all desktop computers in a specified location. - A limited set of security audit policy settings, such as **Logon/Logoff** and **Account Logon**. - A combination of limited OUs and audit policy settings—for example, targeting servers in only the Accounting OU with **Object Access** policy settings. + After you have successfully completed one or more limited deployments, you should confirm that the audit data that is collected is manageable with your management tools and administrators. When you have confirmed that the pilot deployment is effective, you need to confirm that you have the necessary tools and staff to expand the deployment to include additional OUs and sets of audit policy settings until the production deployment is complete. -  -  diff --git a/windows/keep-secure/planning-certificate-based-authentication.md b/windows/keep-secure/planning-certificate-based-authentication.md new file mode 100644 index 0000000000..69e599b812 --- /dev/null +++ b/windows/keep-secure/planning-certificate-based-authentication.md 
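Review bot: the rewrapped Group Policy path in "Planning for security audit monitoring and management" now splits a single bold span across two lines, `**Computer` on one `+` line and `Configuration\\Administrative Templates\\Windows Components\\Event Log Service\\Security**` on the next, so the path renders with a line break inside it and some renderers drop the bold entirely; keep the whole path on one line as the removed `-` line had it. One suggestion on content: the **Do not overwrite events (Clear logs manually)** bullet correctly notes that the most recent audit events are lost once the log is full, but that is also the failure mode an attacker can force by flooding the log; worth adding that this option should be combined with alerting when the Security log approaches its maximum size.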
@@ -0,0 +1,54 @@ +--- +title: Planning Certificate-based Authentication (Windows 10) +description: Planning Certificate-based Authentication +ms.assetid: a55344e6-d0df-4ad5-a6f5-67ccb6397dec +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Planning Certificate-based Authentication + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Sometimes a device cannot join an Active Directory domain, and therefore cannot use Kerberos V5 authentication with domain credentials. However, the device can still participate in the isolated domain by using certificate-based authentication. + +The non-domain member server, and the clients that must be able to communicate with it, must be configured to use cryptographic certificates based on the X.509 standard. These certificates can be used as an alternate set of credentials. During IKE negotiation, each device sends a copy of its certificate to the other device. Each device examines the received certificate, and then validates its authenticity. To be considered authentic, the received certificate must be validated by a certification authority certificate in the recipient's Trusted Root Certification Authorities store on the local device. + +Certificates can be acquired from commercial firms, or by an internal certificate server set up as part of the organization's public key infrastructure (PKI). Microsoft provides a complete PKI and certification authority solution with Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 Active Directory Certificate Services (AD CS). + +## Deploying certificates + +No matter how you acquire your certificates, you must deploy them to clients and servers that require them in order to communicate. 
+ +### Using Active Directory Certificate Services + +If you use AD CS to create your own user and device certificates in-house, then the servers designated as certification authorities (CAs) create the certificates based on administrator-designed templates. AD CS then uses Group Policy to deploy the certificates to domain member devices. Device certificates are deployed when a domain member device starts. User certificates are deployed when a user logs on. + +If you want non-domain member devices to be part of a server isolation zone that requires access by only authorized users, make sure to include certificate mapping to associate the certificates with specific user accounts. When certificate mapping is enabled, the certificate issued to each device or user includes enough identification information to enable IPsec to match the certificate to both user and device accounts. + +AD CS automatically ensures that certificates issued by the CAs are trusted by the client devices by putting the CA certificates in the correct store on each domain member device. + +### Using a commercially purchased certificate for devices running Windows + +You can import the certificates manually onto each device if the number of devices is relatively small. For a deployment to more than a handful of devices, use Group Policy. + +You must first download the vendor's root CA certificate, and then import it to a GPO that deploys it to the Local Computer\\Trusted Root Certification Authorities store on each device that applies the GPO. + +You must also import the purchased certificate into a GPO that deploys it to the Local Computer\\Personal store on each device that applies the GPO. + +### Using a commercially purchased certificate for devices running a non-Windows operating system + +If you are installing the certificates on an operating system other than Windows, see the documentation for that operating system. 
+ +## Configuring IPsec to use the certificates + +When the clients and servers have the certificates available, you can configure the IPsec and connection security rules to include those certificates as a valid authentication method. The authentication method requires the subject name of the certificate, for example: **DC=com,DC=woodgrovebank,CN=CorporateCertServer**. Optionally, select **Enable certificate to account mapping** to support using these credentials for restricting access to users or devices that are members of authorized groups in a server isolation solution. + +Starting in Windows Server 2012,you can configure certificate selection criteria so the desired certificate is selected and/or validated. Enhanced Key Usage (EKU) criteria can be configured, as well as name restrictions and certificate thumbprints. This is configured using the **Advanced** button when choosing certificates for the authentication method in the user interface, or through Windows PowerShell. + +**Next: **[Documenting the Zones](documenting-the-zones.md) diff --git a/windows/keep-secure/planning-domain-isolation-zones.md b/windows/keep-secure/planning-domain-isolation-zones.md new file mode 100644 index 0000000000..208265eefb --- /dev/null +++ b/windows/keep-secure/planning-domain-isolation-zones.md 
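Review bot: the closing navigation line `**Next: **[Documenting the Zones](documenting-the-zones.md)` will not render as bold, because the closing `**` is preceded by a space; write `**Next:** [Documenting the Zones](documenting-the-zones.md)` instead. Two smaller items in the same file: "Starting in Windows Server 2012,you can configure" is missing the space after the comma, and the AD CS sentence lists only Windows Server 2012, Windows Server 2008 R2 and Windows Server 2008 while the Applies to block names Windows Server 2016 Technical Preview, so either add the current server versions or say "Windows Server" generically.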
@@ -0,0 +1,30 @@ +--- +title: Planning Domain Isolation Zones (Windows 10) +description: Planning Domain Isolation Zones +ms.assetid: 70bc7c52-91f0-4a0d-a64a-69d3ea1c6d05 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Planning Domain Isolation Zones + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +After you have the required information about your network, Active Directory, and client and server devices, you can use that information to make decisions about the isolation zones you want to use in your environment. + +The bulk of the work in planning server and domain isolation is determining which devices to assign to each isolation zone. Correctly choosing the zone for each device is important to providing the correct level of security without compromising performance or the ability for a device to send or receive required network traffic. + +The zones described in this guide include the following: + +- [Exemption List](exemption-list.md) + +- [Isolated Domain](isolated-domain.md) + +- [Boundary Zone](boundary-zone.md) + +- [Encryption Zone](encryption-zone.md) diff --git a/windows/keep-secure/planning-gpo-deployment.md b/windows/keep-secure/planning-gpo-deployment.md new file mode 100644 index 0000000000..050a5550f7 --- /dev/null +++ b/windows/keep-secure/planning-gpo-deployment.md 
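Review bot: this page ends after the zone list with no navigation link to the next planning topic, unlike planning-certificate-based-authentication.md in the same patch, which closes with a "Next:" link; since this page introduces the sequence of zone topics (Exemption List, Isolated Domain, Boundary Zone, Encryption Zone), add the same "Next:" link so readers are not left at a dead end.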
@@ -0,0 +1,116 @@ +--- +title: Planning GPO Deployment (Windows 10) +description: Planning GPO Deployment +ms.assetid: b38adfb1-1371-4227-a887-e6d118809de1 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Planning GPO Deployment + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +You can control which GPOs are applied to devices in Active Directory in a combination of three ways: + +- **Active Directory organizational unit hierarchy**. This involves linking the GPO to a specific OU in the Active Directory OU hierarchy. All devices in the OU and its subordinate containers receive and apply the GPO. + + Controlling GPO application through linking to OUs is typically used when you can organize the OU hierarchy according to your domain isolation zone requirements. GPOs can apply settings to devices based on their location within Active Directory. If a device is moved from one OU to another, the policy linked to the second OU will eventually take effect when Group Policy detects the change during polling. + +- **Security group filtering**. This involves linking the GPOs to the domain level (or other parent OU) in the OU hierarchy, and then selecting which devices receive the GPO by using permissions that only allow correct group members to apply the GPO. + + The security group filters are attached to the GPOs themselves. A group is added to the security group filter of the GPO in Active Directory, and then assigned Read and Apply Group Policy permissions. Other groups can be explicitly denied Read and Apply Group Policy permissions. Only those devices whose group membership are granted Read and Apply Group Policy permissions without any explicit deny permissions can apply the GPO. + +- **WMI filtering**. A WMI filter is a query that is run dynamically when the GPO is evaluated. 
If a device is a member of the result set when the WMI filter query runs, the GPO is applied to the device. + + A WMI filter consists of one or more conditions that are evaluated against the local device. You can check almost any characteristic of the device, its operating system, and its installed programs. If all of the specified conditions are true for the device, the GPO is applied; otherwise the GPO is ignored. + +This guide uses a combination of security group filtering and WMI filtering to provide the most flexible options. If you follow this guidance, even though there might be five different GPOs linked to a specific group because of operating system version differences, only the correct GPO is applied. + +## General considerations + +- Deploy your GPOs before you add any device accounts to the groups that receive the GPOs. That way you can add your devices to the groups in a controlled manner. Be sure to add only a few test devices at first. Before adding many group members, examine the results on the test devices and verify that the configured firewall and connection security rules have the effect that you want. See the following sections for some suggestions on what to test before you continue. + +## Test your deployed groups and GPOs + +After you have deployed your GPOs and added some test devices to the groups, confirm the following before you continue with more group members: + +- Examine the GPOs that are both assigned to and filtered from the device. Run the **gpresult** tool at a command prompt. + +- Examine the rules deployed to the device. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, and then expand the **Firewall** and **Connection Security** nodes. + +- Verify that communications are authenticated. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then click **Main Mode**. 
+ +- Verify that communications are encrypted when the devices require it. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then select **Quick Mode**. Encrypted connections display a value other than **None** in the **ESP Confidentiality** column. + +- Verify that your programs are unaffected. Run them and confirm that they still work as expected. + +After you have confirmed that the GPOs have been correctly applied, and that the devices are now communicating by using IPsec network traffic in request mode, you can begin to add more devices to the group accounts, in manageable numbers at a time. Continue to monitor and confirm the correct application of the GPOs to the devices. + +## Do not enable require mode until deployment is complete + +If you deploy a GPO that requires authentication to a device before the other devices have a GPO deployed, communication between them might not be possible. Wait until you have all the zones and their GPOs deployed in request mode and confirm (as described in the previous section) that the devices are successfully communicating by using IPsec. + +If there are problems with GPO deployment, or errors in configuration of one or more of the IPsec GPOs, devices can continue to operate, because request mode enables any device to fall back to clear communications. + +Only after you have added all of the devices to their zones, and you have confirmed that communications are working as expected, you can start changing the request mode rules to require mode rules where it is required in the zones. We recommend that you enable require mode in the zones one zone at a time, pausing to confirm that they are functioning properly before you continue. Turn the required mode setting on for the server isolation zones first, then the encryption zone, and then the isolated domain. 
+ +Do not change the boundary zone GPO, because it must stay in request mode for both inbound and outbound connections. + +If you create other zones that require either inbound or outbound require mode, make the setting change in a manner that applies the setting in stages from the smaller groups of devices to the larger groups. + +## Example Woodgrove Bank deployment plans + +Woodgrove Bank links all its GPOs to the domain level container in the Active Directory OU hierarchy. It then uses the following WMI filters and security group filters to control the application of the GPOs to the correct subset of devices. All of the GPOs have the User Configuration section disabled to improve performance. + +### GPO\_DOMISO\_Firewall + +- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query: + + `select * from Win32_OperatingSystem where Version like "6.%" and ProductType <> "2"` + + >**Note:**  This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are devices running versions of Windows earlier than Windows Vista and Windows Server 2008. + +- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the CG\_DOMISO\_NO\_IPSEC. + +### GPO\_DOMISO\_IsolatedDomain\_Clients + +- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query: + + `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "1"` + +- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC. 
+ +### GPO\_DOMISO\_IsolatedDomain\_Servers + +- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query: + + `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "3"` + + >**Note:**  This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are devices that are running versions of Windows earlier than Windows Vista and Windows Server 2008. + +- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC. + +### GPO\_DOMISO\_Boundary + +- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query: + + `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "3"` + + >**Note:**  This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are devices that are running versions of Windows earlier than Windows Vista and Windows Server 2008. + +- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_Boundary. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC. + +### GPO\_DOMISO\_Encryption + +- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query: + + `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "3"` + + >**Note:**  This excludes domain controllers (which report a ProductType value of 2). 
Do not include domain controllers in the isolated domain if there are devices that are running versions of Windows earlier than Windows Vista and Windows Server 2008. + +- **Security filter**. This GPO grants Read and Apply permissions in Group Policy only to devices that are members of the group CG\_DOMISO\_Encryption. The GPO also explicitly denies Read and Apply permissions in Group Policy to members of the group CG\_DOMISO\_NO\_IPSEC. diff --git a/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md new file mode 100644 index 0000000000..fff34a12c7 --- /dev/null +++ b/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md 
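Review bot: The WMI filter under every GPO\_DOMISO\_* heading, `select * from Win32_OperatingSystem where Version like "6.%" ...`, matches only 6.x version strings, yet the topics in this patch are marked as applying to Windows 10 and Windows Server 2016 Technical Preview, which report a 10.x `Version` value; as written the filters would exclude exactly the devices the guide targets, so either widen the pattern or say explicitly that the sample queries are carried over from the Windows Vista/Server 2008 guide and must be adjusted. Two wording inconsistencies in the same region: the GPO\_DOMISO\_Firewall security filter says "members of the CG\_DOMISO\_NO\_IPSEC" where every other entry says "members of the group CG\_DOMISO\_NO\_IPSEC", and the GPO\_DOMISO\_Encryption entry alone says "Read and Apply permissions in Group Policy" instead of "Read and Apply Group Policy permissions". Earlier in the hunk, "Only after you have added all of the devices to their zones, ..., you can start changing" should read "can you start changing".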
@@ -0,0 +1,28 @@ +--- +title: Planning Group Policy Deployment for Your Isolation Zones (Windows 10) +description: Planning Group Policy Deployment for Your Isolation Zones +ms.assetid: ea7c0acd-af28-4347-9d4a-4801b470557c +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Planning Group Policy Deployment for Your Isolation Zones + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +After you have decided on the best logical design of your isolation environment for the network and device security requirements, you can start the implementation plan. + +You have a list of isolation zones with the security requirements of each. For implementation, you must plan the groups that will hold the device accounts in each zone, the network access groups that will be used to determine who can access an isolated server, and the GPOs with the connection security and firewall rules to apply to corresponding groups. Finally you must determine how you will ensure that the policies will only apply to the correct devices within each group. + +- [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md) + +- [Planning Network Access Groups](planning-network-access-groups.md) + +- [Planning the GPOs](planning-the-gpos.md) + +- [Planning GPO Deployment](planning-gpo-deployment.md) diff --git a/windows/keep-secure/planning-isolation-groups-for-the-zones.md b/windows/keep-secure/planning-isolation-groups-for-the-zones.md new file mode 100644 index 0000000000..b4f667a50b --- /dev/null +++ b/windows/keep-secure/planning-isolation-groups-for-the-zones.md 
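Review bot: The overview paragraph in planning-group-policy-deployment-for-your-isolation-zones.md lists three planning items in one sentence and then adds "Finally you must determine how you will ensure that the policies will only apply to the correct devices within each group" without a comma after "Finally"; it also leaves the reader to guess that the fourth item corresponds to the last link, so consider wording it as "Finally, you must determine how to ensure that each GPO applies only to the correct devices within each group (see Planning GPO Deployment)" so the sentence and the link list line up.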
@@ -0,0 +1,39 @@ +--- +title: Planning Isolation Groups for the Zones (Windows 10) +description: Planning Isolation Groups for the Zones +ms.assetid: be4b662d-c1ce-441e-b462-b140469a5695 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Planning Isolation Groups for the Zones + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A device is assigned to a zone by adding its device account to the group which represents that zone. + +>**Caution:**  Do not add devices to your groups yet. If a device is in a group when the GPO is activated then that GPO is applied to the device. If the GPO is one that requires authentication, and the other devices have not yet received their GPOs, the device that uses the new GPO might not be able to communicate with the others. + +Universal groups are the best option to use for GPO assignment because they apply to the whole forest and reduce the number of groups that must be managed. However, if universal groups are unavailable, you can use domain global groups instead. + +The following table lists typical groups that can be used to manage the domain isolation zones discussed in the Woodgrove Bank example in this guide: + +| Group name | Description | +| - | - | +| CG_DOMISO_No_IPsec | A universal group of device accounts that do not participate in the IPsec environment. Typically consists of infrastructure device accounts that will also be included in exemption lists.
This group is used in security group filters to ensure that GPOs with IPsec rules are not applied to group members.| +| CG_DOMISO_IsolatedDomain | A universal group of device accounts that contains the members of the isolated domain.
During the early days of testing, this group might contain only a very small number of devices. During production, it might contain the built-in **Domain Computers** group to ensure that every device in the domain participates.
Members of this group receive the domain isolation GPO that requires authentication for inbound connections.| +| CG_DOMISO_Boundary | A universal group of device accounts that contains the members of the boundary zone.

Members of this group receive a GPO that specifies that authentication is requested, but not required.| +| CG_DOMISO_Encryption | A universal group of device accounts that contains the members of the encryption zone.
Members of this group receive a GPO that specifies that both authentication and encryption are required for all inbound connections. +| CG_SRVISO_*ServerRole* | A universal group of device accounts that contains the members of the server isolation group.
Members of this group receive the server isolation GPO that requires membership in a network access group in order to connect.
There will be one group for each set of servers that have different user and device restriction requirements. | + +Multiple GPOs might be delivered to each group. Which one actually becomes applied depends on the security group filters assigned to the GPOs in addition to the results of any WMI filtering assigned to the GPOs. Details of the GPO layout are discussed in the section [Planning the GPOs](planning-the-gpos.md). + +If multiple GPOs are assigned to a group, and similar rules are applied, the rule that most specifically matches the network traffic is the one that is used by the device. For example, if one IPsec rule says to request authentication for all IP traffic, and a second rule from a different GPO says to require authentication for IP traffic to and from a specific IP address, then the second rule takes precedence because it is more specific. + +**Next: **[Planning Network Access Groups](planning-network-access-groups.md) + diff --git a/windows/keep-secure/planning-network-access-groups.md b/windows/keep-secure/planning-network-access-groups.md new file mode 100644 index 0000000000..4d9b002e7c --- /dev/null +++ b/windows/keep-secure/planning-network-access-groups.md 
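Review bot: The group table in planning-isolation-groups-for-the-zones.md will not render as a table: several cells contain hard line breaks (for example the CG_DOMISO_IsolatedDomain and CG_SRVISO_*ServerRole* descriptions), and the CG_DOMISO_Encryption row ends with "required for all inbound connections." with no closing `|`; join each description onto one line (or use `<br>`) and add the missing pipe. The group name is also spelled `CG_DOMISO_No_IPsec` here but `CG\_DOMISO\_NO\_IPSEC` in the planning-gpo-deployment.md hunk of this same patch; pick one casing. The CG_DOMISO_IsolatedDomain row says members "receive the domain isolation GPO that requires authentication for inbound connections", directly below a Caution that the GPOs must first be deployed in request mode; saying "requests (and, once deployment is verified, requires) authentication" would avoid contradicting it. Finally, `**Next: **` has a space before the closing `**`, so it will not render as bold; this pattern recurs in the other new topics.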
@@ -0,0 +1,33 @@ +--- +title: Planning Network Access Groups (Windows 10) +description: Planning Network Access Groups +ms.assetid: 56ea1717-1731-4a5d-b277-5a73eb86feb0 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Planning Network Access Groups + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +A network access group (NAG) is used to identify users and devices that have permission to access an isolated server. The server is configured with firewall rules that allow only network connections that are authenticated as originating from a device, and optionally a user, whose accounts are members of its NAG. A member of the isolated domain can belong to as many NAGs as required. + +Minimize the number of NAGs to limit the complexity of the solution. You need one NAG for each server isolation group to restrict the devices or users that are granted access. You can optionally split the NAG into two different groups: one for authorized devices and one for authorized users. + +The NAGs that you create and populate become active by referencing them in the **Users and Computers** tab of the firewall rules in the GPO assigned to the isolated servers. The GPO must also contain connection security rules that require authentication to supply the credentials checked for NAG membership. + +For the Woodgrove Bank scenario, access to the devices running SQL Server that support the WGBank application are restricted to the WGBank front-end servers and to approved administrative users logged on to specific authorized administrative devices. They are also only accessed by the approved admin users and the service account that is used to the run the WGBank front end service. + +| NAG Name | NAG Member Users, Computers, or Groups | Description | +| - | - | - | +| CG_NAG_*ServerRole*_Users| Svr1AdminA
Svr1AdminB
Group_AppUsers
AppSvcAccount| This group is for all users who are authorized to make inbound IPsec connections to the isolated servers in this zone.| +| CG_NAG_*ServerRole*_Computers| Desktop1
Desktop2
AdminDT1
AppAdminDT1| This group contains all devices that are authorized to make inbound IPsec connections to the isolated servers in this zone.| + +>**Note:**  Membership in a NAG does not control the level of IPsec traffic protection. The IKE negotiation is only aware of whether the device or user passed or failed the Kerberos V5 authentication process. The connection security rules in the applied GPO control the security methods that are used for protecting traffic and are independent of the identity being authenticated by Kerberos V5. + +**Next: **[Planning the GPOs](planning-the-gpos.md) diff --git a/windows/keep-secure/planning-server-isolation-zones.md b/windows/keep-secure/planning-server-isolation-zones.md new file mode 100644 index 0000000000..12688b93c9 --- /dev/null +++ b/windows/keep-secure/planning-server-isolation-zones.md 
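Review bot: In the Woodgrove paragraph of planning-network-access-groups.md, "access to the devices running SQL Server ... are restricted" should be "is restricted", and "the service account that is used to the run the WGBank front end service" has a stray "the"; the second sentence ("They are also only accessed by the approved admin users and the service account") largely repeats the first and could be folded into it. The NAG table has the same multi-line-cell problem as the isolation groups table (the member lists Svr1AdminA / Svr1AdminB / ... are split across lines inside one cell), so the rows will not render; put the members on one line separated by commas or `<br>`.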
@@ -0,0 +1,74 @@ +--- +title: Planning Server Isolation Zones (Windows 10) +description: Planning Server Isolation Zones +ms.assetid: 5f63c929-589e-4b64-82ea-515d62765b7b +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Planning Server Isolation Zones + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Sometimes a server hosts data that is sensitive. If your servers host data that must not be compromised, you have several options to help protect that data. One was already addressed: adding the server to the encryption zone. Membership in that zone prevents the server from being accessed by any devices that are outside the isolated domain, and encrypts all network connections to server. + +The second option is to additionally restrict access to the server, not just to members of the isolated domain, but to only those users or devices who have business reasons to access the resources on the server. You can specify only approved users, or you can additionally specify that the approved users can only access the server from approved devices. + +To grant access, you add the approved user and device accounts to network access groups (NAGs) that are referenced in a firewall rule on this server. When the user sends a request to the server, the standard domain isolation rules are invoked. This causes IKE to use Kerberos V5 to exchange credentials with the server. The additional firewall rule on the server causes Windows to check the provided device and user accounts for group membership in the NAGs. If either the user or device is not a member of a required NAG then the network connection is refused. + +## Isolated domains and isolated servers + +If you are using an isolated domain, the client devices already have the IPsec rules to enable them to authenticate traffic when the server requires it. 
If you add an isolated server, it must have a GPO applied to its group with the appropriate connection security and firewall rules. The rules enforce authentication and restrict access to only connections that are authenticated as coming from an authorized device or user. + +If you are not using an isolated domain, but still want to isolate a server that uses IPsec, you must configure the client devices that you want to access the server to use the appropriate IPsec rules. If the client devices are members of an Active Directory domain, you can still use Group Policy to configure the clients. Instead of applying the GPO to the whole domain, you apply the GPO to only members of the NAG. + +## Creating multiple isolated server zones + +Each set of servers that must be accessed by different sets of users should be set up in its own isolated server zone. After one set of GPOs for one isolated server zone has been successfully created and verified, you can copy the GPOs to a new set. You must change the GPO names to reflect the new zone, the name and membership of the isolated server zone group to which the GPOs are applied, and the names and membership of the NAG groups that determine which clients can access the servers in the isolated server zone. + +## Creating the GPOs + +Creation of the groups and how to link them to the GPOs that apply the rules to members of the groups are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. + +An isolated server is often a member of the encryption zone. Therefore, copying that GPO set serves as a good starting point. You then modify the rules to additionally restrict access to only NAG members. 
+ +### GPO settings for isolated servers running at least Windows Server 2008 + +GPOs for devices running at least Windows Server 2008 should include the following: + +>**Note:**  The connection security rules described here are identical to the ones for the encryption zone. If you do not want to encrypt access and also restrict access to NAG members, you can use connection security rules identical to the main isolated domain. You must still add the firewall rule described at the end of this list to change it into an isolated server zone. + +- IPsec default settings that specify the following options: + + 1. Exempt all ICMP traffic from IPsec. + + 2. Key exchange (main mode) security methods and algorithm. We recommend that you do not include Diffie-Hellman Group 1, DES, or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. + + 3. Data protection (quick mode) algorithm combinations. Check **Require encryption for all connection security rules that use these settings**, and then specify one or more integrity and encryption combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. + + If any NAT devices are present on your networks, do not use AH because it cannot traverse NAT devices. If isolated servers must communicate with hosts in the encryption zone, include an algorithm that is compatible with the requirements of the encryption zone GPOs. + + 4. Authentication methods. Include at least device-based Kerberos V5 authentication for compatibility with the rest of the isolated domain. If you want to restrict access to specific user accounts, also include user-based Kerberos V5 authentication as an optional authentication method. 
Do not make the user-based authentication method mandatory, or else devices that cannot use AuthIP instead of IKE, including Windows XP and Windows Server 2003, cannot communicate. Likewise, if any of your domain isolation members cannot use Kerberos V5, include certificate-based authentication as an optional authentication method. + +- The following connection security and firewall rules: + + - A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. + + - A connection security rule, from **Any IP address** to **Any IP address**, that requires inbound and requests outbound authentication by using Kerberos V5 authentication. + + >**Important:**  Be sure to begin operations by using request in and request out behavior until you are sure that all the devices in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the GPO to require in, request out. + + - A firewall rule that specifies **Allow only secure connections**, **Require encryption**, and on the **Users and Computers** tab includes references to both device and user network access groups. + +- A registry policy that includes the following values: + + - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. 
+ + >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). + +**Next: **[Planning Certificate-based Authentication](planning-certificate-based-authentication.md) diff --git a/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md b/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md new file mode 100644 index 0000000000..4fcbd977dc --- /dev/null +++ b/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md 
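Review bot: In planning-server-isolation-zones.md the connection security rule bullet describes the rule as one "that requires inbound and requests outbound authentication", while the Important note directly beneath it says to begin with request in, request out and only later switch to require in; describing the rule in its initial request/request form and the change to require-in as a later step would match the Caution in the planning-the-gpos.md hunk and avoid a reader deploying require mode on day one. The Note above the list, "If you do not want to encrypt access and also restrict access to NAG members", is ambiguous; "If you want to restrict access to NAG members without also requiring encryption" is what the following sentence implies. Smaller points: "encrypts all network connections to server" should be "to the server", and "A registry policy that includes the following values" introduces a single value (EnablePMTUDiscovery).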
@@ -0,0 +1,50 @@ +--- +title: Planning Settings for a Basic Firewall Policy (Windows 10) +description: Planning Settings for a Basic Firewall Policy +ms.assetid: 4c90df5a-3cbc-4b85-924b-537c2422d735 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Planning Settings for a Basic Firewall Policy + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +After you have identified your requirements, and have the information about the network layout and devices available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the devices. + +The following is a list of the firewall settings that you might consider for inclusion in a basic firewall design, together with recommendations to serve as a starting point for your analysis: + +- **Profile selection**. The firewall rules can be configured for any of the network location profiles that you see in the Network and Sharing Center: **Domain**, **Public**, and **Private**. Most settings are enforced in the Domain profile, without an option for the user to change them. However, you might want to leave the profile settings configurable by the user on devices that can be taken from the organization's physical network and joined to a public or home network. If you lock down the public and private profiles, you might prevent a user from accessing a required network program or service. Because they are not on the organization's network, you cannot fix a connectivity problem by deploying rule changes in a GPO. For each section that follows, consider each profile and apply the rules to those profiles that make sense for your organization. + + >**Important:**  We recommend that on server devices that you set all rules for all profiles to prevent any unexpected profile switch from disrupting network connectivity. 
You might consider a similar practice for your desktop devices, and only support different profiles on portable devices. + +- **Firewall state: On**. We recommend that you prevent the user from turning it off. + +- **Default behavior for Inbound connections: Block**. We recommend that you enforce the default behavior of blocking unsolicited inbound connections. To allow network traffic for a specific program, create an inbound rule that serves as an exception to this default behavior. + +- **Default behavior for Outbound connections: Allow**. We recommend that you enforce the default behavior of allowing outbound connections. + +- **Allow unicast response: Yes**. We recommend that you use the default setting of **Yes** unless you have specific requirements to do otherwise. + +- **Apply local firewall rules: Yes**. We recommend that you allow users to create and use local firewall rules. If you set this to **No**, then when a user clicks **Allow** on the notification message to allow traffic for a new program, Windows does not create a new firewall rule and the traffic remains blocked. + + If you and the IT staff can create and maintain the list of firewall rules for all permitted applications and deploy them by using GPOs then you can set this value to **No**. + +- **Apply local connection security rules: No**. We recommend that you prevent users from creating and using their own connection security rules. Connection failures caused by conflicting rules can be difficult to troubleshoot. + +- **Logging**. We recommend that you enable logging to a file on the local hard disk. Be sure to limit the size, such as 4096 KB, to avoid causing performance problems by filling the user's hard disk. Be sure to specify a folder to which the Windows Firewall service account has write permissions. + +- **Inbound rules**. Create inbound rules for programs that must be able to receive unsolicited inbound network packets from another device on the network. 
Make the rules as specific as possible to reduce the risk of malicious programs exploiting the rules. For example, specify both program and port numbers. Specifying a program ensures that the rule is only active when the program is actually running, and specifying the port number ensures that the program cannot receive unexpected traffic on a different port. + + Inbound rules are common on servers, because they host services to which client devices connect. When you install programs and services on a server, the installation program typically creates and enables the rules for you. Examine the rules to ensure that they do not open up more ports than are required. + + >**Important:**  If you create inbound rules that permit RPC network traffic by using the **RPC Endpoint Mapper** and **Dynamic RPC** rule options, then all inbound RPC network traffic is permitted because the firewall cannot filter network traffic based on the UUID of the destination application. + +- **Outbound rules**. Only create outbound rules to block network traffic that must be prevented in all cases. If your organization prohibits the use of certain network programs, you can support that policy by blocking the known network traffic used by the program. Be sure to test the restrictions before you deploy them to avoid interfering with traffic for needed and authorized programs. + +**Next: **[Planning Domain Isolation Zones](planning-domain-isolation-zones.md) diff --git a/windows/keep-secure/planning-the-gpos.md b/windows/keep-secure/planning-the-gpos.md new file mode 100644 index 0000000000..b22f0497cd --- /dev/null +++ b/windows/keep-secure/planning-the-gpos.md 
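Review bot: The Important note under Profile selection in planning-settings-for-a-basic-firewall-policy.md doubles "that": "We recommend that on server devices that you set all rules for all profiles" should be "We recommend that on server devices you set all rules for all profiles". The Apply local firewall rules bullet recommends Yes and then, one paragraph later, says you can set it to No; stating up front that the recommendation depends on whether IT maintains the full rule list centrally would make the guidance read as one decision rather than two. The Logging bullet's "limit the size, such as 4096 KB" reads better as "limit the log size (for example, to 4096 KB)".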
@@ -0,0 +1,55 @@ +--- +title: Planning the GPOs (Windows 10) +description: Planning the GPOs +ms.assetid: 11949ca3-a11c-4a16-b297-0862432eb5b4 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Planning the GPOs + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +When you plan the GPOs for your different isolation zones, you must complete the layout of the required zones and their mappings to the groups that link the devices to the zones. + +## General considerations + +A few things to consider as you plan the GPOs: + +- Do not allow a device to be a member of more than one isolation zone. A device in more than one zone receives multiple and possibly contradictory GPOs. This can result in unexpected, and difficult to troubleshoot behavior. + + The examples in this guide show GPOs that are designed to prevent the requirement to belong to multiple zones. + +- Ensure that the IPsec algorithms you specify in your GPOs are compatible across all the versions of Windows. The same principle applies to the data integrity and encryption algorithms. We recommend that you include the more advanced algorithms when you have the option of selecting several in an ordered list. The devices will negotiate down from the top of their lists, selecting one that is configured on both devices. + +- The primary difference in your domain isolation GPOs is whether the rules request or require authentication. + + >**Caution:**  It is **critical** that you begin with all your GPOs set to request authentication instead of requiring it. Since the GPOs are delivered to the devices over time, applying a require policy to one device breaks its ability to communicate with another device that has not yet received its policy. Using request mode at the beginning enables devices to continue communicating by using plaintext connections if required. 
After you confirm that your devices are using IPsec where expected, you can schedule a conversion of the rules in the GPOs from requesting to requiring authentication, as required by each zone. + +- Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 only support one network location profile at a time. If you add a second network adapter that is connected to a different network, or not connected at all, you could unintentionally change the profile that is currently active on the device. If your GPO specifies different firewall and connection security rules based on the current network location profile, the behavior of how the device handles network traffic will change accordingly. We recommend for stationary devices, such as desktops and servers, that you assign any rule for the device to all profiles. Apply GPOs that change rules per network location to devices that must move between networks, such as your portable devices. Consider creating a separate domain isolation GPO for your servers that uses the same settings as the GPO for the clients, except that the server GPO specifies the same rules for all network location profiles. + + >**Note:**  Devices running Windows 7, Windows Server 2008 R2, and later support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Firewall then enforces only those rules that apply to that network type’s profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network. + +After considering these issues, document each GPO that you require, and the details about the connection security and firewall rules that it needs. 
+ +## Woodgrove Bank example GPOs + + +The Woodgrove Bank example uses the following set of GPOs to support its domain isolation requirements. This section only discusses the rules and settings for server and domain isolation. GPO settings that affect which devices receive the GPO, such as security group filtering and WMI filtering, are discussed in the [Planning GPO Deployment](planning-gpo-deployment.md) section. + +In this section you can find information about the following: + +- [Firewall GPOs](firewall-gpos.md) + +- [Isolated Domain GPOs](isolated-domain-gpos.md) + +- [Boundary Zone GPOs](boundary-zone-gpos.md) + +- [Encryption Zone GPOs](encryption-zone-gpos.md) + +- [Server Isolation GPOs](server-isolation-gpos.md) diff --git a/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md new file mode 100644 index 0000000000..1801d2a86a --- /dev/null +++ b/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md 
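Review bot: In the General considerations list of planning-the-gpos.md, the algorithms bullet opens with "Ensure that the IPsec algorithms you specify in your GPOs are compatible across all the versions of Windows" and then says "The same principle applies to the data integrity and encryption algorithms", which leaves "the same principle" without a distinct referent; naming the main mode (key exchange) algorithms in the first sentence would fix that. Also: "Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 only support one network location profile" should be "supports"; "unexpected, and difficult to troubleshoot behavior" should be "unexpected and difficult-to-troubleshoot behavior"; and there is a doubled blank line after the "## Woodgrove Bank example GPOs" heading.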
@@ -0,0 +1,48 @@ +--- +title: Planning to Deploy Windows Firewall with Advanced Security (Windows 10) +description: Planning to Deploy Windows Firewall with Advanced Security +ms.assetid: 891a30c9-dbf5-4a88-a279-00662b9da48e +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Planning to Deploy Windows Firewall with Advanced Security + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +After you collect information about your environment and decide on a design by following the guidance in the [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Firewall with Advanced Security in your organization. + +## Reviewing your Windows Firewall with Advanced Security Design + +If the design team that created the Windows Firewall with Advanced Security design for your organization is different from the deployment team that will implement it, make sure that the deployment team reviews the final design with the design team. Review the following points: + +- The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Firewall with Advanced Security Design Guide: + + - [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md) + + - [Planning the GPOs](planning-the-gpos.md) + + - [Planning GPO Deployment](planning-gpo-deployment.md) + +- The communication to be allowed between members of each of the zones in the isolated domain and devices that are not part of the isolated domain or members of the isolated domain's exemption list. 
+ +- The recommendation that domain controllers are exempted from IPsec authentication requirements. If they are not exempt and authentication fails, then domain clients might not be able to receive Group Policy updates to the IPsec connection security rules from the domain controllers. + +- The rationale for configuring all IPsec authentication rules to request, not require, authentication until the successful negotiation of IPsec has been confirmed. If the rules are set to require authentication before confirming that authentication is working correctly, then communications between devices might fail. If the rules are set to request authentication only, then an IPsec authentication failure results in fall-back-to-clear behavior, so communications can continue while the authentication failures are investigated. + +- The requirement that all devices that must communicate with each other share a common set of: + + - Authentication methods + + - Main mode key exchange algorithms + + - Quick mode data integrity algorithms + + If at least one set of each does not match between two devices, then the devices cannot successfully communicate. + +After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Firewall with Advanced Security design. For more information, see [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md). diff --git a/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md b/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md new file mode 100644 index 0000000000..c800eca94d --- /dev/null +++ b/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md 
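Review bot: The first review point in planning-to-deploy-windows-firewall-with-advanced-security.md says the filters "will determine which devices apply to which GPO"; GPOs apply to devices, so this should read "which GPOs apply to which devices". The list of settings that all communicating devices must share names authentication methods, main mode key exchange algorithms and quick mode data integrity algorithms but omits quick mode encryption algorithms, which must also match for the encryption zone (the planning-server-isolation-zones.md hunk in this patch tells readers to "include an algorithm that is compatible with the requirements of the encryption zone GPOs"); add a fourth item such as "Quick mode data encryption algorithms, for zones that require encryption".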
@@ -0,0 +1,91 @@ +--- +title: Planning Your Windows Firewall with Advanced Security Design (Windows 10) +description: Planning Your Windows Firewall with Advanced Security Design +ms.assetid: f3ac3d49-ef4c-4f3c-a16c-e107284e169f +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Planning Your Windows Firewall with Advanced Security Design + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. + +## Basic firewall design + +We recommend that you deploy at least the basic firewall design. As discussed in the [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) section, host-based firewalls are an important element in a defense-in-depth strategy and complement most other security measures you put in place in your organization. + +When you are ready to examine the options for firewall policy settings, see the [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) section. + +## Algorithm and method support and selection + +To create a domain isolation or server isolation design, you must understand the algorithms available in each version of Windows, as well as their relative strengths. + +## IPsec performance considerations + +Although IPsec is critically important in securing network traffic going to and from your devices, there are costs associated with its use. The mathematically intensive cryptographic algorithms require a significant amount of computing power, which can prevent your device from making use of all of the available bandwidth. 
For example, an IPsec-enabled device using the AES encryption protocols on a 10 gigabits per second (Gbps) network link might see a throughput of 4.5 Gbps. This is due to the demands placed on the CPU to perform the cryptographic functions required by the IPsec integrity and encryption algorithms. + +IPsec task offload is a Windows technology that supports network adapters equipped with dedicated cryptographic processors to perform the computationally intensive work required by IPsec. This frees up a device’s CPU and can dramatically increase network throughput. For the same network link as above, the throughput with IPsec task offload enabled improves to about 9.2 Gbps. + +## Domain isolation design + + +Include this design in your plans: + +- If you have an Active Directory domain of which most of the devices are members. + +- If you want to prevent the devices in your organization from accepting any unsolicited network traffic from devices that are not part of the domain. + +If you plan on including the basic firewall design as part of your deployment, we recommend that you deploy the firewall policies first to confirm that they work properly. Also plan to enable your connection security rules in request mode at first, instead of the more restrictive require mode, until you are sure that the devices are all correctly protecting network traffic with IPsec. If something is wrong, request mode still allows communications to continue while you are troubleshooting. + +When you are ready to examine the options for creating an isolated domain, see the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section. + +## Server isolation design + + +Include this design in your plans: + +- If you have an isolated domain and you want to additionally restrict access to specific servers to only authorized users and devices. + +- You are not deploying an isolated domain, but want to take advantage of similar benefits for a few specific servers. 
You can restrict access to the isolated servers to only authorized users and devices. + +If you plan to include domain isolation in your deployment, we recommend that you complete that layer and confirm its correct operation before you implement the additional server isolation elements. + +When you are ready to examine the options for isolating servers, see the [Planning Server Isolation Zones](planning-server-isolation-zones.md) section. + +## Certificate-based authentication design + + +Include this design in your plans: + +- If you want to implement some of the elements of domain or server isolation on devices that are not joined to an Active Directory domain, or do not want to use domain membership as an authentication mechanism. + +- You have an isolated domain and want to include a server that is not a member of the Active Directory domain because the device is not running Windows, or for any other reason. + +- You must enable external devices that are not managed by your organization to access information on one of your servers, and want to do this in a secure way. + +If you plan to include domain or server isolation in your deployment, we recommend that you complete those elements and confirm their correct operation before you add certificate-based authentication to the devices that require it. + +When you are ready to examine the options for using certificate-based authentication, see the [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) section. + +## Documenting your design + + +After you finish selecting the designs that you will use, you must assign each of your devices to the appropriate isolation zone and document the assignment for use by the deployment team. 
+ +- [Documenting the Zones](documenting-the-zones.md) + +## Designing groups and GPOs + + +After you have selected a design and assigned your devices to zones, you can begin laying out the isolation groups for each zone, the network access groups for isolated server access, and the GPOs that you will use to apply the settings and rules to your devices. + +When you are ready to examine the options for the groups, filters, and GPOs, see the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. + +**Next: **[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) diff --git a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md index b5dae385ac..4eaf0224ec 100644 --- a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Windows Defender Advanced Threat Protection portal overview description: Use the Windows Defender ATP portal to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches. keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines view, preferences setup, client onboarding, advanced attacks search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: DulceMV --- diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md index 74cebb3914..d377aafd3e 100644 --- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md 
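Review bot: The closing line `**Next: **[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)` has a space inside the closing `**`, so the bold will not render; write `**Next:** [Planning Settings ...]`. Two content points in the same hunk: the "Algorithm and method support and selection" section stops after one sentence and, unlike every other section in this topic, gives no "see the ... section" link to where the algorithms are compared; and the IPsec throughput figures (4.5 Gbps without offload, about 9.2 Gbps with IPsec task offload on a 10 Gbps link) are presented as measurements with no source or hardware named, so either cite where they come from or mark them as illustrative. The single-item list under "Documenting your design" ("- [Documenting the Zones](documenting-the-zones.md)") also lacks the lead-in sentence the other sections use.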
+++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md @@ -3,7 +3,7 @@ title: Prepare people to use Microsoft Passport (Windows 10) description: When you set a policy to require Microsoft Passport in the workplace, you will want to prepare people in your organization. ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B keywords: identity, PIN, biometric, Hello -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md index 56db3e6526..c30af5a4c1 100644 --- a/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -2,17 +2,22 @@ title: Prepare your organization for BitLocker Planning and policies (Windows 10) description: This topic for the IT professional explains how can you plan your BitLocker deployment. ms.assetid: 6e3593b5-4e8a-40ac-808a-3fdbc948059d -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Prepare your organization for BitLocker: Planning and policies + **Applies to** - Windows 10 + This topic for the IT professional explains how can you plan your BitLocker deployment. + When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following topics will help you collect information that you can use to frame your decision-making process about deploying and managing BitLocker systems. + - [Audit your environment](#bkmk-audit) - [Encryption keys and authentication](#bkk-encrypt) - [TPM hardware configurations](#bkmk-tpmconfigurations) 
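Review bot: In the BitLocker planning hunk, "explains how can you plan your BitLocker deployment" is ungrammatical in both the `description:` front-matter line and the new intro line; it should read "explains how you can plan your BitLocker deployment" in both places.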
@@ -23,244 +28,203 @@ When you design your BitLocker deployment strategy, define the appropriate polic - [Active Directory Domain Services considerations](#bkmk-addscons) - [FIPS support for recovery password protector](#bkmk-fipssupport) - [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) + ## Audit your environment + To plan your enterprise deployment of BitLocker, you must first understand your current environment. Conduct an informal audit to define your current policies, procedures, and hardware environment. Begin by reviewing your existing corporate security policies as they relate to disk encryption software. If your organization is not currently using disk encryption software, none of these policies will exist. If you are using disk encryption software, then you might need to modify your organization's policies to address the capabilities of BitLocker. + Use the following questions to help you document your organization's current disk encryption security policies: + 1. Are there policies to address which computers will use BitLocker and which computers will not use BitLocker? 2. What policies exist to control recovery password and recovery key storage? 3. What are the policies for validating the identity of users that need to perform BitLocker recovery? 4. What policies exist to control who in the organization has access to recovery data? 5. What policies exist to control computer decommissioning or retirement? + ## Encryption keys and authentication + BitLocker helps prevent unauthorized access to data on lost or stolen computers by: + - Encrypting the entire Windows operating system volume on the hard disk. - Verifying the boot process integrity. + The trusted platform module (TPM)is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. 
+ In addition, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device, such as a flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented. + On computers that do not have a TPM version 1.2 or higher, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM. + **BitLocker key protectors** - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Key protectorDescription

TPM

A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM version 1.2 or higher.

PIN

A user-entered numeric key protector that can only be used in addition to the TPM.

Enhanced PIN

A user-entered alphanumeric key protector that can only be used in addition to the TPM.

Startup key

An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.

Recovery password

A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard, if the numbers on the normal keyboard are not responding you can always use the function keys (F1-F10) to input the numbers.

Recovery key

An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.

+ +| Key protector | Description | +| - | - | +| TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM version 1.2 or higher.| +| PIN | A user-entered numeric key protector that can only be used in addition to the TPM.| +| Enhanced PIN | A user-entered alphanumeric key protector that can only be used in addition to the TPM.| +| Startup key | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.| +| Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard, if the numbers on the normal keyboard are not responding you can always use the function keys (F1-F10) to input the numbers.| +| Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.|   **BitLocker authentication methods** - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Authentication methodRequires user interactionDescription

TPM only

No

TPM validates early boot components.

TPM + PIN

Yes

TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM will enter lockout if the incorrect PIN is entered repeatedly to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.

TPM + Network key

No

The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication.

TPM + startup key

Yes

The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.

Startup key only

Yes

The user is prompted to insert the USB flash drive that holds the recovery key and/or startup key and reboot the computer.

+ +| Authentication method | Requires user interaction | Description | +| - | - | - | +| TPM only| No| TPM validates early boot components.| +| TPM + PIN | Yes| TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM will enter lockout if the incorrect PIN is entered repeatedly to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.| +| TPM + Network key | No | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. | +| TPM + startup key| Yes| The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.| +| Startup key only | Yes| The user is prompted to insert the USB flash drive that holds the recovery key and/or startup key and reboot the computer.|   **Will you support computers without TPM version 1.2 or higher?** + Determine whether you will support computers that do not have a TPM version 1.2 or higher in your environment. If you choose to support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This requires additional support processes similar to multifactor authentication. + **What areas of your organization need a baseline level of data protection?** + The TPM-only authentication method will provide the most transparent user experience for organizations that need a baseline level of data protection to meet security policies. It has the lowest total cost of ownership. TPM-only might also be more appropriate for computers that are unattended or that must reboot unattended. + However, TPM-only authentication method offers the lowest level of data protection. 
This authentication method protects against attacks that modify early boot components, but the level of protection can be affected by potential weaknesses in hardware or in the early boot components. BitLocker’s multifactor authentication methods significantly increase the overall level of data protection. + **What areas of your organization need a more secure level of data protection?** + If there are areas of your organization where data residing on user computers is considered highly-sensitive, consider the best practice of deploying BitLocker with multifactor authentication on those systems. Requiring the user to input a PIN significantly increases the level of protection for the system. You can also use BitLocker Network Unlock to allow these computers to automatically unlock when connected to a trusted wired network that can provide the Network Unlock key. + **What multifactor authentication method does your organization prefer?** + The protection differences provided by multifactor authentication methods cannot be easily quantified. Consider each authentication method's impact on Helpdesk support, user education, user productivity, and automated systems management processes. + ## TPM hardware configurations + In your deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM of your choice, so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment. + ### TPM states of existence + For each of the TPM states of existence, the TPM can transition into another state (for example, moving from disabled to enabled). The states are not exclusive. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
StateDescription

Enabled

Most features of the TPM are available.

-

The TPM may be enabled and disabled multiple times within a boot period, if ownership is taken.

Disabled

The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and to perform hashing and basic initialization.

-

The TPM may be enabled and disabled multiple times within a boot period.

Activated

Most features of the TPM are available. The TPM may be activated and deactivated only through physical presence which requires a reboot.

Deactivated

Similar to disabled, with the exception that ownership can be taken while deactivated and enabled. The TPM may be activated and deactivated only through physical presence which requires a reboot.

Owned

Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data.

Un-owned

The TPM does not have a storage root key and may or may not have an endorsement key.

+ +| State | Description | +| - | - | +| Enabled| Most features of the TPM are available.
The TPM may be enabled and disabled multiple times within a boot period, if ownership is taken.| +| Disabled | The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and to perform hashing and basic initialization.
The TPM may be enabled and disabled multiple times within a boot period.| +| Activated| Most features of the TPM are available. The TPM may be activated and deactivated only through physical presence which requires a reboot.| +| Deactivated| Similar to disabled, with the exception that ownership can be taken while deactivated and enabled. The TPM may be activated and deactivated only through physical presence which requires a reboot.| +| Owned| Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data.| +| Un-owned| The TPM does not have a storage root key and may or may not have an endorsement key.|   -**Important**   -BitLocker cannot use the TPM until it is in the following state: enabled, activated, and owned. When the TPM is in this state and only when it is in this state, all operations are available. +>**Important:**  BitLocker cannot use the TPM until it is in the following state: enabled, activated, and owned. When the TPM is in this state and only when it is in this state, all operations are available.   The state of the TPM exists independent of the computer’s operating system. Once the TPM is enabled, activated, and owned, the state of the TPM is preserved if the operating system is reinstalled. + ### Endorsement keys + For a TPM to be usable by BitLocker, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and is never revealed or accessible outside the TPM. If the TPM does not contain an endorsement key, BitLocker will force the TPM to generate one automatically as part of BitLocker setup. + An endorsement key can be created at various points in the TPM’s lifecycle, but needs to be created only once for the lifetime of the TPM. If an endorsement key does not exist for the TPM, it must be created before TPM ownership can be taken. 
+ For more information about the TPM and the TCG, see the Trusted Computing Group: Trusted Platform Module (TPM) Specifications (). + ## Non-TPM hardware configurations + Devices that do not include a TPM can still be protected by drive encryption. Windows To Go workspaces can be BitLocker protected using a startup password and PCs without a TPM can use a startup key. + Use the following questions to identify issues that might affect your deployment in a non-TPM configuration: + - Are password complexity rules in place? - Do you have budget for USB flash drives for each of these computers? - Do your existing non-TPM devices support USB devices at boot time? + Test your individual hardware platforms with the BitLocker system check option while you are enabling BitLocker. The system check will ensure that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume. CD and DVD drives cannot act as a block storage device and cannot be used to store the BitLocker recovery material. + ## Disk configuration considerations + To function correctly, BitLocker requires a specific disk configuration. BitLocker requires two partitions that meet the following requirements: + - The operating system partition contains the operating system and its support files; it must be formatted with the NTFS file system - The system partition (or boot partition) contains the files that are needed to load Windows after the BIOS or UEFI firware has prepared the system hardware. BitLocker is not enabled on this partition. For BitLocker to work, the system partition must not be encrypted and must be on a different partition than the operating system. On UEFI platforms the system partition must be formatted with the FAT 32 file system. On BIOS platforms the system partition must be formatted with the NTFS file system. 
It should be at least 350 MB in size + Windows setup will automatically configure the disk drives of your computer to support BitLocker encryption. + Windows Recovery Environment (Windows RE) is an extensible recovery platform that is based on Windows Pre-installation Environment (Windows PE). When the computer fails to start, Windows automatically transitions into this environment, and the Startup Repair tool in Windows RE automates the diagnosis and repair of an unbootable Windows installation. Windows RE also contains the drivers and tools that are needed to unlock a volume protected by BitLocker by providing a recovery key or recovery password. To use Windows RE in conjunction with BitLocker, the Windows RE boot image must reside on a volume that is not protected by BitLocker. + Windows RE can also be used from boot media other than the local hard disk. If you choose not to install Windows RE on the local hard disk of BitLocker-enabled computers, you can use alternate boot methods, such as Windows Deployment Services, CD-ROM, or USB flash drive, for recovery. + ## BitLocker provisioning + In Windows Vista and Windows 7, BitLocker was provisioned post installation for system and data volumes through either the manage-bde command line interface or the Control Panel user interface. With newer operating systems, BitLocker can be easily provisioned before the operating system is installed. Preprovisioning requires that the computer have a TPM. + To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet or Windows Explorer. A status of "Waiting For Activation" with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not protected and needs to have a secure key added to the volume before the drive is considered fully protected. 
Administrators can use the control panel options, manage-bde tool or WMI APIs to add an appropriate key protector and the volume status will be updated. + When using the control panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then the drive security window is presented prior to changing the volume status. + Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment (WinPE). This is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk Space Only option this step takes only a few seconds and so incorporates well into regular deployment processes. + ## Used Disk Space Only encryption + The BitLocker Setup wizard provides administrators the ability to choose the Used Disk Space Only or Full encryption method when enabling BitLocker for a volume. Administrators can use the new BitLocker Group Policy setting to enforce either Used Disk Space Only or Full disk encryption. + Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, you are asked to choose the drive encryption type, either Used Disk Space Only or Full drive encryption. + Used Disk Space Only means that only the portion of the drive that contains data will be encrypted, unused space will remain unencrypted. This causes the encryption process to be much faster, especially for new PCs and data drives. 
When BitLocker is enabled with this method as data is added to the drive the portion of the drive used will be encrypted, so there is never unencrypted data stored on the drive. + Full drive encryption means that the entire drive will be encrypted, regardless of whether data is stored on it or not. This is useful for drives that have been repurposed and may contain data remnants from their previous use. + ## Active Directory Domain Services considerations + BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure Group Policy settings to enable backup of BitLocker or TPM recovery information. Before configuring these settings verify that access permissions have been granted to perform the backup. + By default, domain administrators are the only users that will have access to BitLocker recovery information. When you plan your support process, define what parts of your organization need access to BitLocker recovery information. Use this information to define how the appropriate rights will be delegated in your AD DS environment. + It is a best practice to require backup of recovery information for both the TPM and BitLocker to AD DS. You can implement this practice by configuring the Group Policy settings below for your BitLocker-protected computers. - ---- - - - - - - - - - - - - - - - - -
BitLocker Group Policy settingConfiguration

BitLocker Drive Encryption: Turn on BitLocker backup to Active Directory Domain Services

Require BitLocker backup to AD DS (Passwords and key packages)

Trusted Platform Module Services: Turn on TPM backup to Active Directory Domain Services

Require TPM backup to AD DS

+ +| BitLocker Group Policy setting | Configuration | +| - | - | +| BitLocker Drive Encryption: Turn on BitLocker backup to Active Directory Domain Services| Require BitLocker backup to AD DS (Passwords and key packages)| +| Trusted Platform Module Services: Turn on TPM backup to Active Directory Domain Services | Require TPM backup to AD DS|   The following recovery data will be saved for each computer object: + - **Recovery password** + A 48-digit recovery password used to recover a BitLocker-protected volume. Users enter this password to unlock a volume when BitLocker enters recovery mode. + - **Key package data** + With this key package and the recovery password, you will be able decrypt portions of a BitLocker-protected volume if the disk is severely damaged. Each key package will only work with the volume it was created on, which can be identified by the corresponding volume ID. + - **TPM owner authorization password hash** + When ownership of the TPM is taken a hash of the ownership password can be taken and stored in AD DS. This information can then be used to reset ownership of the TPM. + Starting in Windows 8, a change to how the TPM owner authorization value is stored in AD DS was implemented in the AD DS schema. The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 and later schemas. + To take advantage of this integration, you must upgrade your domain controllers to Windows Server 2012 or extend the Active Directory schema and configure BitLocker-specific Group Policy objects. -**Note**   -The account that you use to update the Active Directory schema must be a member of the Schema Admins group. + +>**Note:**  The account that you use to update the Active Directory schema must be a member of the Schema Admins group.   
Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change. + **To support Windows 8 and later computers that are managed by a Windows Server 2003 or Windows 2008 domain controller** + There are two schema extensions that you can copy down and add to your AD DS schema: + - **TpmSchemaExtension.ldf** + This schema extension brings parity with the Windows Server 2012 schema. With this change, the TPM owner authorization information is stored in a separate TPM object linked to the corresponding computer object. Only the Computer object that has created the TPM object can update it. This means that any subsequent updates to the TPM objects will not succeed in dual boot scenarios or scenarios where the computer is reimaged resulting in a new AD computer object being created. To support such scenarios, an update to the schema was created. + - **TpmSchemaExtensionACLChanges.ldf** + This schema update modifies the ACLs on the TPM object to be less restrictive so that any subsequent operating system which takes ownership of the computer object can update the owner authorization value in AD DS. However, this is less secure as any computer in the domain can now update the OwnerAuth of the TPM object (although it cannot read the OwnerAuth) and DOS attacks can be made from within the enterprise. The recommended mitigation in such a scenario is to do regular backup of TPM objects and enable auditing to track changes for these objects. + To download the schema extensions, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). + If you have a Windows Server 2012 domain controller in your environment, the schema extensions are already in place and do not need to be updated. 
-**Caution**   -To configure Group Policy objects to backup TPM and BitLocker information in AD DS at least one of the domain controllers in your forest must be running at least Windows Server 2008 R2. + +>**Caution:**  To configure Group Policy objects to backup TPM and BitLocker information in AD DS at least one of the domain controllers in your forest must be running at least Windows Server 2008 R2. If Active Directory backup of the TPM owner authorization value is enabled in an environment without the required schema extensions, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8 and later.   **Setting the correct permissions in AD DS** + To initialize the TPM successfully so that you can turn on BitLocker requires that the correct permissions for the SELF account in be set in AD DS for the **ms-TPMOwnerInformation** attribute. The following steps detail setting these permissions as required by BitLocker: + 1. Open **Active Directory Users and Computers**. 2. Select the organizational unit (OU) which contains the computer accounts that will have BitLocker turned on. 3. Right-click the OU and click **Delegate Control** to open the **Delegation of Control** wizard. 
@@ -270,26 +234,32 @@ To initialize the TPM successfully so that you can turn on BitLocker requires th 7. On the **Active Directory Object Type** page, choose **Only the following objects in the folder** and then check **Computer Objects** and then click **Next**. 8. On the **Permissions** page, for **Show these permissions**, check **General**, **Property-specific**, and **Creation/deletion of specific child objects**. Scroll down the **Permissions** list and check both **Write msTPM-OwnerInformation** and **Write msTPM-TpmInformationForComputer** then click **Next**. 9. Click **Finish** to apply the permissions settings. + ## FIPS support for recovery password protector + Functionality introduced in Windows Server 2012 R2 and Windows 8.1, allows BitLocker to be fully functional in FIPS mode. -**Note**   -The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. federal government. The FIPS 140 standard defines approved cryptographic algorithms. The FIPS 140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS 140 standard. An implementation of a cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm.  + +>**Note:**  The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. federal government. The FIPS 140 standard defines approved cryptographic algorithms. 
The FIPS 140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS 140 standard. An implementation of a cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm.    Prior to these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. For more information about these issues, see the support article [kb947249](http://support.microsoft.com/kb/947249). + But on computers running these supported systems with BitLocker enabled: + - FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS 140 NIST SP800-132 algorithm. - Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems. - Recovery unlock using the FIPS-compliant algorithm based recovery password protector work in all cases that currently work for recovery passwords. - When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode. - FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode. + The BitLocker Group Policy settings for recovery passwords work the same for all Windows versions that support BitLocker, whether in FIPs mode or not. + However, you cannot use recovery passwords generated on a system in FIPS mode for systems earlier than Windows Server 2012 R2 and Windows 8.1. 
Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 are incompatible with BitLocker on operating systems prior to Windows Server 2012 R2 and Windows 8.1; so recovery keys should be used instead. + ## More information -[Trusted Platform Module](trusted-platform-module-overview.md) -[TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) -[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) -[BitLocker](bitlocker-overview.md) -[BitLocker Group Policy settings](bitlocker-group-policy-settings.md) -[BitLocker basic deployment](bitlocker-basic-deployment.md) -  -  + +- [Trusted Platform Module](trusted-platform-module-overview.md) +- [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) +- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) +- [BitLocker](bitlocker-overview.md) +- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) +- [BitLocker basic deployment](bitlocker-basic-deployment.md) diff --git a/windows/keep-secure/procedures-used-in-this-guide.md b/windows/keep-secure/procedures-used-in-this-guide.md new file mode 100644 index 0000000000..d19699b94b --- /dev/null +++ b/windows/keep-secure/procedures-used-in-this-guide.md 
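Review bot: two typos sit in the added (`+`) lines of the AD DS backup section: the **Key package data** bullet reads "you will be able decrypt portions of a BitLocker-protected volume" (missing "to"), and the "Setting the correct permissions in AD DS" paragraph reads "the correct permissions for the SELF account in be set in AD DS" ("in be set" should be "be set"). Three more slips are in the unchanged context lines that this hunk brushes against and are worth fixing while the file is open: "DOS attacks" in the **TpmSchemaExtensionACLChanges.ldf** bullet should be "DoS attacks" (denial of service), "stored in AD a while in FIPS mode" in the FIPS list looks like a truncation of "AD DS", and "whether in FIPs mode or not" should read "FIPS mode". The security caveat in that ACL bullet (any domain computer can overwrite the TPM object's OwnerAuth after the ACL change, so back up the TPM objects and enable auditing) is the right warning; it just needs the spelling fixed.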
@@ -0,0 +1,92 @@ +--- +title: Procedures Used in This Guide (Windows 10) +description: Procedures Used in This Guide +ms.assetid: 45c0f549-e4d8-45a3-a600-63e2a449e178 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Procedures Used in This Guide + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order. + +- [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md) + +- [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) + +- [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) + +- [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md) + +- [Configure Authentication Methods](configure-authentication-methods.md) + +- [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md) + +- [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md) + +- [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md) + +- [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md) + +- [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md) + +- [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md) + +- [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) + +- [Confirm That Certificates Are Deployed 
Correctly](confirm-that-certificates-are-deployed-correctly.md) + +- [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) + +- [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) + +- [Create a Group Policy Object](create-a-group-policy-object.md) + +- [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md) + +- [Create an Authentication Request Rule](create-an-authentication-request-rule.md) + +- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md) + +- [Create an Inbound Port Rule](create-an-inbound-port-rule.md) + +- [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) + +- [Create an Outbound Port Rule](create-an-outbound-port-rule.md) + +- [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md) + +- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md) + +- [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) + +- [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md) + +- [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md) + +- [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md) + +- [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) + +- [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) + +- [Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md) + +- [Open the Group Policy Management Console to Windows Firewall](open-the-group-policy-management-console-to-windows-firewall.md) + +- [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) + +- [Open Windows Firewall with Advanced 
Security](open-windows-firewall-with-advanced-security.md) + +- [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md) + +- [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md) + +- [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md) diff --git a/windows/keep-secure/profile-single-process.md b/windows/keep-secure/profile-single-process.md index bcdfcfa6c0..0dce3bdffe 100644 --- a/windows/keep-secure/profile-single-process.md +++ b/windows/keep-secure/profile-single-process.md 
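Review bot: the front matter of the new procedures-used-in-this-guide.md sets `description` to the same text as the title ("Procedures Used in This Guide"), so the topic index and search results get nothing beyond the title; suggest a one-line summary instead, for example the body's own opening sentence ("The procedures in this section appear in the checklists found earlier in this document"). The caveat in the body that the procedures "should be used only in the context of the checklists in which they appear" is the important sentence on this page and should stay as written.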
@@ -2,89 +2,90 @@ title: Profile single process (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Profile single process security policy setting. ms.assetid: c0963de4-4f5e-430e-bfcd-dfd68e66a075 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Profile single process + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Profile single process** security policy setting. + ## Reference + This policy setting determines which users can view a sample performance of an application process. Typically, you do not need this user right to use the performance reporting tools included in the operating system. However, you do need this user right if the system’s monitor components are configured to collect data through Windows Management Instrumentation (WMI). + Constant: SeProfileSingleProcessPrivilege + ### Possible values + - User-defined list of accounts - Administrators - Not Defined + ### Best practices + - This right should not be granted to individual users. It should be granted only for trusted applications that monitor other programs. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings| Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The **Profile single process** user right presents a moderate vulnerability. Attackers with this user right could monitor a computer's performance to help identify critical processes that they might want to attack directly. Attackers may be able to determine what processes run on the computer so that they could identify countermeasures that they may need to avoid, such as anti-virus software or an intrusion-detection system. They could also identify other users who are logged on to a computer. + ### Countermeasure + Ensure that only the local Administrators group is assigned the **Profile single process** user right. 
+ ### Potential impact + If you remove the **Profile single process** user right from the Power Users group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks are not negatively affected. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/profile-system-performance.md b/windows/keep-secure/profile-system-performance.md index c35951cd49..d7b5f3b8fc 100644 --- a/windows/keep-secure/profile-system-performance.md +++ b/windows/keep-secure/profile-system-performance.md 
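Review bot: the **Best practices** bullet and the **Countermeasure** section in profile-single-process.md give different guidance: Best practices says the right "should be granted only for trusted applications that monitor other programs", while Countermeasure says "Ensure that only the local Administrators group is assigned the **Profile single process** user right". Both lines are carried over unchanged, but since this hunk rewrites most of the file it is the moment to reconcile them, for example by stating that Administrators is the default and that any additional service account used by a monitoring application should be added explicitly and documented. The markdown table that replaces the HTML table keeps all six rows and values (Not defined for Default Domain Policy, Administrators for the rest), which agrees with the "By default this setting is Administrators" sentence above it.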
@@ -2,90 +2,92 @@ title: Profile system performance (Windows 10) description: This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for the Profile system performance security policy setting. ms.assetid: ffabc3c5-9206-4105-94ea-84f597a54b2e -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Profile system performance + **Applies to** - Windows 10 + This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for the **Profile system performance** security policy setting. + ## Reference + This security setting determines which users can use Windows performance monitoring tools to monitor the performance of system processes. + Constant: SeSystemProfilePrivilege + ### Possible values + - User-defined list of accounts - Administrators - Not defined + ### Best practices + - Ensure that only the local Administrators group is assigned the **Profile system performance** user right. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + Depending on your version of Windows and your environment, you might need to add this user right to the Local System account or the Local Service account if you encounter access errors when you use the Administrators account. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The **Profile system performance** user right poses a moderate vulnerability. Attackers with this user right could monitor a computer's performance to help identify critical processes that they might want to attack directly. Attackers might also be able to determine what processes are active on the computer so that they could identify countermeasures to avoid, such as anti-virus software or an intrusion detection system. 
+ ### Countermeasure + Ensure that only the local Administrators group is assigned the **Profile system performance** user right. + ### Potential impact + None. Restricting the **Profile system performance** user right to the local Administrators group is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks.md b/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks.md index 1b1c4370f3..197d906dd6 100644 --- a/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks.md +++ b/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks.md @@ -2,7 +2,7 @@ title: Protect BitLocker from pre-boot attacks (Windows 10) description: This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. ms.assetid: 24d19988-fc79-4c45-b392-b39cba4ec86b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md b/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md new file mode 100644 index 0000000000..a24379dacf --- /dev/null +++ b/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md 
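Review bot: the **Potential impact** section in profile-system-performance.md says "None. Restricting the **Profile system performance** user right to the local Administrators group is the default configuration", but the **Policy management** paragraph in the same hunk says "you might need to add this user right to the Local System account or the Local Service account if you encounter access errors when you use the Administrators account". If that Local System/Local Service caveat is real, the impact of restricting the right to Administrators is not "None"; suggest either referencing the caveat from Potential impact or removing it from Policy management. The new markdown table has the same six rows and values as the removed HTML table.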
@@ -0,0 +1,42 @@ +--- +title: Protect Devices from Unwanted Network Traffic (Windows 10) +description: Protect Devices from Unwanted Network Traffic +ms.assetid: 307d2b38-e8c4-4358-ae16-f2143af965dc +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Protect Devices from Unwanted Network Traffic + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall cannot protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable device are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats. + +Reports of targeted attacks against organizations, governments, and individuals have become more widespread in recent years. For a general overview of these threats, also known as advanced persistent threats (APT), see the [Microsoft Security Intelligence Report](http://www.microsoft.com/security/sir/default.aspx). + +Running a host-based firewall on every device that your organization manages is an important layer in a "defense-in-depth" security strategy. A host-based firewall can help protect against attacks that originate from inside the network and also provide additional protection against attacks from outside the network that manage to penetrate the perimeter firewall. It also travels with a portable device to provide protection when it is away from the organization's network. + +A host-based firewall helps secure a device by dropping all network traffic that does not match the administrator-designed rule set for permitted network traffic. 
This design, which corresponds to [Basic Firewall Policy Design](basic-firewall-policy-design.md), provides the following benefits: + +- Network traffic that is a reply to a request from the local device is permitted into the device from the network. + +- Network traffic that is unsolicited, but that matches a rule for allowed network traffic, is permitted into the device from the network. + + For example, Woodgrove Bank wants a device that is running SQL Server to be able to receive the SQL queries sent to it by client devices. The firewall policy deployed to the device that is running SQL Server includes firewall rules that specifically allow inbound network traffic for the SQL Server program. + +- Outbound network traffic that is not specifically blocked is allowed on the network. + + For example, Woodgrove Bank has a corporate policy that prohibits the use of certain peer-to-peer file sharing programs. The firewall policy deployed to the computers on the network includes firewall rules that block both inbound and outbound network traffic for the prohibited programs. All other outbound traffic is permitted. + +The following component is recommended for this deployment goal: + +- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more Group Policy objects (GPOs) that can be automatically applied to all relevant computers in the domain. + +Other means of deploying a firewall policy are available, such as creating scripts that use the netsh command-line tool, and then running those scripts on each computer in the organization. This guide uses Active Directory as a recommended means of deployment because of its ability to scale to very large organizations. + +**Next: **[Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md) 
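Review bot: the last line of the new protect-devices-from-unwanted-network-traffic.md, `**Next: **[Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)`, has a space before the closing `**`, so the bold span will not close and the asterisks render literally; write it as `**Next:** [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)`. Two grammar slips in the first paragraph: "Portable device are often taken outside the network" should be "Portable devices are", and "at that point what can stop it?" refers to the plural "attacks", so "what can stop them?". The framing itself (host-based firewall as a defense-in-depth layer against traffic that gets past the perimeter, against internal sources such as malware on portable media, and for devices used off the corporate network) is accurate and worth keeping as written.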
diff --git a/windows/keep-secure/protect-enterprise-data-using-edp.md b/windows/keep-secure/protect-enterprise-data-using-edp.md index d647af4367..e3da331f91 100644 --- a/windows/keep-secure/protect-enterprise-data-using-edp.md +++ b/windows/keep-secure/protect-enterprise-data-using-edp.md @@ -2,10 +2,11 @@ title: Protect your enterprise data using enterprise data protection (EDP) (Windows 10) description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032 -keywords: ["EDP", "Enterprise Data Protection"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index bc3658f201..61313be105 100644 --- a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md 
@@ -2,232 +2,331 @@ title: Control the health of Windows 10-based devices (Windows 10) description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices. ms.assetid: 45DB1C41-C35D-43C9-A274-3AD5F31FE873 -ms.pagetype: security; devices -keywords: ["security", "BYOD", "malware", "device health attestation", "mobile"] -ms.prod: W10 +keywords: security, BYOD, malware, device health attestation, mobile +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: security, devices author: arnaudjumelet + --- + # Control the health of Windows 10-based devices + **Applies to** + - Windows 10 + This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices. + ## Introduction + In Bring Your Own Device (BYOD) scenarios, employees bring commercially available devices to access both work-related resources and their personal data. Users want to use the device of their choice to access the organization’s applications, data, and resources not only from the internal network but also from anywhere. This phenomenon is also known as the consumerization of IT. + Users want to have the best productivity experience when accessing corporate applications and working on organization data from their devices. That means they will not tolerate being prompted to enter their work credentials each time they access an application or a file server. From a security perspective, it also means that users will manipulate corporate credentials and corporate data on unmanaged devices. + With the increased use of BYOD, there will be more unmanaged and potentially unhealthy systems accessing corporate services, internal resources, and cloud apps. + Even managed devices can be compromised and become harmful. 
Organizations need to detect when security has been breached and react as early as possible in order to protect high-value assets. + As Microsoft moves forward, security investments are increasingly focused on security preventive defenses and also on detection and response capabilities. + Windows 10 is an important component of an end-to-end security solution that focuses not only on the implementation of security preventive defenses, but adds device health attestation capabilities to the overall security strategy. + ## Description of a robust end-to-end security solution + Today’s computing threat landscape is increasing at a speed never encountered before. The sophistication of criminal attacks is growing, and there is no doubt that malware now targets both consumers and professionals in all industries. + During recent years, one particular category of threat has become prevalent: advanced persistent threats (APTs). The term APT is commonly used to describe any attack that seems to target individual organizations on an on-going basis. In fact, this type of attack typically involves determined adversaries who may use any methods or techniques necessary. + With the BYOD phenomena, a poorly maintained device represents a target of choice. For an attacker, it’s an easy way to breach the security network perimeter, gain access to, and then steal high-value assets. + The attackers target individuals, not specifically because of who they are, but because of who they work for. An infected device will bring malware into an organization, even if the organization has hardened the perimeter of networks or has invested in its defensive posture. A defensive strategy is not sufficient against these threats. + ### A different approach + Rather than the traditional focus on the prevention of compromise, an effective security strategy assumes that determined adversaries will successfully breach any defenses. 
It means that it’s necessary to shift focus away from preventative security controls to detection of, and response to, security issues. The implementation of the risk management strategy, therefore, balances investment in prevention, detection, and response. + Because mobile devices are increasingly being used to access corporate information, some way to evaluate device security or health is required. This section describes how to provision device health assessment in such a way that high-value assets can be protected from unhealthy devices. + Devices that are used to access corporate resources must be trusted. An efficient end-to-end security approach is able to evaluate device health and use the current security state when granting access to a high-value asset. + ![figure 1](images/hva-fig1-endtoend1.png) + A robust design needs to establish the user’s identity, strengthen the authentication method if needed, and learn behavior like the network location the user regularly connects from. Also, a modern approach must be able to release sensitive content only if user devices are determined to be healthy and secure. + The following figure shows a solution built to assess device health from the cloud. The device authenticates the user through a connection to an identity provider in the cloud. If the managed asset contains highly confidential information, the conditional access engine of the identity provider may elect to verify the security compliance of the mobile device before access is granted. The user’s device is able to prove its health status that can be sent at any time or when mobile device management (MDM) requests it. + ![figure 2](images/hva-fig2-assessfromcloud2.png) + Windows devices can be protected from low-level rootkits and bootkits by using low-level hardware technologies such as Unified Extensible Firmware Interface (UEFI) Secure Boot. 
+ Secure Boot is a firmware validation process that helps prevent rootkit attacks; it is part of the UEFI specification. The intent of UEFI is to define a standard way for the operating system to communicate with modern hardware, which can perform faster and with more efficient input/output (I/O) functions than older, software interrupt-driven BIOS systems. + A device health attestation module can communicate measured boot data that is protected by a Trusted Platform Module (TPM) to a remote service. After the device successfully boots, boot process measurement data is sent to a trusted cloud service (Health Attestation Service) using a more secure and tamper-resistant communication channel. + Remote health attestation service performs a series of checks on the measurements. It validates security related data points, including boot state (Secure Boot, Debug Mode, and so on), and the state of components that manage security (BitLocker, Device Guard, and so on). It then conveys the health state of the device by sending a health encrypted blob back to the device. + An MDM solution typically applies configuration policies and deploys software to devices. MDM defines the security baseline and knows the level of compliance of the device with regular checks to see what software is installed and what configuration is enforced, as well as determining the health status of the device. + An MDM solution asks the device to send device health information and forward the health encrypted blob to the remote health attestation service. The remote health attestation service verifies device health data, checks that MDM is communicating to the same device, and then issues a device health report back to the MDM solution. + An MDM solution evaluates the health assertions and, depending on the health rules belonging to the organization, can decide if the device is healthy. 
If the device is healthy and compliant, MDM passes that information to the identity provider so the organization’s access control policy can be invoked to grant access. + Access to content is then authorized to the appropriate level of trust for whatever the health status and other conditional elements indicate. + Depending on the requirements and the sensitivity of the managed asset, device health status can be combined with user identity information when processing an access request. Access to content is then authorized to the appropriate level of trust. The Conditional Access engine may be structured to allow additional verification as needed by the sensitivity of the managed asset. For example, if access to high-value data is requested, additional security authentication may need to be established by querying the user to answer a phone call before access is granted. + ### Microsoft’s security investments in Windows 10 + In Windows 10, there are three pillars of investments: + - **Secure identities.** Microsoft is part of the FIDO Alliance which aims to provide an interoperable method of secure authentication by moving away from the use of passwords for authentication, both on the local system as well as for services like on-premises resources and cloud resources. - **Information protection.** Microsoft is making investments to allow organizations to have better control over who has access to important data and what they can do with that data. With Windows 10, organizations can take advantage of policies that specify which applications are considered to be corporate applications and can be trusted to access secure data. - **Threat resistance.** Microsoft is helping organizations to better secure enterprise assets against the threats of malware and attacks by using security defenses relying on hardware. 
+ ### Protect, control, and report on the security status of Windows 10-based devices + This section is an overview that describes different parts of the end-to-end security solution that helps protect high-value assets and information from attackers and malware. + ![figure 3](images/hva-fig3-endtoendoverview3.png) - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NumberPart of the solutionDescription

1

Windows 10-based device

The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.

-

A Windows 10-based device with TPM 2.0 can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.

2

Identity provider

Azure AD contains users, registered devices, and registered application of organization’s tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status.

-

Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that leverages the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.

3

Mobile device management

Windows 10 has MDM support that enables the device to be managed out-of-box without deploying any agent.

-

MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows 10.

4

Remote health attestation

The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows 10 security features are enabled on the device.

-

Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard).

5

Enterprise managed asset

Enterprise managed asset is the resource to protect.

-

For example, the asset can be Office 365, other cloud apps, on-premises web resources published by Azure AD, or even VPN access.

+ +| Number | Part of the solution | Description | +| - | - | - | +| **1** | Windows 10-based device | The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.
A Windows 10-based device with TPM 2.0 can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.| +| **2** | Identity provider | Azure AD contains users, registered devices, and registered application of organization’s tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status.
Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that leverages the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.| +| **3**|Mobile device management| Windows 10 has MDM support that enables the device to be managed out-of-box without deploying any agent.
MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows 10.| +| **4** | Remote health attestation | The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows 10 security features are enabled on the device.
Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard).| +| **5** | Enterprise managed asset | Enterprise managed asset is the resource to protect.
For example, the asset can be Office 365, other cloud apps, on-premises web resources published by Azure AD, or even VPN access.|   The combination of Windows 10-based devices, identity provider, MDM, and remote health attestation creates a robust end-to-end-solution that provides validation of health and compliance of devices that access high-value assets. + ## Protect devices and enterprise credentials against threats + This section describes what Windows 10 offers in terms of security defenses and what control can be measured and reported to. + ### Windows 10 hardware-based security defenses + The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that they can take control of the operating system early and prevent protection mechanisms and antimalware software from working. This type of malicious code is often called a rootkit or bootkit. The best way to avoid having to deal with low-level malware is to secure the boot process so that the device is protected from the very start. Windows 10 supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-req) section. + ![figure 4](images/hva-fig4-hardware.png) + Windows 10 supports features to help prevent sophisticated low-level malware like rootkits and bootkits from loading during the startup process: + - **Trusted Platform Module.** A Trusted Platform Module (TPM) is a hardware component that provides unique security features. + Windows 10 leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation. + A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). 
At the time of this writing, there are two versions of TPM specification produced by TCG that are not compatible with each other: + - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard. - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015. + Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Microsoft Passport, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=733948). + Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0. TPM 2.0 is required for device health attestation. + TPM 2.0 provides a major revision to the capabilities over TPM 1.2: + - Update crypto strength to meet modern security needs + - Support for SHA-256 for PCRs - Support for HMAC command + - Cryptographic algorithms flexibility to support government needs + - TPM 1.2 is severely restricted in terms of what algorithms it can support - TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents + - Consistency across implementations + - The TPM 1.2 specification allows vendors wide latitude when choosing implementation details - TPM 2.0 standardizes much of this behavior + - **Secure Boot.** Devices with UEFI firmware can be configured to load only trusted operating system bootloaders. Secure Boot does not require a TPM. + The most basic protection is the Secure Boot feature, which is a standard part of the UEFI 2.2+ architecture. 
On a PC with conventional BIOS, anyone who can take control of the boot process can boot by using an alternative OS loader, and potentially gain access to system resources. When Secure Boot is enabled, you can boot using only an OS loader that’s signed using a certificate stored in the UEFI Secure Boot DB. Naturally, the Microsoft certificate used to digitally sign the Windows 10 OS loaders are in that store, which allows UEFI to validate the certificate as part of its security policy. Secure Boot must be enabled by default on all computers that are certified for Windows 10 under the Windows Hardware Compatibility Program. + Secure Boot is a UEFI firmware-based feature, which allows for the signing and verification of critical boot files and drivers at boot time. Secure Boot checks signature values of the Windows Boot Manager, BCD store, Windows OS loader file, and other boot critical DLLs at boot time before the system is allowed to fully boot into a usable operating system by using policies that are defined by the OEM at build time. Secure Boot prevents many types of boot-based rootkit, malware, and other security-related attacks against the Windows platform. Secure Boot protects the operating system boot process whether booting from local hard disk, USB, PXE, or DVD, or into full Windows or Windows Recovery Environment (RE). Secure Boot protects the boot environment of a Windows 10 installation by verifying the signatures of the critical boot components to confirm malicious activity did not compromise them. Secure Boot protection ends after the Windows kernel file (ntoskrnl.exe) has been loaded. - **Note**   - Secure Boot protects the platform until the Windows kernel is loaded. Then protections like ELAM take over. + + >**Note:**  Secure Boot protects the platform until the Windows kernel is loaded. Then protections like ELAM take over.   - **Secure Boot configuration policy.** Extends Secure Boot functionality to critical Windows 10 configuration. 
+ Examples of protected configuration information include protecting Disable Execute bit (NX option) or ensuring that the test signing policy (code integrity) cannot be enabled. This ensures that the binaries and configuration of the computer can be trusted after the boot process has completed. Secure Boot configuration policy does this with UEFI policy. These signatures for these policies are signed in the same way that operating system binaries are signed for use with Secure Boot. + The Secure Boot configuration policy must be signed by a private key that corresponds to one of the public keys stored in the Key Exchange Key (KEK) list. The Microsoft Certificate Authority (CA) will be present in the KEK list of all Windows certified Secure Boot systems. By default, a policy signed by the Microsoft KEK shall be work on all Secure Boot systems. BootMgr must verify the signature against the KEK list before applying a signed policy. With Windows 10, the default Secure Boot configuration policy is embedded in bootmgr. + The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and the ELAM component. This step is important and protects the rest of the boot process by verifying that all Windows boot components have integrity and can be trusted. + - **Early Launch Antimalware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading. + Traditional antimalware apps don’t start until after the boot drivers have been loaded, which gives a rootkit that is disguised as a driver the opportunity to work. ELAM is a Windows mechanism introduced in a previous version of Windows that allows antimalware software to run very early in the boot sequence. 
Thus, the antimalware component is the first third-party component to run and control the initialization of other boot drivers until the Windows operating system is operational. When the system is started with a complete runtime environment (network access, storage, and so on), then a full-featured antimalware is loaded. + ELAM can load a Microsoft or non-Microsoft antimalware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the operating system hasn’t started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: Examine every boot driver and determine whether it is on the list of trusted drivers. If it’s not trusted, Windows won’t load it. - **Note**   - Windows Defender, Microsoft's antimalware included by default in Windows 10, supports ELAM; it can be replaced with a third-party antimalware compatible solution. The name of the Windows Defender ELAM driver is WdBoot.sys. Windows Defender in Windows 10 uses its ELAM driver to roll back any malicious changes made to the Windows Defender driver at the next reboot. This prevents kernel mode malware making lasting changes to Windows Defender’s mini-filter driver before shutdown or reboot. + + >**Note:**  Windows Defender, Microsoft's antimalware included by default in Windows 10, supports ELAM; it can be replaced with a third-party antimalware compatible solution. The name of the Windows Defender ELAM driver is WdBoot.sys. Windows Defender in Windows 10 uses its ELAM driver to roll back any malicious changes made to the Windows Defender driver at the next reboot. This prevents kernel mode malware making lasting changes to Windows Defender’s mini-filter driver before shutdown or reboot.   
The ELAM signed driver is loaded before any other third-party drivers or applications, which allows the antimalware software to detect and block any attempts to tamper with the boot process by trying to load unsigned or untrusted code. + The ELAM driver is a small driver with a small policy database that has a very narrow scope, focused on drivers that are loaded early at system launch. The policy database is stored in a registry hive that is also measured to the TPM, to record the operational parameters of the ELAM driver. An ELAM driver must be signed by Microsoft and the associated certificate must contain the complementary EKU (1.3.6.1.4.1.311.61.4.1). - **Virtualization-based security (Hyper-V + Secure Kernel).** Virtualization-based security is a completely new enforced security boundary that allows you to protect critical parts of Windows 10. + Virtualization-based security isolates sensitive code like Kernel Mode Code Integrity or sensitive corporate domain credentials from the rest of the Windows operating system. For more information, refer to the [Virtualization-based security](#virtual) section. + - **Hyper-V Code Integrity (HVCI).** Hyper-V Code Integrity is a feature of Device Guard that ensures only drivers, executables, and DLLs that comply with the Device Guard Code Integrity policy are allowed to run. + When enabled and configured, Windows 10 can start the Hyper-V virtualization-based security services, including Hyper-V Code Integrity (HVCI). HVCI helps protect the system core (kernel), privileged drivers, and system defenses, like antimalware solutions, by preventing malware from running early in the boot process, or after startup. + HVCI uses virtualization-based security to isolate Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification. This means that kernel memory pages can never be Writable and Executable (W+X) and executable code cannot be directly modified. 
- **Note**   - Device Guard devices that run Kernel Mode Code Integrity with virtualization-based security must have compatible drivers. For additional information, please read the [Driver compatibility with Device Guard in Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=691612) blog post. + + >**Note:**  Device Guard devices that run Kernel Mode Code Integrity with virtualization-based security must have compatible drivers. For additional information, please read the [Driver compatibility with Device Guard in Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=691612) blog post.   The Device Guard Code Integrity feature lets organizations control what code is trusted to run into the Windows kernel and what applications are approved to run in user mode. It’s configurable by using a policy. Device Guard Code Integrity policy is a binary file that Microsoft recommends you sign. The signing of the Code Integrity policy aids in the protection against a malicious user with Administrator privileges trying to modify or remove the current Code Integrity policy. + - **Credential Guard.** Credential Guard protects corporate credentials with hardware-based credential isolation. + In Windows 10, Credential Guard aims to protect domain corporate credentials from theft and reuse by malware. With Credential Guard, Windows 10 implemented an architectural change that fundamentally prevents the current forms of the pass-the-hash (PtH) attack. + This is accomplished by leveraging Hyper-V and the new virtualization-based security feature to create a protected container where trusted code and secrets are isolated from the Windows kernel. That means that even if the Windows kernel is compromised an attacker has no way to read and extract the data required to initiate a PtH attack. Credential Guard prevents this because the memory where secrets are stored is no longer accessible from the regular OS, even in kernel mode - the hypervisor controls who can access the memory. 
+ - **Health attestation.** The device’s firmware logs the boot process, and Windows 10 can send it to a trusted server that can check and assess the device’s health. + Windows 10 takes measurements of the UEFI firmware and each of the Windows and antimalware components are made as they load during the boot process. Additionally, they are taken and measured sequentially, not all at once. When these measurements are complete, their values are digitally signed and stored securely in the TPM and cannot be changed unless the system is reset. + For more information, see [Secured Boot and Measured Boot: Hardening Early Boot Components Against Malware](http://go.microsoft.com/fwlink/p/?LinkId=733950). + During each subsequent boot, the same components are measured, which allows comparison of the measurements against an expected baseline. For additional security, the values measured by the TPM can be signed and transmitted to a remote server, which can then perform the comparison. This process, called *remote device health attestation*, allows the server to verify health status of the Windows device. + Health attestation requires the presence of TPM 2.0. On Windows 10, TPM 2.0 also requires UEFI firmware. + Although Secure Boot is a proactive form of protection, health attestation is a reactive form of boot protection. Health attestation ships disabled in Windows and is enabled by an antimalware or an MDM vendor. Unlike Secure Boot, health attestation will not stop the boot process and enter remediation when a measurement does not work. But with conditional access control, health attestation will help to prevent access to high-value assets. + ### Virtualization-based security + Virtualization-based security provides a new trust boundary for Windows 10. leverages Hyper-V hypervisor technology to enhance platform security. Virtualization-based security provides a secure execution environment to run specific Windows trusted code (trustlet) and to protect sensitive data. 
+ Virtualization-based security helps to protect against a compromised kernel or a malicious user with Administrator privileges. Note that virtualization-based security is not trying to protect against a physical attacker. + The following Windows 10 services are protected with virtualization-based security: + - **Credential Guard** (LSA Credential Isolation): prevents pass-the-hash attacks and enterprise credential theft that happens by reading and dumping the content of lsass memory - **Device Guard** (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. - **Other isolated services**: for example, on Windows Server Technical Preview 2016, there is the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers. -**Note**   -Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, x64 processor with Virtualization Extensions and SLAT enabled. IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional, but recommended. + +>**Note:**  Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, x64 processor with Virtualization Extensions and SLAT enabled. IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional, but recommended.   + The schema below is a high-level view of Windows 10 with virtualization-based security. 
+ ![figure 5](images/hva-fig5-virtualbasedsecurity.png) + ### Credential Guard -In Windows 10, when Credential Guard is enabled, Local Security Authority Subsystem Service (lsass.exe) runs sensitive code in an Isolated user mode to help protect data from malware that may be running in the normal user mode. This helps ensure that protected data is not stolen and reused on remote machines, which mitigates many PtH-style attacks. + +In Windows 10, when Credential Guard is enabled, Local Security Authority Subsystem Service (lsass.exe) runs sensitive code in an Isolated user mode to help protect data from malware that may be running in the normal user mode. This helps ensure that protected data is not stolen and reused on +remote machines, which mitigates many PtH-style attacks. + Credential Guard helps protect credentials by encrypting them with either a per-boot or persistent key: + - **The per-boot key** is used for any in-memory credentials that do not require persistence. An example of such a credential would be a ticket-granting ticket (TGT) session key. This key is negotiated with a Key Distribution Center (KDC) every time authentication occurs and is protected with a per-boot key. - **The persistent key**, or some derivative, is used to help protect items that are stored and reloaded after a reboot. Such protection is intended for long-term storage, and must be protected with a consistent key. -Credential Guard is activated by a registry key and then enabled by using an UEFI variable. This is done to protect against remote modifications of the configuration. The use of a UEFI variable implies that physical access is required to change the configuration. When lsass.exe detects that credential isolation is enabled, it then spawns LsaIso.exe as an isolated process, which ensures that it runs within isolated user mode. 
The startup of LsaIso.exe is performed before initialization of a security support provider, which ensures that the secure mode support routines are ready before any authentication begins. +Credential Guard is activated by a registry key and then enabled by using an UEFI variable. This is done to protect against remote modifications of the configuration. The use of a UEFI variable implies that physical access is required to change the configuration. When lsass.exe detects that +credential isolation is enabled, it then spawns LsaIso.exe as an isolated process, which ensures that it runs within isolated user mode. The startup of LsaIso.exe is performed before initialization of a security support provider, which ensures that the secure mode support routines are ready before any authentication begins. + ### Device Guard + Device Guard is a new feature of Windows 10 Enterprise that allows organizations to lock down a device to help protect it from running untrusted software. In this configuration, the only applications allowed to run are those that are trusted by the organization. + The trust decision to execute code is performed by using Hyper-V Code Integrity, which runs in virtualization-based security, a Hyper-V protected container that runs alongside regular Windows. + Hyper-V Code Integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with Administrator privileges. On x64-based versions of Windows 10 kernel-mode drivers must be digitally signed. -**Note**   -Independently of activation of Device Guard Policy, [Windows 10 by default raises the bar for what runs in the kernel](http://go.microsoft.com/fwlink/p/?LinkId=691613). 
Windows 10 drivers must be signed by Microsoft, and more specifically, by the WHQL (Windows Hardware Quality Labs) portal. Additionally, starting in October 2015, the WHQL portal will only accept driver submissions, including both kernel and user mode driver submissions, that have a valid Extended Validation (“EV”) Code Signing Certificate. + +>**Note:**  Independently of activation of Device Guard Policy, [Windows 10 by default raises the bar for what runs in the kernel](http://go.microsoft.com/fwlink/p/?LinkId=691613). Windows 10 drivers must be signed by Microsoft, and more specifically, by the WHQL (Windows Hardware Quality Labs) portal. Additionally, starting in October 2015, the WHQL portal will only accept driver submissions, including both kernel and user mode driver submissions, that have a valid Extended Validation (“EV”) Code Signing Certificate.   With Device Guard in Windows 10, organizations are now able to define their own Code Integrity policy for use on x64 systems running Windows 10 Enterprise. Organizations have the ability to configure the policy that determines what is trusted to run. These include drivers and system files, as well as traditional desktop applications and scripts. The system is then locked down to only run applications that the organization trusts. + Device Guard is a built-in feature of Windows 10 Enterprise that prevents the execution of unwanted code and applications. Device Guard can be configured using two rule actions - allow and deny: + - **Allow** limits execution of applications to an allowed list of code or trusted publisher and blocks everything else. - **Deny** completes the allow trusted publisher approach by blocking the execution of a specific application. + At the time of this writing, and according to Microsoft’s latest research, more than 90 percent of malware is unsigned completely. So implementing a basic Device Guard policy can simply and effectively help block the vast majority of malware. 
In fact, Device Guard has the potential to go further, and can also help block signed malware. + Device Guard needs to be planned and configured to be truly effective. It is not just a protection that is enabled or disabled. Device Guard is a combination of hardware security features and software security features that, when configured together, can lock down a computer to help ensure the most secure and resistant system possible. + There are three different parts that make up the Device Guard solution in Windows 10: + - The first part is a base **set of hardware security features** introduced with the previous version of Windows. TPM for hardware cryptographic operations and UEFI with modern firmware, along with Secure Boot, allows you to control what the device is running when the systems start. - After the hardware security feature, there is the code integrity engine. In Windows 10, **Code Integrity is now fully configurable** and now resides in Isolated user mode, a part of the memory that is protected by virtualization-based security. - The last part of Device Guard is **manageability**. Code Integrity configuration is exposed through specific Group Policy Objects, PowerShell cmdlets, and MDM configuration service providers (CSPs). + For more information on how to deploy Device Guard in an enterprise, see the [Device Guard deployment guide](device-guard-deployment-guide.md). + ### Device Guard scenarios + As previously described, Device Guard is a powerful way to lock down systems. Device Guard is not intended to be used broadly and it may not always be applicable, but there are some high-interest scenarios. -Device Guard is useful and applicable on fixed workloads systems like cash registers, kiosk machines, Secure Admin Workstations (SAWs), or well managed desktops. Device Guard is highly relevant on systems that have very well-defined software that are expected to run and don’t change too frequently. 
It could also help protect Information Workers (IWs) beyond just SAWs, as long as what they need to run is known and the set of applications is not going to change on a daily basis. + +Device Guard is useful and applicable on fixed workloads systems like cash registers, kiosk machines, Secure Admin Workstations (SAWs), or well managed desktops. Device Guard is highly relevant on systems that have very well-defined software that are expected to run and don’t change too frequently. +It could also help protect Information Workers (IWs) beyond just SAWs, as long as what they need to run is known and the set of applications is not going to change on a daily basis. + SAWs are computers that are built to help significantly reduce the risk of compromise from malware, phishing attacks, bogus websites, and PtH attacks, among other security risks. Although SAWs can’t be considered a “silver bullet” security solution to these attacks, these types of clients are helpful as part of a layered, defense-in-depth approach to security. + To protect high-value assets, SAWs are used to make secure connections to those assets. + Similarly, on corporate fully-managed workstations, where applications are installed by using a distribution tool like System Center Configuration Manager, Intune, or any third-party device management, then Device Guard is very applicable. In that type of scenario, the organization has a good idea of the software that an average user is running. + It could be challenging to use Device Guard on corporate, lightly-managed workstations where the user is typically allowed to install software on their own. When an organization offers great flexibility, it’s quite difficult to run Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the event log will contain a record of any binaries that violated the Device Guard policy. 
When Device Guard is used in Audit mode, organizations can get rich data about drivers and applications that users install and run. + Before you can benefit from the protection included in Device Guard, Code Integrity policy must be created by using tools provided by Microsoft, but the policy can be deployed with common management tools, like Group Policy. The Code Integrity policy is a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10, along with restrictions on Windows 10 script hosts. Device Guard Code Integrity policy restricts what code can run on a device. -**Note**   -Device Guard policy can be signed in Windows 10, which adds additional protection against administrative users changing or removing this policy. + +>**Note:**  Device Guard policy can be signed in Windows 10, which adds additional protection against administrative users changing or removing this policy.   Signed Device Guard policy offers stronger protection against a malicious local administrator trying to defeat Device Guard. -When the policy is signed, the GUID of the policy is stored in a UEFI pre-OS secure variable which offers tampering protection. The only way to update the Device Guard policy subsequently is to provide a new version of the policy signed by the same signer or from a signer specified as part of the Device Guard policy into the UpdateSigner section. + +When the policy is signed, the GUID of the policy is stored in a UEFI pre-OS secure variable which offers tampering protection. The only way to update the Device Guard policy subsequently is to provide a new version of the policy signed by the same signer or from a signer specified as part of the +Device Guard policy into the UpdateSigner section. 
+ ### The importance of signing applications + On computers with Device Guard, Microsoft proposes to move from a world where unsigned apps can be run without restriction to a world where only signed and trusted code is allowed to run on Windows 10. -With Windows 10, organizations will make line-of-business (LOB) apps available to members of the organization through the Windows Store infrastructure. More specifically, LOB apps will be available in a private store within the public Windows Store. Windows Store signs and distributes Universal Windows apps and Classic Windows apps. All apps downloaded from the Windows Store are signed. + +With Windows 10, organizations will make line-of-business (LOB) apps available to members of the organization through the Windows Store infrastructure. More specifically, LOB apps will be available in a private store within the public Windows Store. Windows Store signs and distributes Universal +Windows apps and Classic Windows apps. All apps downloaded from the Windows Store are signed. + In organizations today, the vast majority of LOB applications are unsigned. Code signing is frequently viewed as a tough problem to solve for a variety of reasons, like the lack of code signing expertise. Even if code signing is a best practice, a lot of internal applications are not signed. + Windows 10 includes tools that allow IT pros to take applications that have been already packaged and run them through a process to create additional signatures that can be distributed along with existing applications. + ### Why are antimalware and device management solutions still necessary? + Although allow-list mechanisms are extremely efficient at ensuring that only trusted applications can be run, they cannot prevent the compromise of a trusted (but vulnerable) application by malicious content designed to exploit a known vulnerability. Device Guard doesn’t protect against user mode malicious code run by exploiting vulnerabilities. 
+ Vulnerabilities are weaknesses in software that could allow an attacker to compromise the integrity, availability, or confidentiality of the device. Some of the worst vulnerabilities allow attackers to exploit the compromised device by causing it to run malicious code without the user’s knowledge. + It’s common to see attackers distributing specially crafted content in an attempt to exploit known vulnerabilities in user mode software like web browsers (and their plug-ins), Java virtual machines, PDF readers, or document editors. As of today, 90 percent of discovered vulnerabilities affect user mode applications compared to the operating system and kernel mode drivers that host them. + To combat these threats, patching is the single most effective control, with antimalware software forming complementary layers of defense. + Most application software has no facility for updating itself, so even if the software vendor publishes an update that fixes the vulnerability, the user may not know that the update is available or how to obtain it, and therefore remains vulnerable to attack. Organizations still need to manage devices and to patch vulnerabilities. + MDM solutions are becoming prevalent as a light-weight device management technology. Windows 10 extends the management capabilities that have become available for MDMs. One key feature Microsoft has added to Windows 10 is the ability for MDMs to acquire a strong statement of device health from managed and registered devices. + ### Device health attestation + Device health attestation leverages the TPM 2.0 to provide cryptographically strong and verifiable measurements of the chain of software used to boot the device. + For Windows 10-based devices, Microsoft introduces a new public API that will allow MDM software to access a remote attestation service called Windows Health Attestation Service. 
A health attestation result, in addition with other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy. + For more information on device health attestation, see the [Detect an unhealthy Windows 10-based device](#detect-unhealthy) section. + ### Hardware requirements + The following table details the hardware requirements for both virtualization-based security services and the health attestation feature. For more information, see [Minimum hardware requirements](http://go.microsoft.com/fwlink/p/?LinkId=733951). + @@ -274,33 +373,57 @@ The following table details the hardware requirements for both virtualization-ba
  This section presented information about several closely related controls in Windows 10. The multi-layer defenses and in-depth approach helps to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them. + ## Detect an unhealthy Windows 10-based device + As of today, many organizations only consider devices to be compliant with company policy after they’ve passed a variety of checks that show, for example, that the operating system is in the correct state, properly configured, and has security protection enabled. Unfortunately, with today’s systems, this form of reporting is not entirely reliable because malware can spoof a software statement about system health. A rootkit, or a similar low-level exploit, can report a false healthy state to traditional compliance tools. + The biggest challenge with rootkits is that they can be undetectable to the client. Because they start before antimalware, and they have system-level privileges, they can completely disguise themselves while continuing to access system resources. As a result, traditional computers infected with rootkits appear to be healthy, even with antimalware running. + As previously discussed, the health attestation feature of Windows 10 uses the TPM 2.0 hardware component to securely record a measurement of every boot-related component, including firmware, Windows 10 kernel, and even early boot drivers. 
Because, health attestation leverages the hardware-based security capabilities of TPM, the log of all boot measured components remains out of the reach of any malware. + By attesting a trusted boot state, devices can prove that they are not running low-level malware that could spoof later compliance checks. TPM-based health attestation provides a reliable anchor of trust for assets that contain high-value data. + ### What is the concept of device health? + To understand the concept of device health, it’s important to know traditional measures that IT pros have taken to prevent the breach of malware. Malware control technologies are highly focused on the prevention of installation and distribution. + However, the use of traditional malware prevention technologies like antimalware or patching solutions brings a new set of issues for IT pros: the ability to monitor and control the compliance of devices accessing organization’s resources. + The definition of device compliance will vary based on an organization’s installed antimalware, device configuration settings, patch management baseline, and other security requirements. But health of the device is part of the overall device compliance policy. + The health of the device is not binary and depends on the organization’s security implementation. The Health Attestation Service provides information back to the MDM on which security features are enabled during the boot of the device by leveraging trustworthy hardware TPM. + But health attestation only provides information, which is why an MDM solution is needed to take and enforce a decision. + ### Remote device health attestation + In Windows 10, health attestation refers to a feature where Measured Boot data generated during the boot process is sent to a remote device health attestation service operated by Microsoft. + This is the most secure approach available for Windows 10-based devices to detect when security defenses are down. 
During the boot process, the TCG log and PCRs values are sent to a remote Microsoft cloud service. Logs are then checked by the Health Attestation Service to determine what changes have occurred on the device. + A relying party like an MDM can inspect the report generated by the remote health attestation service. -**Note**   -To use the health attestation feature of Windows 10, the device must be equipped with a discrete or firmware TPM 2.0. There is no restriction on any particular edition of Windows 10. + +>**Note:**  To use the health attestation feature of Windows 10, the device must be equipped with a discrete or firmware TPM 2.0. There is no restriction on any particular edition of Windows 10.   Windows 10 supports health attestation scenarios by allowing applications access to the underlying health attestation configuration service provider (CSP) so that applications can request a health attestation token. The measurement of the boot sequence can be checked at any time locally by an antimalware or an MDM agent. + Remote device health attestation combined with an MDM provides a hardware-rooted method for reporting the current security status and detecting any changes, without having to trust the software running on the system. + In the case where malicious code is running on the device, the use of a remote server is required. If a rootkit is present on the device, the antimalware is no longer reliable, and its behavior can be hijacked by a malicious code running early in the startup sequence. That's why it's important to use Secure Boot and Device Guard, to control which code is loaded during the boot sequence. + The antimalware software can search to determine whether the boot sequence contains any signs of malware, such as a rootkit. It can also send the TCG log and the PCRs to a remote health attestation server to provide a separation between the measurement component and the verification component. 
+ Health attestation logs the measurements in various TPM Platform Configuration Registers (PCRs) and TCG logs during the boot process. + ![figure 6](images/hva-fig6-logs.png) + When starting a device equipped with a TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log. + ![figure 7](images/hva-fig7-measurement.png) + The health attestation process works as follows: + 1. Hardware boot components are measured. 2. Operating system boot components are measured. 3. If Device Guard is enabled, current Device Guard policy is measured. 
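Review bot: In the `@@ -274,33 +373,57 @@` hunk the sentence "Because, health attestation leverages the hardware-based security capabilities of TPM, the log of all boot measured components remains out of the reach of any malware." carries a stray comma after "Because" and an inverted noun phrase; since the hunk is already reflowing this paragraph, suggest "Because health attestation leverages the hardware-based security capabilities of the TPM, the log of all measured boot components remains out of the reach of any malware." The same hunk's converted note ("the device must be equipped with a discrete or firmware TPM 2.0. There is no restriction on any particular edition of Windows 10.") is correct as written and matches the hardware-requirements statement above it, so no change needed there.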
@@ -309,90 +432,138 @@ The health attestation process works as follows: 6. Boot start drivers are measured. 7. MDM server through the MDM agent issues a health check command by leveraging the Health Attestation CSP. 8. Boot measurements are validated by the Health Attestation Service -**Note**   -By default, the last 100 system boot logs and all associated resume logs are archived in the %SystemRoot%\\logs\\measuredboot folder. + +>**Note:**  By default, the last 100 system boot logs and all associated resume logs are archived in the %SystemRoot%\\logs\\measuredboot folder. The number of retained logs may be set with the registry **REG\_DWORD** value **PlatformLogRetention** under the **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM** key. A value of **0** will turn off log archival and a value of **0xffffffff** will keep all logs.   The following process describes how health boot measurements are sent to the health attestation service: + 1. The client (a Windows 10-based device with a TPM 2.0) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client. 2. The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate information. 3. The remote device heath attestation service then: + 1. Verifies that the AIK certificate is issued by a known and trusted CA and the certificate is valid and not revoked. 2. Verifies that the signature on the PCR quotes is correct and consistent with the TCG log value. 3. Parses the properties in the TCG log. 4. Issues the device health token that contains the health information, the AIK information, and the boot counter information. The health token also contains valid issuance time. The device health token is encrypted and signed, that means that the information is protected and only accessible to issuing health attestation service. + 4. 
The client stores the health encrypted blob in its local store. The device health token contains device health status, a device ID (the Windows AIK), and the boot counter. + ![figure 8](images/hva-fig8a-healthattest8a.png) + ### Device health attestation components + The device health attestation solution involves different components that are TPM, Health Attestation CSP, and the Windows Health Attestation Service. Those components are described in this section. + ### Trusted Platform Module + *It’s all about TPM 2.0 and endorsement certificates.* This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting. + In a simplified manner, the TPM is a passive component with limited resources. It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device. + A TPM incorporates in a single component: + - A RSA 2048-bit key generator - A random number generator - Nonvolatile memory for storing EK, SRK, and AIK keys - A cryptographic engine to encrypt, decrypt, and sign - Volatile memory for storing the PCRs and RSA keys + ### Endorsement key + The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits). + The endorsement key public key is generally used for sending securely sensitive parameters, such as when taking possession of the TPM that contains the defining hash of the owner password. The EK private key is used when creating secondary keys like AIKs. + The endorsement key acts as an identity card for the TPM. For more information, see [Understand the TPM endorsement key](http://go.microsoft.com/fwlink/p/?LinkId=733952). 
+ The endorsement key is often accompanied by one or two digital certificates: + - One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it’s a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service. - The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device. For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10. -**Note**   -Secure Boot protects the platform until the Windows kernel is loaded. Then protections like Trusted Boot, Hyper-V Code Integrity and ELAM take over. A device that uses Intel TPM or Qualcomm TPM gets a signed certificate online from the manufacturer that has created the chip and then stores the signed certificate in TPM storage. For the operation to succeed, if you are filtering Internet access from your client devices, you must authorize the following URLs: + +>**Note:**  Secure Boot protects the platform until the Windows kernel is loaded. Then protections like Trusted Boot, Hyper-V Code Integrity and ELAM take over. A device that uses Intel TPM or Qualcomm TPM gets a signed certificate online from the manufacturer that has created the chip and then stores the signed certificate in TPM storage. 
For the operation to succeed, if you are filtering Internet access from your client devices, you must authorize the following URLs: + - For Intel firmware TPM: **https://ekop.intel.com/ekcertservice** - For Qualcomm firmware TPM: **https://ekcert.spserv.microsoft.com/**   ### Attestation Identity Keys + Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows 10 issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service. -**Note**   -Before the device can report its health using the TPM 2.0 attestation functions, an AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK. + +>**Note:**  Before the device can report its health using the TPM 2.0 attestation functions, an AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.   The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. 
Furthermore, it can only be used for signing, and only for limited, TPM-defined operations. -Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft is hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10-based device. + +Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft is hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft +Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10-based device. + Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Microsoft Passport without TPM. + In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement certificate. 
+ ### Storage root key + The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048 bits length). The SRK has a major role and is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK key is created when the ownership of the TPM is taken. + ### Platform Configuration Registers + The TPM contains a set of registers that are designed to provide a cryptographic representation of the software and state of the system that booted. These registers are called Platform Configuration Registers (PCRs). + The measurement of the boot sequence is based on the PCR and TCG log. To establish a static root of trust, when the device is starting, the device must be able to measure the firmware code before execution. In this case, the Core Root of Trust for Measurement (CRTM) is executed from the boot, calculates the hash of the firmware, then stores it by expanding the register PCR\[0\] and transfers execution to the firmware. + PCRs are set to zero when the platform is booted, and it is the job of the firmware that boots the platform to measure components in the boot chain and to record the measurements in the PCRs. Typically, boot components take the hash of the next component that is to be run and record the measurements in the PCRs. The initial component that starts the measurement chain is implicitly trusted. This is the CRTM. Platform manufacturers are required to have a secure update process for the CRTM or not permit updates to it. The PCRs record a cumulative hash of the components that have been measured. + The value of a PCR on its own is hard to interpret (it is just a hash value), but platforms typically keep a log with details of what has been measured, and the PCRs merely ensure that the log has not been tampered with. The logs are referred as a TCG log. Each time a register PCR is extended, an entry is added to the TCG log. 
Thus, throughout the boot process, a trace of the executable code and configuration data is created in the TCG log. + ### TPM provisioning + For the TPM of a Windows 10-based device to be usable, it must first be provisioned. The process of provisioning differs somewhat based on TPM versions, but, when successful, it results in the TPM being usable and the owner authorization data (ownerAuth) for the TPM being stored locally on the registry. + When the TPM is provisioned, Windows 10 will first attempt to determine the EK and locally stored **ownerAuth** values by looking in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Endorsement** + During the provisioning process, the device may need to be restarted. + Note that the **Get-TpmEndorsementKeyInfo PowerShell** cmdlet can be used with administrative privilege to get information about the endorsement key and certificates of the TPM. -If the TPM ownership is not known but the EK exists, the client library will provision the TPM and will store the resulting **ownerAuth** value into the registry if the policy allows it will store the SRK public portion at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Admin\\SRKPub** + +If the TPM ownership is not known but the EK exists, the client library will provision the TPM and will store the resulting **ownerAuth** value into the registry if the policy allows it will store the SRK public portion at the following location: +**HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Admin\\SRKPub** + As part of the provisioning process, Windows 10 will create an AIK with the TPM. 
When this operation is performed, the resulting AIK public portion is stored in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\WindowsAIKPub** -**Note**   -For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: **https://\*.microsoftaik.azure.net** + +>**Note:**  For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: **https://\*.microsoftaik.azure.net**   ### Windows 10 Health Attestation CSP + Windows 10 contains a configuration service provider (CSP) specialized for interacting with the health attestation feature. A CSP is a component that plugs into the Windows MDM client and provides a published protocol for how MDM servers can configure settings and manage Windows-based devices. The management protocol is represented as a tree structure that can be specified as URIs with functions to perform on the URIs such as “get”, “set”, “delete”, and so on. + The following is a list of functions performed by the Windows 10 Health Attestation CSP: + - Collects data that is used to verify a device’s health status - Forwards the data to the Health Attestation Service - Provisions the Health Attestation Certificate that it receives from the Health Attestation Service - Upon request, forwards the Health Attestation Certificate (received from the Health Attestation Service) and related runtime information to the MDM server for verification + During a health attestation session, the Health Attestation CSP forwards the TCG logs and PCRs values that are measured during the boot, by using a secure communication channel to the Health Attestation Service. 
+ When an MDM server validates that a device has attested to the Health Attestation Service, it will be given a set of statements and claims about how that device booted, with the assurance that the device did not reboot between the time that it attested its health and the time that the MDM server validated it. + ### Windows Health Attestation Service + The role of Windows Health Attestation Service is essentially to evaluate a set of health data (TCG log and PCR values), make a series of detections (based on available health data) and generate encrypted health blob or produce report to MDM servers. -**Note**   -Both device and MDM servers must have access to **has.spserv.microsoft.com** using the TCP protocol on port 443 (HTTPS). + +>**Note:**  Both device and MDM servers must have access to **has.spserv.microsoft.com** using the TCP protocol on port 443 (HTTPS).   Checking that a TPM attestation and the associated log are valid takes several steps: + 1. First, the server must check that the reports are signed by **trustworthy AIKs**. This might be done by checking that the public part of the AIK is listed in a database of assets, or perhaps that a certificate has been checked. 2. After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it is a **valid signature over PCR values**. 3. Next the logs should be checked to ensure that they match the PCR values reported. 4. Finally, the logs themselves should be examined by an MDM solution to see whether they represent **known or valid security configurations**. For example, a simple check might be to see whether the measured early OS components are known to be good, that the ELAM driver is as expected, and that the ELAM driver policy file is up to date. If all of these checks succeed, an attestation statement can be issued that later can be used to determine whether or not the client should be granted access to a resource. 
+ The Health Attestation Service provides the following information to an MDM solution about the health of the device: + - Secure Boot enablement - Boot and kernel debug enablement - BitLocker enablement @@ -401,8 +572,11 @@ The Health Attestation Service provides the following information to an MDM solu - ELAM loaded - Safe Mode boot, DEP enablement, test signing enablement - Device TPM has been provisioned with a trusted endorsement certificate + For completeness of the measurements, see [Health Attestation CSP](http://go.microsoft.com/fwlink/p/?LinkId=733949). + The following table presents some key items that can be reported back to MDM depending on the type of Windows 10-based device. + @@ -446,90 +620,139 @@ The following table presents some key items that can be reported back to MDM dep
  ### Leverage MDM and the Health Attestation Service + To make device health relevant, the MDM solution evaluates the device health report and is configured to the organization’s device health requirements. + A solution that leverages MDM and the Health Attestation Service consists of three main parts: + 1. A device with health attestation enabled. This will usually be done as a part of enrollment with an MDM provider (health attestation will be disabled by default). 2. After this is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return. 3. At any point after this, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it’s been attested. + ![figure 9](images/hva-fig8-evaldevicehealth8.png) + Interaction between a Windows 10-based device, the Health Attestation Service, and MDM can be performed as follows: + 1. The client initiates a session with the MDM server. The URI for the MDM server would be part of the client app that initiates the request. The MDM server at this time could request the health attestation data by using the appropriate CSP URI. 2. The MDM server specifies a nonce along with the request. 3. The client then sends the AIK quoted nonce + the boot counter and the health blob information. This health blob is encrypted with a Health Attestation Service public key that only the Health Attestation Service can decrypt. 4. The MDM server: + 1. Verifies that the nonce is as expected. 2. Passes the quoted data, the nonce and the encrypted health blob to the Health Attestation Service server. + 5. The Health Attestation Service: + 1. Decrypts the health blob. 2. Verifies that the boot counter in the quote is correct using the AIK in the health blob and matches the value in the health blob. 3. 
Verifies that the nonce matches in the quote and the one that is passed from MDM. 4. Because the boot counter and the nonce are quoted with the AIK from the health blob, it also proves that the device is the same one as the one for which the health blob has been generated. 5. Sends data back to the MDM server including health parameters, freshness, and so on. -**Note**   -The MDM server (relying party) never performs the quote or boot counter validation itself. It gets the quoted data and the health blob (which is encrypted) and sends the data to the Health Attestation Service for validation. This way, the AIK is never visible to the MDM, which thereby addresses privacy concerns. + +>**Note:**  The MDM server (relying party) never performs the quote or boot counter validation itself. It gets the quoted data and the health blob (which is encrypted) and sends the data to the Health Attestation Service for validation. This way, the AIK is never visible to the MDM, which thereby addresses privacy concerns.   Setting the requirements for device compliance is the first step to ensure that registered devices that do not meet health and compliance requirements are detected, tracked, and have actions enforced by the MDM solution. -Devices that attempt to connect to resources must have their health evaluated so that unhealthy and noncompliant devices can be detected and reported. To be fully efficient, an end-to-end security solution must impose a consequence for unhealthy devices like refusing access to high-value assets. That is the purpose of conditional access control, which is detailed in the next section. + +Devices that attempt to connect to resources must have their health evaluated so that unhealthy and noncompliant devices can be detected and reported. To be fully efficient, an end-to-end security solution must impose a consequence for unhealthy devices like refusing access to high-value assets. 
+That is the purpose of conditional access control, which is detailed in the next section. + ## Control the security of a Windows 10-based device before access is granted + Today’s access control technology, in most cases, focuses on ensuring that the right people get access to the right resources. If users can authenticate, they get access to resources using a device that the organization’s IT staff and systems know very little about. Perhaps there is some check such as ensuring that a device is encrypted before giving access to email, but what if the device is infected with malware? + The remote device health attestation process uses measured boot data to verify the health status of the device. The health of the device is then available for an MDM solution like Intune. -**Note**   -For the latest information on Intune and Windows 10 features support, see the [Microsoft Intune blog](http://go.microsoft.com/fwlink/p/?LinkId=691614) and [What's new in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=733956). + +>**Note:**  For the latest information on Intune and Windows 10 features support, see the [Microsoft Intune blog](http://go.microsoft.com/fwlink/p/?LinkId=691614) and [What's new in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=733956).   The figure below shows how the Health Attestation Service is expected to work with Microsoft’s cloud-based Intune MDM service. + ![figure 10](images/hva-fig9-intune.png) -An MDM solution can then leverage health state statements and take them to the next level by coupling with client policies that will enable conditional access to be granted based on the device’s ability to prove that it’s malware free, its antimalware system is functional and up to date, the firewall is running, and the devices patch state is compliant. 
+ +An MDM solution can then leverage health state statements and take them to the next level by coupling with client policies that will enable conditional access to be granted based on the device’s ability to prove that it’s malware free, its antimalware system is functional and up to date, the +firewall is running, and the devices patch state is compliant. + Finally, resources can be protected by denying access to endpoints that are unable to prove they’re healthy. This feature is much needed for BYOD devices that need to access organizational resources. + ### Built-in support of MDM in Windows 10 + Windows 10 has an MDM client that ships as part of the operating system. This enables MDM servers to manage Windows 10-based devices without requiring a separate agent. + ### Third-party MDM server support + Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise management tasks. For additional information, see [Azure Active Directory integration with MDM](http://go.microsoft.com/fwlink/p/?LinkId=733954). -**Note**   -MDM servers do not need to create or download a client to manage Windows 10. For more information, see [Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=733955). + +>**Note:**  MDM servers do not need to create or download a client to manage Windows 10. For more information, see [Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=733955).   The third-party MDM server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. 
+ ### Management of Windows Defender by third-party MDM + This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that aren’t domain joined. IT pros will be able to manage and configure all of the actions and settings they are familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows 10-based devices by using MDM because many of the settings and actions are shared across both mechanisms. + For more information on how to manage Windows 10 security and system settings with an MDM solution, see [Custom URI settings for Windows 10 devices](http://go.microsoft.com/fwlink/p/?LinkId=733953). + ### Conditional access control + On most platforms, the Azure Active Directory (Azure AD) device registration happens automatically during enrollment. The device states are written by the MDM solution into Azure AD, and then read by Office 365 (or by any authorized Windows app that interacts with Azure AD) the next time the client tries to access an Office 365 compatible workload. + If the device is not registered, the user will get a message with instructions on how to register (also known as enrolling). If the device is not compliant, the user will get a different message that redirects them to the MDM web portal where they can get more information on the compliance problem and how to resolve it. + **Azure AD** authenticates the user and the device, **MDM** manages the compliance and conditional access policies, and the **Health Attestation Service** reports about the health of the device in an attested way. 
+ ![figure 11](images/hva-fig10-conditionalaccesscontrol.png) + ### Office 365 conditional access control -Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company’s device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include additional target groups. + +Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company’s device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include additional +target groups. + When a user requests access to an Office 365 service from a supported device platform, Azure AD authenticates the user and device from which the user launches the request; and grants access to the service only when the user conforms to the policy set for the service. Users that do not have their device enrolled are given remediation instructions on how to enroll and become compliant to access corporate Office 365 services. + When a user enrolls, the device is registered with Azure AD, and enrolled with a compatible MDM solution like Intune. 
-**Note**   -Microsoft is working with third-party MDM ISVs to support automated MDM enrollment and policy based access checks. Steps to turn on auto-MDM enrollment with Azure AD and Intune are explained in the [Windows 10, Azure AD And Microsoft Intune: Automatic MDM Enrollment Powered By The Cloud!](http://go.microsoft.com/fwlink/p/?LinkId=691615) blog post. + +>**Note**  Microsoft is working with third-party MDM ISVs to support automated MDM enrollment and policy based access checks. Steps to turn on auto-MDM enrollment with Azure AD and Intune are explained in the [Windows 10, Azure AD And Microsoft Intune: Automatic MDM Enrollment Powered By The Cloud!](http://go.microsoft.com/fwlink/p/?LinkId=691615) blog post.   When a user enrolls a device successfully, the device becomes trusted. Azure AD provides single-sign-on to access company applications and enforces conditional access policy to grant access to a service not only the first time the user requests access, but every time the user requests to renew access. + The user will be denied access to services when sign-in credentials are changed, a device is lost/stolen, or the compliance policy is not met at the time of request for renewal. + Depending on the type of email application that employees use to access Exchange online, the path to establish secured access to email can be slightly different. However, the key components: Azure AD, Office 365/Exchange Online, and Intune, are the same. The IT experience and end-user experience also are similar. + ![figure 12](images/hva-fig11-office365.png) + Clients that attempt to access Office 365 will be evaluated for the following properties: + - Is the device managed by an MDM? - Is the device registered with Azure AD? - Is the device compliant? + To get to a compliant state, the Windows 10-based device needs to: + - Enroll with an MDM solution. - Register with Azure AD. - Be compliant with the device policies set by the MDM solution. 
-**Note**   -At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Azure AD, Microsoft Intune and Windows 10 – Using the cloud to modernize enterprise mobility!](http://go.microsoft.com/fwlink/p/?LinkId=691616) blog post. + +>**Note:**  At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Azure AD, Microsoft Intune and Windows 10 – Using the cloud to modernize enterprise mobility!](http://go.microsoft.com/fwlink/p/?LinkId=691616) blog post.   ### Cloud and on-premises apps conditional access control + Conditional access control is a powerful policy evaluation engine built into Azure AD. It gives IT pros an easy way to create access rules beyond Office 365 that evaluate the context of a user's logon to make real-time decisions about which applications they should be allowed to access. + IT pros can configure conditional access control policies for cloud SaaS applications secured by Azure AD and even on-premises applications. Access rules in Azure AD leverage the conditional access engine to check device health and compliance state reported by a compatible MDM solution like Intune in order to determine whether to allow access. + For more information about conditional access, see [Azure Conditional Access Preview for SaaS Apps.](http://go.microsoft.com/fwlink/p/?LinkId=524807) -**Note**   -Conditional access control is an Azure AD Premium feature that's also available with EMS. If you don't have an Azure AD Premium subscription, you can get a trial from the [Microsoft Azure](http://go.microsoft.com/fwlink/p/?LinkId=691617) site. + +>**Note:**  Conditional access control is an Azure AD Premium feature that's also available with EMS. If you don't have an Azure AD Premium subscription, you can get a trial from the [Microsoft Azure](http://go.microsoft.com/fwlink/p/?LinkId=691617) site.   
For on-premises applications there are two options to enable conditional access control based on a device's compliance state: + - For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more details, see the [Azure AD Conditional Access preview updated: Now supports On-Premises and Custom LOB apps](http://go.microsoft.com/fwlink/p/?LinkId=691618) blog post. - Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server Technical Preview 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications. + ![figure 13](images/hva-fig12-conditionalaccess12.png) + The following process describes how Azure AD conditional access works: + 1. User has already enrolled with MDM through Workplace Access/Azure AD join which registers device with Azure AD. 2. When the device boots or resumes from hibernate, a task “Tpm-HASCertRetr” is triggered to request in background a health attestation blob. Device sends TPM boot measurements to the Health Attestation Service. 3. Health Attestation Service validates device state and issues an encrypted blob to the device based on the health state with details on failed checks (if any). 
@@ -544,34 +767,59 @@ The following process describes how Azure AD conditional access works: 12. Access gated by compliance claim in Azure AD. 13. If the device is compliant and the user is authorized, an access token is generated. 14. User can access the corporate managed asset. + For more information about Azure AD join, see the [Azure AD & Windows 10: Better Together for Work or School](http://go.microsoft.com/fwlink/p/?LinkId=691619) white paper. + Conditional access control is a topic that many organizations and IT pros may not know as well as they should. The different attributes that describe a user, a device, compliance, and context of access are very powerful when used with a conditional access engine. Conditional access control is an essential step that helps organizations secure their environment. + ## Takeaways and summary + The following list contains high-level key take-aways to improve the security posture of any organization. However, the few take-aways presented in this section should not be interpreted as an exhaustive list of security best practices. + - **Understand that no solution is 100 percent secure** + If determined adversaries with malicious intent gain physical access to the device, they could eventually break through its security layers and control it. + - **Use health attestation with an MDM solution** + Devices that attempt to connect to high-value assets must have their health evaluated so that unhealthy and noncompliant devices can be detected, reported, and eventually blocked. + - **Use Credential Guard** + Credential Guard is a feature that greatly helps protect corporate domain credentials from pass-the-hash attacks. + - **Use Device Guard** + Device Guard is a real advance in security and an effective way to help protect against malware. The new Device Guard feature in Windows 10 blocks untrusted apps (apps not authorized by your organization). 
+ - **Sign Device Guard policy** + Signed Device Guard policy helps protect against a user with administrator privileges trying to defeat the current policy. When a policy is signed, the only way to modify Device Guard subsequently is to provide a new version of the policy signed by the same signer or from a signer specify as part of the Device Guard policy. + - **Use virtualization-based security** + When you have Kernel Mode Code Integrity protected by virtualization-based security, the code integrity rules are still enforced even if a vulnerability allows unauthorized kernel mode memory access. Keep in mind that Device Guard devices that run Kernel Code Integrity with virtualization-based security must have compatible drivers. + - **Start to deploy Device Guard with Audit mode** + Deploy Device Guard policy to targeted computers and devices in Audit mode. Monitor the Code Integrity event log that indicates a program or a driver would have been blocked if Device Guard was configured in Enforcement mode. Adjust Device Guard rules until a high level of confidence has been reached. After the testing phase has been completed, Device Guard policy can be switched to Enforcement mode. + - **Build an isolated reference machine when deploying Device Guard** + Because the corporate network can contain malware, you should start to configure a reference environment that is isolated from your main corporate network. After that, you can create a code integrity policy that includes the trusted applications you want to run on your protected devices. + - **Use AppLocker when it makes sense** + Although AppLocker is not considered a new Device Guard feature, it complements Device Guard functionality for some scenarios like being able to deny a specific Universal Windows apps for a specific user or a group of users. + - **Lock down firmware and configuration** + After Windows 10 is installed, lock down firmware boot options access. 
This prevents a user with physical access from modifying UEFI settings, disabling Secure Boot, or booting other operating systems. Also, in order to protect against an administrator trying to disable Device Guard, add a rule in the current Device Guard policy that will deny and block execution of the **C:\\Windows\\System32\\SecConfig.efi** tool. + Health attestation is a key feature of Windows 10 that includes client and cloud components to control access to high-value assets based on a user and their device’s identity and compliance with corporate governance policy. Organizations can choose to detect and report unhealthy devices, or to configure health enforcement rules based on their needs. Health attestation provides an end-to-end security model and integration points, which vendors and software developers can use to build and integrate a customized solution. + ## Related topics -[Protect derived domain credentials with Credential Guard](credential-guard.md) -[Device Guard deployment guide](device-guard-deployment-guide.md) -[Trusted Platform Module technology overview](http://go.microsoft.com/fwlink/p/?LinkId=733957) -  -  + +- [Protect derived domain credentials with Credential Guard](credential-guard.md) +- [Device Guard deployment guide](device-guard-deployment-guide.md) +- [Trusted Platform Module technology overview](http://go.microsoft.com/fwlink/p/?LinkId=733957) diff --git a/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index a1a5ed3f34..aaf71600b1 100644 --- a/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -2,112 +2,163 @@ title: Protecting cluster shared volumes and storage area networks with BitLocker (Windows 10) description: This topic for IT pros describes how to protect CSVs and SANs with BitLocker. ms.assetid: ecd25a10-42c7-4d31-8a7e-ea52c8ebc092 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Protecting cluster shared volumes and storage area networks with BitLocker + **Applies to** - Windows 10 + This topic for IT pros describes how to protect CSVs and SANs with BitLocker. + BitLocker can protect both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes allows for an additional layer of protection for administrators wishing to protect sensitive, highly available data. By adding additional protectors to the clustered volume, administrators can also add an additional barrier of security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. + ## Configuring BitLocker on Cluster Shared Volumes + ### Using BitLocker with Clustered Volumes + BitLocker on volumes within a cluster are managed based on how the cluster service "views" the volume to be protected. The volume can be a physical disk resource such as a logical unit number (LUN) on a storage area network (SAN) or network attached storage (NAS). -**Important**   -SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](https://msdn.microsoft.com/library/windows/hardware/dn930814.aspx). + +>**Important**  SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](https://msdn.microsoft.com/library/windows/hardware/dn930814.aspx).   -Alternatively, the volume can be a cluster-shared volume, a shared namespace, within the cluster. 
Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume will need to turn on BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will complete. +Alternatively, the volume can be a cluster-shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume will need to turn on +BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will complete. + Windows PowerShell or the manage-bde command line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item. -**Note**   -Mount points can be used to support remote mount points on SMB based network shares. This type of share is not supported for BitLocker encryption. + +>**Note:**  Mount points can be used to support remote mount points on SMB based network shares. This type of share is not supported for BitLocker encryption.   -For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde –WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. 
This occurs because Full Encryption requires an end marker for the volume and dynamically expanding VHDs do not have a static end of volume marker. +For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde –WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This occurs because Full +Encryption requires an end marker for the volume and dynamically expanding VHDs do not have a static end of volume marker. + ### Active Directory-based protector + You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order: + 1. Clear key 2. Driver-based auto-unlock key 3. ADAccountOrGroup protector + 1. Service context protector 2. User protector + 4. Registry-based auto-unlock key -**Note**   -A Windows Server 2012 or later domain controller is required for this feature to work properly. + +>**Note:**  A Windows Server 2012 or later domain controller is required for this feature to work properly.   ### Turning on BitLocker before adding disks to a cluster using Windows PowerShell + BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation. 
To turn on BitLocker for a disk before adding it to a cluster, do the following: + 1. Install the BitLocker Drive Encryption feature if it is not already installed. 2. Ensure the disk is formatted NTFS and has a drive letter assigned to it. 3. Enable BitLocker on the volume using your choice of protector. A password protector is used in the Windows PowerShell script example below. + ``` syntax Enable-BitLocker E: -PasswordProtector -Password $pw ``` + 4. Identify the name of the cluster with Windows PowerShell. + ``` syntax Get-Cluster + ``` 5. Add an **ADAccountOrGroup**protector to the volume using the cluster name using a command such as: + ``` syntax Add-BitLockerProtector E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` - **Warning**   - You must add an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to failover properly in a traditional failover cluster. + + >**Warning:**  You must add an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to failover properly in a traditional failover cluster.   6. Repeat steps 1-6 for each disk in the cluster. 7. Add the volume(s) to the cluster. + ### Turning on BitLocker for a clustered disk using Windows PowerShell + When the cluster service owns a disk resource already, it needs to be set into maintenance mode before BitLocker can be enabled. Use the following steps for turning BitLocker on for a clustered disk: + 1. Install the BitLocker Drive Encryption feature if it is not already installed. 2. Check the status of the cluster disk using Windows PowerShell. + ``` syntax Get-ClusterResource "Cluster Disk 1" ``` + 3. Put the physical disk resource into maintenance mode using Windows PowerShell. + ``` syntax Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource ``` + 4. Enable BitLocker on the volume using your choice of protector. 
A password protector is used in the example below. + ``` syntax Enable-BitLocker E: -PasswordProtector -Password $pw ``` + 5. Identify the name of the cluster with Windows PowerShell + ``` syntax Get-Cluster ``` + 6. Add an **ADAccountOrGroup** protector with the Cluster Name Object (CNO) to the volume using a command such as: + ``` syntax Add-BitLockerProtector E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ + ``` - **Warning**   - You must add an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to failover properly in a traditional failover cluster. + >**Warning:**  You must add an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to failover properly in a traditional failover cluster.   7. Repeat steps 1-6 for each disk in the cluster. 8. Add the volume(s) to the cluster + ### Adding BitLocker encrypted volumes to a cluster using manage-bde + You can also use manage-bde to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster includes the following: + 1. Verify the BitLocker Drive Encryption feature is installed on the computer. 2. Ensure new storage is formatted as NTFS. 3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using the manage-bde command line interface (see example): + - `Manage-bde -on -used -RP -sid domain\CNO$ -sync` + 1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption will continue. 2. Using the -sync parameter is optional. Using it ensures the command waits until the encryption for the volume is completed before releasing the volume for use in the cluster storage pool. + 4. 
Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered + - Once the disk is clustered it can also be enabled for CSV. + 5. During the resource online operation, cluster will check to see if the disk is BitLocker encrypted. + 1. If the volume is not BitLocker enabled, traditional cluster online operations occur. 2. If the volume is BitLocker enabled, the following check occurs: + - If volume is **locked**, BitLocker will impersonate the CNO and unlock the volume using the CNO protector. If this operation fails an event will be logged that the volume could not be unlocked and the online operation will fail. + 6. Once the disk is online in the storage pool, it can be added to a CSV by right clicking on the disk resource and choosing "**Add to cluster shared volumes**". CSVs can include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption, administrators can utilize the manage-bde -status command with a path to the volume inside the CSV namespace as seen in the example command line below. + ``` syntax manage-bde -status "C:\ClusterStorage\volume1" ``` + ### Physical Disk Resources + Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This means that operations such as encrypting, decrypting, locking or unlocking volumes require context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available. + ### Restrictions on BitLocker actions with cluster volumes + The following table contains information about both Physical Disk Resources (i.e. traditional failover cluster volumes) and Cluster Shared Volumes (CSV) and the actions that are allowed by BitLocker in each situation. + @@ -211,11 +262,12 @@ The following table contains information about both Physical Disk Resources (i.e
  -**Note**   -Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node +>**Note:**  Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node   In the case where a physical disk resource experiences a failover event during conversion, the new owning node will detect the conversion is not complete and will complete the conversion process. + ### Other considerations when using BitLocker on CSV2.0 + Some other considerations to take into account for BitLocker on clustered storage include the following: - BitLocker volumes have to be initialized and beginning encryption before they are available to add to a CSV2.0 volume. - If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete. @@ -224,5 +276,3 @@ Some other considerations to take into account for BitLocker on clustered storag - If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver will automatically resume conversion when the volume is online to the cluster. - If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) will automatically resume conversion when moving the volume back from maintenance. - If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver will automatically resume conversion when the volume is moved back from maintenance mode. -  -  
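Review bot: the first cluster procedure in this hunk ("To turn on BitLocker for a disk before adding it to a cluster") has a self-referential repeat step: `6. Repeat steps 1-6 for each disk in the cluster.` is itself step 6, and step 7 then adds the volumes, so it should read `6. Repeat steps 1-5 for each disk in the cluster.` (the second procedure's `7. Repeat steps 1-6` is correct as written). While touching this list, the final step of the second procedure, `8. Add the volume(s) to the cluster`, is missing its terminating period, unlike the matching step 7 in the first procedure.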
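Review bot: the converted blockquote at the top of the second hunk, `>**Note:**  Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node`, still lacks a terminating period, and "Blocked" is capitalized mid-sentence; since the line is being rewritten anyway, end it with a period and lowercase "blocked" to match the surrounding table and prose.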
diff --git a/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md b/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md index e1f339479c..4ef6ba5277 100644 --- a/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md +++ b/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md 
@@ -2,88 +2,93 @@ title: Recovery console Allow automatic administrative logon (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Recovery console Allow automatic administrative logon security policy setting. ms.assetid: be2498fc-48f4-43f3-ad09-74664e45e596 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Recovery console: Allow automatic administrative logon + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Recovery console: Allow automatic administrative logon** security policy setting. + ## Reference + This policy setting determines whether the built-in Administrator account password must be provided before access to the device is granted. If you enable this setting, the built-in Administrator account is automatically logged on to the computer at the Recovery Console; no password is required. + The Recovery Console can be very useful when troubleshooting and repairing systems that cannot be restarted. However, enabling this policy setting so a user can automatically log on to the console is dangerous. Anyone can walk up to the server, shut it down by disconnecting the power, reboot it, select **Recovery Console** from the **Restart** menu, and then assume full control of the server. + ### Possible values + - Enabled + The built-in Administrator account is automatically logged on to the computer at the Recovery Console; no password is required + - Disabled + Automatic administrative logon is not allowed. + - Not defined + Automatic administrative logon is not allowed. + ### Best practices + - Set **Recovery Console: Allow automatic administrative logon** to **Disabled**. This requires a user to enter a user name and password to access the Recovery Console account. 
+ ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy| Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device + ### Policy conflicts + None. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The Recovery Console can be very useful when you must troubleshoot and repair device that do not start. However, allowing automatic logon to the Recovery Console can make it possible for someone to assume full control of the server. + ### Countermeasure + Disable the **Recovery console: Allow automatic administrative logon** setting. + ### Potential impact + Users must enter a user name and password to access the Recovery Console. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md index 113bafb66c..d8945335fa 100644 --- a/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md 
+++ b/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md 
@@ -2,95 +2,99 @@ title: Recovery console Allow floppy copy and access to all drives and folders (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Recovery console Allow floppy copy and access to all drives and folders security policy setting. ms.assetid: a5b4ac0c-f33d-42b5-a866-72afa7cbd0bd -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Recovery console: Allow floppy copy and access to all drives and folders + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Recovery console: Allow floppy copy and access to all drives and folders** security policy setting. + ## Reference + This policy setting enables or disables the Recovery Console SET command, which allows you to set the following Recovery Console environment variables. + - **AllowWildCards**. Enables wildcard support for some commands, such as the DEL command. - **AllowAllPaths**. Allows access to all files and folders on the device. - **AllowRemovableMedia**. Allows files to be copied to removable media, such as a floppy disk. - **NoCopyPrompt**. Suppresses the prompt that typically displays before an existing file is overwritten. + You might forget to remove removable media, such as CD or floppy disk, with sensitive data or applications that a malicious user could then steal. Or you could accidentally leave a startup disk in the computer after using the Recovery Console. If the device is restarted for any reason and the BIOS has been configured to boot from the removable media before the hard disk drive, the server will start from the removable disk. This causes the server's network services to be unavailable. 
+ ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Set **Recovery Console: Allow floppy copy and access to drives and folders** to **Disabled**. Users who have started a server by using the Recovery Console and logged in with the built-in Administrator account will not be able to copy files and folders to a floppy disk. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. + ### Policy conflicts + None. + ### Command-line tools + Enabling this security option makes the Recovery Console SET command available, which allows you to set the following Recovery Console environment variables: + - AllowWildCards: Enable wildcard support for some commands (such as the DEL command). - AllowAllPaths: Allow access to all files and folders on the device. - AllowRemovableMedia: Allow files to be copied to removable media, such as a floppy disk. - NoCopyPrompt: Do not prompt when overwriting an existing file. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + An attacker who can cause the system to restart into the Recovery Console could steal sensitive data and leave no audit or access trail. + ### Countermeasure + Disable the **Recovery console: Allow floppy copy and access to drives and folders** setting. + ### Potential impact + Users who have started a server through the Recovery Console and logged in with the built-in Administrator account cannot copy files and folders to a floppy disk. 
+ ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/refresh-an-applocker-policy.md b/windows/keep-secure/refresh-an-applocker-policy.md index b94e1582a1..719bfb599b 100644 --- a/windows/keep-secure/refresh-an-applocker-policy.md +++ b/windows/keep-secure/refresh-an-applocker-policy.md 
@@ -2,39 +2,55 @@ title: Refresh an AppLocker policy (Windows 10) description: This topic for IT professionals describes the steps to force an update for an AppLocker policy. ms.assetid: 3f24fcbc-3926-46b9-a1a2-dd036edab8a9 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Refresh an AppLocker policy + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to force an update for an AppLocker policy. + If you update the rule collection on a local computer by using the Local Security Policy snap-in, the policy will take effect immediately. If Group Policy is used to distribute the AppLocker policy and you want to immediately implement the policy, you must manually refresh the policy. The Group Policy refresh might take several minutes, depending upon the number of policies within the Group Policy Object (GPO) and the number of target computers. + To use Group Policy to distribute the AppLocker policy change, you need to retrieve the deployed AppLocker policy first. To prepare for the update and subsequent refresh, see [Edit an AppLocker policy](edit-an-applocker-policy.md) + [Edit an AppLocker policy](edit-an-applocker-policy.md) and [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md). + To complete this procedure, you must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. + **To manually refresh the AppLocker policy by using Group Policy** + 1. From a command prompt, type **gpupdate /force**, and then press ENTER. 2. When the command finishes, close the command prompt window, and then verify that the intended rule behavior is correct. You can do this by checking the AppLocker event logs for events that include "policy applied." 
-To change a policy on an individual computer, or to implement that policy on other computers, without using Group Policy, you first need to update the rule within the rule collection. For information about updating existing rules, see [Edit AppLocker rules](edit-applocker-rules.md). For information about creating a new rule for an existing policy, see: + +To change a policy on an individual computer, or to implement that policy on other computers, without using Group Policy, you first need to update the rule within the rule collection. For information about updating existing rules, see [Edit AppLocker rules](edit-applocker-rules.md). For information +about creating a new rule for an existing policy, see: - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) - [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) - [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) + Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + **To refresh the AppLocker policy on the local computer** + - Update the rule collection by using the Local Security Policy console with one of the following procedures: + - [Edit AppLocker rules](edit-applocker-rules.md) - [Delete an AppLocker rule](delete-an-applocker-rule.md) - [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) + When finished, the policy is in effect. + To make the same change on another device, you can use any of the following methods: + - From the device that you made the change on, export the AppLocker policy, and then import the policy onto the other device. To do this, use the AppLocker **Export Policy** and **Import Policy** features to copy the rules from the changed computer. 
- **Caution**   - When importing rules from another computer, all the rules will be applied, not just the one that was updated. Merging policies allows both existing and updated (or new) rules to be applied. + + >**Caution:**  When importing rules from another computer, all the rules will be applied, not just the one that was updated. Merging policies allows both existing and updated (or new) rules to be applied.   - Merge AppLocker policies. For procedures to do this, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) and [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). -  -  diff --git a/windows/keep-secure/registry-global-object-access-auditing.md b/windows/keep-secure/registry-global-object-access-auditing.md index cf9eaa2938..b734cec46b 100644 --- a/windows/keep-secure/registry-global-object-access-auditing.md +++ b/windows/keep-secure/registry-global-object-access-auditing.md 
@@ -2,19 +2,24 @@ title: Registry (Global Object Access Auditing) (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Registry (Global Object Access Auditing), which enables you to configure a global system access control list (SACL) on the registry of a computer. ms.assetid: 953bb1c1-3f76-43be-ba17-4aed2304f578 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Registry (Global Object Access Auditing) + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Registry (Global Object Access Auditing)**, which enables you to configure a global system access control list (SACL) on the registry of a computer. + If you select the **Configure security** check box on this policy’s property page, you can add a user or group to the global SACL. This enables you to define computer system access control lists (SACLs) per object type for the registry. The specified SACL is then automatically applied to every registry object type. + This policy setting must be used in combination with the **Registry** security policy setting under Object Access. For more info, see [Audit Registry](audit-registry.md). + ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) diff --git a/windows/keep-secure/remove-computer-from-docking-station.md b/windows/keep-secure/remove-computer-from-docking-station.md index fa16818895..ee3b81a7d3 100644 --- a/windows/keep-secure/remove-computer-from-docking-station.md +++ b/windows/keep-secure/remove-computer-from-docking-station.md 
@@ -2,93 +2,96 @@ title: Remove computer from docking station (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Remove computer from docking station security policy setting. ms.assetid: 229a385a-a862-4973-899a-413b1b5b6c30 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Remove computer from docking station + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Remove computer from docking station** security policy setting. + ## Reference + This security setting determines whether a user can undock a portable device from its docking station without logging on. This policy setting only affects scenarios that involve a portable computer and its docking station. + If this user right is assigned to the user’s account (or if the user is a member of the assigned group), the user must log on before removing the portable device from its docking station. Otherwise, as a security measure, the user will not be able to log on after the device is removed from the docking station. If this policy is not assigned, the user may remove the portable device from its docking station without logging on, and then have the ability to start and log on to the device afterwards in its undocked state. + Constant: SeUndockPrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - Assign this user right to only those accounts that are permitted to use the portable device. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + Although this portable device scenario does not normally apply to servers, by default this setting is Administrators on domain controllers and on stand-alone servers. 
+ The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Anyone who has the **Remove computer from docking station** user right can log on and then remove a portable device from its docking station. If this setting is not defined, it has the same effect as if everyone was granted this right. However, the value of implementing this countermeasure is reduced by the following factors: + - If attackers can restart the device, they could remove it from the docking station after the BIOS starts but before the operating system starts. - This setting does not affect servers because they typically are not installed in docking stations. - An attacker could steal the device and the docking station together. 
- Devices that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality. + ### Countermeasure + Ensure that only the local Administrators group and the user account to which the device is allocated are assigned the **Remove computer from docking station** user right. + ### Potential impact + By default, only members of the local Administrators group are granted this right. Other user accounts must be explicitly granted this user right as necessary. If your organization's users are not members of the local Administrators groups on their portable devices, they cannot remove their portable devices from their docking stations if they do not first shut down the device. Therefore, you may want to assign the **Remove computer from docking station** privilege to the local Users group for portable devices. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/replace-a-process-level-token.md b/windows/keep-secure/replace-a-process-level-token.md index 237f74debf..5361f2a589 100644 --- a/windows/keep-secure/replace-a-process-level-token.md +++ b/windows/keep-secure/replace-a-process-level-token.md 
@@ -2,96 +2,94 @@ title: Replace a process level token (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Replace a process level token security policy setting. ms.assetid: 5add02db-6339-489e-ba21-ccc3ccbe8745 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Replace a process level token + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Replace a process level token** security policy setting. + ## Reference + This policy setting determines which parent processes can replace the access token that is associated with a child process. + Specifically, the **Replace a process level token** setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start another. An example of a process that uses this user right is Task Scheduler, where the user right is extended to any processes that can be managed by Task Scheduler. + An access token is an object that describes the security context of a process or thread. The information in a token includes the identity and privileges of the user account that is associated with the process or thread. With this user right, every child process that runs on behalf of this user account would have its access token replaced with the process level token. + Constant: SeAssignPrimaryTokenPrivilege + ### Possible values + - User-defined list of accounts - Defaults - Not defined + ### Best practices + - For member servers, ensure that only the Local Service and Network Service accounts have the **Replace a process level token** user right. 
+ ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Network Service and Local Service on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Network Service

-

Local Service

Stand-Alone Server Default Settings

Network Service

-

Local Service

Domain Controller Effective Default Settings

Network Service

-

Local Service

Member Server Effective Default Settings

Network Service

-

Local Service

Client Computer Effective Default Settings

Network Service

-

Local Service

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Network Service
Local Service | +| Stand-Alone Server Default Settings | Network Service
Local Service| +| Domain Controller Effective Default Settings | Network Service
Local Service| +| Member Server Effective Default Settings | Network Service
Local Service| +| Client Computer Effective Default Settings | Network Service
Local Service|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users with the **Replace a process level token** user right can start processes as another user if they know the user’s credentials. + ### Countermeasure + For member servers, ensure that only the Local Service and Network Service accounts have the **Replace a process level token** user right. + ### Potential impact + On most computers, restricting the **Replace a process level token** user right to the Local Service and the Network Service built-in accounts is the default configuration, and there is no negative impact. However, if you have installed optional components such as ASP.NET or IIS, you may need to assign the **Replace a process level token** user right to additional accounts. For example, IIS requires that the Service, Network Service, and IWAM\_*<ComputerName>* accounts be explicitly granted this user right. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) 
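Review bot: the Potential impact paragraph of replace-a-process-level-token.md names an account that appears nowhere else on the page: `For example, IIS requires that the Service, Network Service, and IWAM\_*<ComputerName>* accounts be explicitly granted this user right.` Every other mention on the page (Best practices, Default values, Countermeasure) pairs Network Service with Local Service, so the bare "Service" looks like a dropped word and should be checked and, if intended, changed to `Local Service`. Since the hunk rewrites the default-values table, it is also the place to confirm that the raw `<br>` used for the two-account cells (`| Default Domain Controller Policy | Network Service<br>Local Service |`) matches the convention used in the other converted tables, which are all single-value and so give no precedent.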
diff --git a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md new file mode 100644 index 0000000000..890eaf1d99 --- /dev/null +++ b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md 
@@ -0,0 +1,40 @@ +--- +title: Require Encryption When Accessing Sensitive Network Resources (Windows 10) +description: Require Encryption When Accessing Sensitive Network Resources +ms.assetid: da980d30-a68b-4e2a-ba63-94726355ce6f +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Require Encryption When Accessing Sensitive Network Resources + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +The use of authentication in the previously described goal ([Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it does not prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets are not encrypted. + +For devices that share sensitive information over the network, Windows Firewall with Advanced Security allows you to require that all such network traffic be encrypted. Using encryption can help you comply with regulatory and legislative requirements such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. By creating connection security rules that apply to devices that host and exchange sensitive data, you can help protect the confidentiality of that data by encrypting it. + +The following illustration shows an encryption zone in an isolated domain. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory. + +![encryption zone in an isolated domain](images/wfas-domainisoencrypt.gif) + +This goal provides the following benefits: + +- Devices in the encryption zone require authentication to communicate with other devices. 
This works no differently from the domain isolation goal and design. For more info, see [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md). + +- Devices in the encryption zone require that all inbound and outbound network traffic be encrypted. + + For example, Woodgrove Bank processes sensitive customer data on a device that must be protected from eavesdropping by devices on the network. Connection security rules specify that all traffic must be encrypted by a sufficiently complex encryption algorithm to help protect the data. + +- Devices in the encryption zone are often good candidates for server isolation, where access is limited to only computer accounts and user accounts that are members of an authorized access group. In many organizations, the encryption zone and the server isolation zone are one and the same. For more info, see [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md). + +The following components are required for this deployment goal: + +- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain. + +**Next: **[Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md) diff --git a/windows/keep-secure/requirements-for-deploying-applocker-policies.md b/windows/keep-secure/requirements-for-deploying-applocker-policies.md index 996718cd10..e3b6c29aa7 100644 --- a/windows/keep-secure/requirements-for-deploying-applocker-policies.md +++ b/windows/keep-secure/requirements-for-deploying-applocker-policies.md 
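Review bot: The closing line `**Next: **[Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)` puts the space inside the bold markers, so the closing `**` is not a valid emphasis delimiter and the asterisks will show literally in the rendered topic; write `**Next:** [Restrict Access to Only Specified Users or Devices](...)` instead. The three benefit bullets and the Active Directory requirement read fine.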
@@ -2,23 +2,30 @@ title: Requirements for deploying AppLocker policies (Windows 10) description: This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. ms.assetid: 3e55bda2-3cd7-42c7-bad3-c7dfbe193d48 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Requirements for deploying AppLocker policies + **Applies to** - Windows 10 + This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. + The following requirements must be met or addressed before you deploy your AppLocker policies: - [Deployment plan](#bkmk-reqdepplan) - [Supported operating systems](#bkmk-reqsupportedos) - [Policy distribution mechanism](#bkmk-reqpolicydistmech) - [Event collection and analysis system](#bkmk-reqeventcollectionsystem) + ### Deployment plan + An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). + @@ -116,6 +123,7 @@ An AppLocker policy deployment plan is the result of investigating which applica
  **Event processing policy** + @@ -153,6 +161,7 @@ An AppLocker policy deployment plan is the result of investigating which applica
  **Policy maintenance policy** + @@ -194,15 +203,20 @@ An AppLocker policy deployment plan is the result of investigating which applica
  ### Supported operating systems + AppLocker is supported only on certain operating systems. Some features are not available on all operating systems. For more information, see [Requirements to use AppLocker](requirements-to-use-applocker.md). + ### Policy distribution mechanism + You need a way to distribute the AppLocker policies throughout the targeted business groups. AppLocker uses Group Policy management architecture to effectively distribute application control policies. AppLocker policies can also be configured on individual computers by using the Local Security Policy snap-in. + ### Event collection and analysis system + Event processing is important to understand application usage. You must have a process in place to collect and analyze AppLocker events so that application usage is appropriately restricted and understood. For procedures to monitor AppLocker events, see: - [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) - [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md) - [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) + ## See also -[AppLocker deployment guide](applocker-policies-deployment-guide.md) -  -  + +- [AppLocker deployment guide](applocker-policies-deployment-guide.md) diff --git a/windows/keep-secure/requirements-to-use-applocker.md b/windows/keep-secure/requirements-to-use-applocker.md index db3259ce0a..6389eb2755 100644 --- a/windows/keep-secure/requirements-to-use-applocker.md +++ b/windows/keep-secure/requirements-to-use-applocker.md 
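Review bot: The first hunk of requirements-for-deploying-applocker-policies.md leaves the sentence ending `(as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md).` without its closing parenthesis; since a blank line is being added directly after it, fix the line to end `(as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md)).` The remaining hunks (blank lines around the policy tables and headings, bulleted See also list) are fine.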
@@ -2,211 +2,60 @@ title: Requirements to use AppLocker (Windows 10) description: This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. ms.assetid: dc380535-071e-4794-8f9d-e5d1858156f0 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Requirements to use AppLocker + **Applies to** - Windows 10 + This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. + ## General requirements + To use AppLocker, you need: + - A device running a supported operating system to create the rules. The computer can be a domain controller. - For Group Policy deployment, at least one device with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules. - Devices running a supported operating system to enforce the AppLocker rules that you create. -**Note**   -You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md). + +>**Note:**  You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md).   ## Operating system requirements + The following table show the on which operating systems AppLocker features are supported. - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
VersionCan be configuredCan be enforcedAvailable rulesNotes

Windows 10

Yes

Yes

Packaged apps

-

Executable

-

Windows Installer

-

Script

-

DLL

You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise and Windows Server 2016 Technical Preview.

Windows Server 2012 R2

Yes

Yes

Packaged apps

-

Executable

-

Windows Installer

-

Script

-

DLL

Windows 8.1

Yes

Yes

Packaged apps

-

Executable

-

Windows Installer

-

Script

-

DLL

Only the Enterprise edition supports AppLocker

Windows RT 8.1

No

No

N/A

Windows Server 2012 Standard

Yes

Yes

Packaged apps

-

Executable

-

Windows Installer

-

Script

-

DLL

Windows Server 2012 Datacenter

Yes

Yes

Packaged apps

-

Executable

-

Windows Installer

-

Script

-

DLL

Windows 8 Pro

No

No

N/A

Windows 8 Enterprise

Yes

Yes

Packaged apps

-

Executable

-

Windows Installer

-

Script

-

DLL

Windows RT

No

No

N/A

Windows Server 2008 R2 Standard

Yes

Yes

Executable

-

Windows Installer

-

Script

-

DLL

Packaged app rules will not be enforced.

Windows Server 2008 R2 Enterprise

Yes

Yes

Executable

-

Windows Installer

-

Script

-

DLL

Packaged app rules will not be enforced.

Windows Server 2008 R2 Datacenter

Yes

Yes

Executable

-

Windows Installer

-

Script

-

DLL

Packaged app rules will not be enforced.

Windows Server 2008 R2 for Itanium-Based Systems

Yes

Yes

Executable

-

Windows Installer

-

Script

-

DLL

Packaged app rules will not be enforced.

Windows 7 Ultimate

Yes

Yes

Executable

-

Windows Installer

-

Script

-

DLL

Packaged app rules will not be enforced.

Windows 7 Enterprise

Yes

Yes

Executable

-

Windows Installer

-

Script

-

DLL

Packaged app rules will not be enforced.

Windows 7 Professional

Yes

No

Executable

-

Windows Installer

-

Script

-

DLL

No AppLocker rules are enforced.

+ +| Version | Can be configured | Can be enforced | Available rules | Notes | +| - | - | - | - | - | +| Windows 10| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise and Windows Server 2016 Technical Preview. | +| Windows Server 2012 R2| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| | +| Windows 8.1| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| Only the Enterprise edition supports AppLocker| +| Windows RT 8.1| No| No| N/A|| +| Windows Server 2012 Standard| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL|| +| Windows Server 2012 Datacenter| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL|| +| Windows 8 Pro| No| No| N/A|| +| Windows 8 Enterprise| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL|| +| Windows RT| No| No| N/A| | +| Windows Server 2008 R2 Standard| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules will not be enforced.| +| Windows Server 2008 R2 Enterprise|Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules will not be enforced.| +| Windows Server 2008 R2 Datacenter| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules will not be enforced.| +| Windows Server 2008 R2 for Itanium-Based Systems| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules will not be enforced.| +| Windows 7 Ultimate| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules will not be enforced.| +| Windows 7 Enterprise| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules will not be enforced.| +| Windows 7 Professional| Yes| No| Executable
Windows Installer
Script
DLL| No AppLocker rules are enforced.|   + AppLocker is not supported on versions of the Windows operating system not listed above. Software Restriction Policies can be used with those versions. However, the SRP Basic User feature is not supported on the above operating systems. + ## See also -[Administer AppLocker](administer-applocker.md) -[Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) -[Optimize AppLocker performance](optimize-applocker-performance.md) -[Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md) -[Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) -[AppLocker Design Guide](applocker-policies-design-guide.md) -  -  +- [Administer AppLocker](administer-applocker.md) +- [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) +- [Optimize AppLocker performance](optimize-applocker-performance.md) +- [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md) +- [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) +- [AppLocker Design Guide](applocker-policies-design-guide.md) diff --git a/windows/keep-secure/reset-account-lockout-counter-after.md b/windows/keep-secure/reset-account-lockout-counter-after.md index 04fdcce682..d3e6f545ed 100644 --- a/windows/keep-secure/reset-account-lockout-counter-after.md +++ b/windows/keep-secure/reset-account-lockout-counter-after.md 
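Review bot: The context line `The following table show the on which operating systems AppLocker features are supported.` is ungrammatical; while the table beneath it is being converted to Markdown, change it to `The following table shows the operating systems on which AppLocker features are supported.` Also confirm that the multi-value cells in the Available rules column (Packaged apps, Executable, Windows Installer, Script, DLL) use an explicit line-break tag rather than real newlines, because a Markdown table row must stay on one line or the table will not render.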
@@ -2,76 +2,68 @@ title: Reset account lockout counter after (Windows 10) description: Describes the best practices, location, values, and security considerations for the Reset account lockout counter after security policy setting. ms.assetid: d5ccf6dd-5ba7-44a9-8e0b-c478d8b1442c -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Reset account lockout counter after + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Reset account lockout counter after** security policy setting. + ## Reference + The **Reset account lockout counter after** policy setting determines the number of minutes that must elapse from the time a user fails to log on before the failed logon attempt counter is reset to 0. If [Account lockout threshold](account-lockout-threshold.md) is set to a number greater than zero, this reset time must be less than or equal to the value of [Account lockout duration](account-lockout-duration.md). + A disadvantage to setting this too high is that users lock themselves out for an inconveniently long period if they exceed the account lockout threshold through logon errors. Users may make excessive Help Desk calls. + ### Possible values + - A user-defined number of minutes from 1 through 99,999 - Not defined + ### Best practices + - You need to determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements. + ### Location + **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy** + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or Group Policy Object (GPO)Default value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not applicable

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not applicable

+ +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not applicable| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not applicable|   ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users can accidentally lock themselves out of their accounts if they mistype their password multiple times. + ### Countermeasure + Configure the **Reset account lockout counter after** policy setting to 30. + ### Potential impact + If you do not configure this policy setting or if the value is configured to an interval that is too long, an attacker could attempt to log on to each user's account numerous times and lock out their accounts, a denial-of-service (DoS) attack might succeed, or administrators might have to manually unlock all locked-out accounts. If you configure this policy setting to a reasonable value, users can perform new attempts to log on after a failed logon within a reasonable time, without making brute force attacks feasible at high speeds. Be sure that you notify users of the values that are used for this policy setting so that they wait for the lockout timer to expire before they call the Help Desk. + ## Related topics -[Account Lockout Policy](account-lockout-policy.md) -  -  + +- [Account Lockout Policy](account-lockout-policy.md) diff --git a/windows/keep-secure/restore-files-and-directories.md b/windows/keep-secure/restore-files-and-directories.md index dc9f47c01a..e8bb7e6f85 100644 --- a/windows/keep-secure/restore-files-and-directories.md 
+++ b/windows/keep-secure/restore-files-and-directories.md 
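Review bot: In reset-account-lockout-counter-after.md, the Countermeasure `Configure the **Reset account lockout counter after** policy setting to 30.` states no unit; since the Reference section defines the setting as a number of minutes, write `to 30 minutes` so the value cannot be misread. The rest of that hunk (table conversion, front matter reorder, bulleted Related topics) is consistent with the other policy topics in this change.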
@@ -2,102 +2,97 @@ title: Restore files and directories (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Restore files and directories security policy setting. ms.assetid: c673c0fa-6f49-4edd-8c1f-c5e8513f701d -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Restore files and directories + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Restore files and directories** security policy setting. + ## Reference + This security setting determines which users can bypass file, directory, registry, and other persistent object permissions when they restore backed up files and directories, and it determines which users can set valid security principals as the owner of an object. + Granting this user right to an account is similar to granting the account the following permissions to all files and folders on the system: + - **Traverse folder / execute file** - **Write** + Constant: SeRestorePrivilege + ### Possible values + - User-defined list of accounts - Defaults - Not Defined + ### Best practices + - Users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, so only assign this user right to trusted users. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, this right is granted to the Administrators, Backup Operators, and Server Operators groups on domain controllers, and to the Administrators and Backup Operators groups on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Default Domain Controller Policy

Administrators

-

Backup Operators

-

Server Operators

Stand-Alone Server Default Settings

Administrators

-

Backup Operators

Domain Controller Effective Default Settings

Administrators

-

Backup Operators

-

Server Operators

Member Server Effective Default Settings

Administrators

-

Backup Operators

Client Computer Effective Default Settings

Administrators

-

Backup Operators

+ +| Server type or GPO | Default value | +| - | - | +|Default Domain Policy | | +| Default Domain Controller Policy| Administrators
Backup Operators
Server Operators| +| Stand-Alone Server Default Settings | Administrators
Backup Operators| +| Domain Controller Effective Default Settings | Administrators
Backup Operators
Server Operators| +| Member Server Effective Default Settings | Administrators
Backup Operators| +| Client Computer Effective Default Settings | Administrators
Backup Operators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + An attacker with the **Restore files and directories** user right could restore sensitive data to a computer and overwrite data that is more recent, which could lead to loss of important data, data corruption, or a denial-of-service condition. Attackers could overwrite executable files that are used by legitimate administrators or system services with versions that include malicious software to grant themselves elevated privileges, compromise data, or install programs that provide continued access to the device -**Note**   -Even if the following countermeasure is configured, an attacker could restore data to a computer in a domain that is controlled by the attacker. Therefore, it is critical that organizations carefully protect the media that are used to back up data. + +>**Note:**  Even if the following countermeasure is configured, an attacker could restore data to a computer in a domain that is controlled by the attacker. 
Therefore, it is critical that organizations carefully protect the media that are used to back up data.   ### Countermeasure + Ensure that only the local Administrators group is assigned the **Restore files and directories** user right unless your organization has clearly defined roles for backup and for restore personnel. + ### Potential impact + If you remove the **Restore files and directories** user right from the Backup Operators group and other accounts, users who are not members of the local Administrators group cannot load data backups. If restoring backups is delegated to a subset of IT staff in your organization, you should verify that this change does not negatively affect the ability of your organization's personnel to do their jobs. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md b/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md new file mode 100644 index 0000000000..049625343b --- /dev/null +++ b/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md 
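Review bot: The Vulnerability paragraph's context line ends `...install programs that provide continued access to the device` with no terminating period immediately before the converted Note callout; add the period while the adjacent lines are being edited. Also, this topic says `A restart of the computer is not required` while replace-a-process-level-token.md in the same change says `A restart of the device`; pick one term across the user rights topics.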
@@ -0,0 +1,44 @@ +--- +title: Restrict Access to Only Specified Users or Devices (Windows 10) +description: Restrict Access to Only Specified Users or Devices +ms.assetid: a6106a07-f9e5-430f-8dbd-06d3bf7406df +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Restrict Access to Only Specified Users or Computers + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) prevents devices that are members of the isolated domain from accepting network traffic from untrusted devices. However, some devices on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data. + +Windows Firewall with Advanced Security enables you to restrict access to devices and users that are members of domain groups authorized to access that device. These groups are called *network access groups (NAGs)*. When a device authenticates to a server, the server checks the group membership of the computer account and the user account, and grants access only if membership in the NAG is confirmed. Adding this check creates a virtual "secure zone" within the domain isolation zone. You can have multiple devices in a single secure zone, and it is likely that you will create a separate zone for each set of servers that have specific security access needs. Devices that are part of this server isolation zone are often also part of the encryption zone (see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)). 
+ +Restricting access to only users and devices that have a business requirement can help you comply with regulatory and legislative requirements, such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. + +You can restrict access by specifying either computer or user credentials. + +The following illustration shows an isolated server, and examples of devices that can and cannot communicate with it. Devices that are outside the Woodgrove corporate network, or computers that are in the isolated domain but are not members of the required NAG, cannot communicate with the isolated server. + +![isolated domain with network access groups](images/wfas-domainnag.gif) + +This goal, which corresponds to [Server Isolation Policy Design](server-isolation-policy-design.md), provides the following features: + +- Isolated servers accept unsolicited inbound network traffic only from devices or users that are members of the NAG. + +- Isolated servers can be implemented as part of an isolated domain, and treated as another zone. Members of the zone group receive a GPO with rules that require authentication, and that specify that only network traffic authenticated as coming from a member of the NAG is allowed. + +- Server isolation can also be configured independently of an isolated domain. To do so, configure only the devices that must communicate with the isolated server with connection security rules to implement authentication and check NAG membership. + +- A server isolation zone can be simultaneously configured as an encryption zone. To do this, configure the GPO with rules that force encryption in addition to requiring authentication and restricting access to NAG members. 
For more information, see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). + +The following components are required for this deployment goal: + +- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain. + +**Next: **[Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) diff --git a/windows/keep-secure/restrict-access-to-only-trusted-devices.md b/windows/keep-secure/restrict-access-to-only-trusted-devices.md new file mode 100644 index 0000000000..d2b47a2dbe --- /dev/null +++ b/windows/keep-secure/restrict-access-to-only-trusted-devices.md 
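Review bot: The H1 `# Restrict Access to Only Specified Users or Computers` does not match the front-matter `title: Restrict Access to Only Specified Users or Devices (Windows 10)`, the file name, or the links elsewhere in this change that refer to the topic as "Restrict Access to Only Specified Users or Devices"; rename the heading to `# Restrict Access to Only Specified Users or Devices`. The `**Next: **` line has the same bold-delimiter spacing problem as the other new isolation topics and should be `**Next:** [...]`.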
@@ -0,0 +1,54 @@ +--- +title: Restrict Access to Only Trusted Devices (Windows 10) +description: Restrict Access to Only Trusted Devices +ms.assetid: bc1f49a4-7d54-4857-8af9-b7c79f47273b +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Restrict Access to Only Trusted Devices + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Your organizational network likely has a connection to the Internet. You also likely have partners, vendors, or contractors who attach devices that are not owned by your organization to your network. Because you do not manage those devices, you cannot trust them to be free of malicious software, maintained with the latest security updates, or in any way in compliance with your organization's security policies. These untrustworthy devices both on and outside of your physical network must not be permitted to access your organization's devices except where it is truly required. + +To mitigate this risk, you must be able to isolate the devices you trust, and restrict their ability to receive unsolicited network traffic from untrusted devices. By using connection security and firewall rules available in Windows Firewall with Advanced Security, you can logically isolate the devices that you trust by requiring that all unsolicited inbound network traffic be authenticated. Authentication ensures that each device or user can positively identify itself by using credentials that are trusted by the other device. Connection security rules can be configured to use IPsec with the Kerberos V5 protocol available in Active Directory, or certificates issued by a trusted certification authority as the authentication method. 
+ +>**Note:**  Because the primary authentication method recommended for devices that are running Windows is to use the Kerberos V5 protocol with membership in an Active Directory domain, this guide refers to this logical separation of computers as *domain isolation*, even when certificates are used to extend the protection to devices that are not part of an Active Directory domain. + +The protection provided by domain isolation can help you comply with regulatory and legislative requirements, such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. + +The following illustration shows an isolated domain, with one of the zones that are optionally part of the design. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory. + +![domain isolation](images/wfas-domainiso.gif) + +These goals, which correspond to [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md), provide the following benefits: + +- Devices in the isolated domain accept unsolicited inbound network traffic only when it can be authenticated as coming from another device in the isolated domain. Exemption rules can be defined to allow inbound traffic from trusted computers that for some reason cannot perform IPsec authentication. + + For example, Woodgrove Bank wants all of its devices to block all unsolicited inbound network traffic from any device that it does not manage. The connection security rules deployed to domain member devices require authentication as a domain member or by using a certificate before an unsolicited inbound network packet is accepted. 
+ +- Devices in the isolated domain can still send outbound network traffic to untrusted devices and receive the responses to the outbound requests. + + For example, Woodgrove Bank wants its users at client devices to be able to access Web sites on the Internet. The default Windows Firewall with Advanced Security settings for outbound network traffic allow this. No additional rules are required. + +These goals also support optional zones that can be created to add customized protection to meet the needs of subsets of an organization's devices: + +- Devices in the "boundary zone" are configured to use connection security rules that request but do not require authentication. This enables them to receive unsolicited inbound network traffic from untrusted devices, and also to receive traffic from the other members of the isolated domain. + + For example, Woodgrove Bank has a server that must be accessed by its partners' devices through the Internet. The rules applied to devices in the boundary zone use authentication when the client device can support it, but do not block the connection if the client device cannot authenticate. + +- Devices in the "encryption zone" require that all network traffic in and out must be encrypted to secure potentially sensitive material when it is sent over the network. + + For example, Woodgrove Bank wants the devices running SQL Server to only transmit data that is encrypted to help protect the sensitive data stored on those devices. + +The following components are required for this deployment goal: + +- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain. + +**Next: **[Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md) 
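Review bot: the "Next:" link at the end of this hunk is written as `**Next: **[Require Encryption ...]`; the space before the closing `**` keeps Markdown from closing the bold run, so the label renders with literal asterisks. Move the space outside the markers (`**Next:** [Require Encryption ...]`) as the other new topics in this patch do for "Applies to". Also, the "required components" list names only Active Directory, yet the topic explicitly covers extending isolation to non-domain devices with certificates issued by a trusted certification authority; either add a PKI/certification authority entry to that list or qualify the list as applying to the Kerberos-only case.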
diff --git a/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md b/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md new file mode 100644 index 0000000000..85d7267abb --- /dev/null +++ b/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md 
@@ -0,0 +1,44 @@ +--- +title: Restrict Server Access to Members of a Group Only (Windows 10) +description: Restrict Server Access to Members of a Group Only +ms.assetid: ea51c55b-e1ed-44b4-82e3-3c4287a8628b +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Restrict Server Access to Members of a Group Only + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +After you have configured the IPsec connection security rules that force client devices to authenticate their connections to the isolated server, you must configure the rules that restrict access to only those devices or users who have been identified through the authentication process as members of the isolated server’s access group. + +In this topic: + +- [Create a firewall rule to access isolated servers running Windows Server 2008 or later](#to-create-a-firewall-rule-that-grants-access-to-an-isolated-server) + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +## To create a firewall rule that grants access to an isolated server + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). You must edit the GPO that applies settings to servers in the isolated server zone. + +2. In the navigation pane, right-click **Inbound Rules**, and then click **New Rule**. + +3. On the **Rule Type** page, click **Custom**, and then click **Next**. + +4. If you must restrict access to a single network program, then you can select **This program path**, and specify the program or service to which to grant access. Otherwise, click **All programs**, and then click **Next**. + +5. 
If you must restrict access to only some TCP or UDP port numbers, then enter the port numbers on the **Protocol and Ports** page. Otherwise, set **Protocol type** to **Any**, and then click **Next**. + +6. On the **Scope** page, select **Any IP address** for both local and remote addresses, and then click **Next**. + +7. On the **Action** page, click **Allow the connection if it is secure**. If required by your design, you can also click **Customize** and select **Require the connections to be encrypted**. Click **Next**. + +8. On the **Users and Computers** page, select the check box for the type of accounts (computer or user) you want to allow, click **Add**, and then enter the group account that contains the device and user accounts permitted to access the server. diff --git a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md index 9eb59d5dc1..9e6debeb0f 100644 --- a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md +++ b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md @@ -4,9 +4,10 @@ description: IT professionals can run a scan using the command line in Windows D keywords: scan, command line, mpcmdrun, defender search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/run-the-automatically-generate-rules-wizard.md b/windows/keep-secure/run-the-automatically-generate-rules-wizard.md index 105d076374..565f6331da 100644 --- a/windows/keep-secure/run-the-automatically-generate-rules-wizard.md +++ b/windows/keep-secure/run-the-automatically-generate-rules-wizard.md 
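Review bot: the procedure in restrict-server-access-to-members-of-a-group-only.md stops at step 8 (adding the group on the Users and Computers page) without the remaining wizard pages, so the reader never names the rule or finishes the wizard; add the closing step(s) so the rule is actually created. The in-topic link text "Create a firewall rule to access isolated servers running Windows Server 2008 or later" also does not match the heading it points to ("To create a firewall rule that grants access to an isolated server") and mentions an operating system the "Applies to" block does not list; make the link text match the heading.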
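Review bot: in the run-cmd-scan-windows-defender-for-windows-10.md hunk, `+ms.pagetype: security` is added below `ms.sitesec: library` while the unchanged context above it still contains `ms.pagetype: security`, so the front matter ends up with the key twice. Every other file in this patch first removes the old key (`-ms.pagetype: security`) before re-adding it after `ms.sitesec`; do the same here, or drop the added line.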
@@ -2,19 +2,26 @@ title: Run the Automatically Generate Rules wizard (Windows 10) description: This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device. ms.assetid: 8cad1e14-d5b2-437c-8f88-70cffd7b3d8e -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Run the Automatically Generate Rules wizard + **Applies to** - Windows 10 + This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device. + AppLocker allows you to automatically generate rules for all files within a folder. It will scan the specified folder and create the condition types that you choose for each file in that folder. + You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local device or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To automatically generate rules** + 1. Open the AppLocker console. 2. Right-click the appropriate rule type for which you want to automatically generate rules. You can automatically generate rules for executable, Windows Installer, script and packaged app rules. 3. Click **Automatically Generate Rules**. 
@@ -22,15 +29,13 @@ You can perform this task by using the Group Policy Management Console for an Ap 5. Click **Select** to choose the security group in which the default rules should be applied. By default, this is the **Everyone** group. 6. The wizard provides a name in the **Name to identify this set of rules** box based on the name of the folder that you have selected. Accept the provided name or type a different name, and then click **Next**. 7. On the **Rule Preferences** page, choose the conditions that you want the wizard to use while creating rules, and then click **Next**. For more info about rule conditions, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). - **Note**   - The **Reduce the number of rules created by grouping similar files** check box is selected by default. This helps you organize AppLocker rules and reduce the number of rules that you create by performing the following operations for the rule condition that you select: + + >**Note:**  The **Reduce the number of rules created by grouping similar files** check box is selected by default. This helps you organize AppLocker rules and reduce the number of rules that you create by performing the following operations for the rule condition that you select: + - One publisher condition is created for all files that have the same publisher and product name. - One path condition is created for the folder that you select. For example, if you select *C:\\Program Files\\ProgramName\\* and the files in that folder are not signed, the wizard creates a rule for *%programfiles%\\ProgramName\\\**. - One file hash condition is created that contains all of the file hashes. When rule grouping is disabled, the wizard creates a file hash rule for each file.   8. Review the files that were analyzed and the rules that will be automatically created. To make changes, click **Previous** to return to the page where you can change your selections. 
After reviewing the rules, click **Create**. -**Note**   -If you are running the wizard to create your first rules for a GPO, you will be prompted to create the default rules, which allow critical system files to run, after completing the wizard. You may edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after replacing them with your custom rules. -  -  -  + +>**Note:**  If you are running the wizard to create your first rules for a GPO, you will be prompted to create the default rules, which allow critical system files to run, after completing the wizard. You may edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after replacing them with your custom rules. diff --git a/windows/keep-secure/script-rules-in-applocker.md b/windows/keep-secure/script-rules-in-applocker.md index 5f1570086a..6fd0ec9196 100644 --- a/windows/keep-secure/script-rules-in-applocker.md +++ b/windows/keep-secure/script-rules-in-applocker.md 
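Review bot: the note converted at step 7 is now a `>**Note:**` blockquote, but the three bullets that belong to it ("One publisher condition is created...", "One path condition...", "One file hash condition...") follow a blank line and carry no `>` prefix, so they render as a separate list outside the note rather than as its content. Either prefix each bullet with `>` or fold them into the note paragraph. Minor wording point in the unchanged context of step 5: "the security group in which the default rules should be applied" reads better as "to which the rules should apply".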
@@ -2,61 +2,35 @@ title: Script rules in AppLocker (Windows 10) description: This topic describes the file formats and available default rules for the script rule collection. ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Script rules in AppLocker + **Applies to** - Windows 10 + This topic describes the file formats and available default rules for the script rule collection. + AppLocker defines script rules to include only the following file formats: - .ps1 - .bat - .cmd - .vbs - .js + The following table lists the default rules that are available for the script rule collection. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PurposeNameUserRule condition type

Allows members of the local Administrators group to run all scripts

(Default Rule) All scripts

BUILTIN\Administrators

Path: *

Allow all users to run scripts in the Windows folder

(Default Rule) All scripts located in the Windows folder

Everyone

Path: %windir%\*

Allow all users to run scripts in the Program Files folder

(Default Rule) All scripts located in the Program Files folder

Everyone

Path: %programfiles%\*

+ +| Purpose | Name | User | Rule condition type | +| - | - | - | - | +| Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: *| +| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: %windir%\*| +| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: %programfiles%\*|   ## Related topics -[Understanding AppLocker default rules](understanding-applocker-default-rules.md) -  -  + +- [Understanding AppLocker default rules](understanding-applocker-default-rules.md) diff --git a/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md b/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md index 768c9de4a0..e3f6f2ce53 100644 --- a/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md +++ b/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md 
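Review bot: in the new Markdown table in script-rules-in-applocker.md, the cells `%windir%\*` and `%programfiles%\*` contain a backslash followed by an asterisk, which Markdown treats as an escape; the rendered rule conditions will read `%windir%*` and `%programfiles%*`, losing the path separator the HTML table carried. Escape the backslash as this same patch already does in run-the-automatically-generate-rules-wizard.md (`%programfiles%\\ProgramName\\\*`), and check the bare `*` in the BUILTIN\Administrators row for the same reason. The stray non-breaking-space line left after the table (before "## Related topics") can also be dropped.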
@@ -2,22 +2,28 @@ title: Advanced security audit policy settings (Windows 10) description: Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate. ms.assetid: 6BF9A642-DBC3-4101-94A3-B2316C553CE3 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Advanced security audit policy settings + **Applies to** - Windows 10 + Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate. + The security audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as: + - A group administrator has modified settings or data on servers that contain finance information. - An employee within a defined group has accessed an important file. - The correct system access control list (SACL) is applied to every file and folder or registry key on a computer or file share as a verifiable safeguard against undetected access. + You can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local device or by using Group Policy. + These Advanced Audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity. + For more info, see [Advanced security audit policies](advanced-security-auditing.md). -  -  
diff --git a/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md new file mode 100644 index 0000000000..fa9c66bfb4 --- /dev/null +++ b/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md 
@@ -0,0 +1,189 @@ +--- +title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 (Windows 10) +description: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Securing End-to-End IPsec connections by using IKEv2 + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +IKEv2 offers the following: + +- Supports IPsec end-to-end transport mode connections + +- Provides interoperability for Windows with other operating systems that use IKEv2 for end-to-end security + +- Supports Suite B (RFC 4869) requirements + +- Coexists with existing policies that deploy AuthIP/IKEv1 + +- Uses the Windows PowerShell interface exclusively for configuration. You cannot configure IKEv2 through the user interface. + +- Uses certificates for the authentication mechanism + +You can use IKEv2 as a virtual private network (VPN) tunneling protocol that supports automatic VPN reconnection. IKEv2 allows the security association to remain unchanged despite changes in the underlying connection. + +**In this document** + +- [Prerequisites](#prerequisites) + +- [Devices joined to a domain](#devices-joined-to-a-domain) + +- [Device not joined to a domain](#devices-not-joined-to-a-domain) + +- [Troubleshooting](#troubleshooting) + +>**Note:**  This topic includes sample Windows PowerShell cmdlets. For more info, see [How to Run a Windows PowerShell Cmdlet](http://go.microsoft.com/fwlink/p/?linkid=230693). + +## Prerequisites + +These procedures assume that you already have a public key infrastructure (PKI) in place for device authentication. + +## Devices joined to a domain + +The following Windows PowerShell script establishes a connection security rule that uses IKEv2 for communication between two computers (CLIENT1 and SERVER1) that are joined to the corp.contoso.com domain as shown in Figure 1. 
+ +![the contoso corporate network](images/corpnet.gif) + +**Figure 1** The Contoso corporate network + +This script does the following: + +- Creates a security group called **IPsec client and servers** and adds CLIENT1 and SERVER1 as members. + +- Creates a Group Policy Object (GPO) called **IPsecRequireInRequestOut** and links it to the corp.contoso.com domain. + +- Sets the permissions to the GPO so that they apply only to the computers in **IPsec client and servers** and not to **Authenticated Users**. + +- Indicates the certificate to use for authentication. + + >**Important:**  The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors. + +- Creates the IKEv2 connection security rule called **My IKEv2 Rule**. + +![powershell logo](images/powershelllogosmall.gif)**Windows PowerShell commands** + +Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. 
+ +``` syntax +# Create a Security Group for the computers that will get the policy +$pathname = (Get-ADDomain).distinguishedname +New-ADGroup -name "IPsec client and servers" -SamAccountName "IPsec client and servers" ` +-GroupCategory security -GroupScope Global -path $pathname + +# Add test computers to the Security Group +$computer = Get-ADComputer -LDAPFilter "(name=client1)" +Add-ADGroupMember -Identity "IPsec client and servers" -Members $computer +$computer = Get-ADComputer -LDAPFilter "(name=server1)" +Add-ADGroupMember -Identity "IPsec client and servers" -Members $computer + +# Create and link the GPO to the domain +$gpo = New-gpo IPsecRequireInRequestOut +$gpo | new-gplink -target "dc=corp,dc=contoso,dc=com" -LinkEnabled Yes + +# Set permissions to security group for the GPO +$gpo | Set-GPPermissions -TargetName "IPsec client and servers" -TargetType Group -PermissionLevel GpoApply -Replace +$gpo | Set-GPPermissions -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None -Replace + +#Set up the certificate for authentication +$gponame = "corp.contoso.com\IPsecRequireInRequestOut" +$certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA" +$myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop –PolicyStore GPO:$gponame + +#Create the IKEv2 Connection Security rule +New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet $myauth.InstanceID ` +-InboundSecurity Require -OutboundSecurity Request -KeyModule IKEv2 -PolicyStore GPO:$gponame +``` + +## Devices not joined to a domain + +Use a Windows PowerShell script similar to the following to create a local IPsec policy on the devices that you want to include in the secure connection. 
+ +>**Important:**  The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors. + +![powershell logo](images/powershelllogosmall.gif)**Windows PowerShell commands** + +Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. + +``` syntax +#Set up the certificate +$certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA" +$myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop + +#Create the IKEv2 Connection Security rule +New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet $myauth.InstanceID ` +-InboundSecurity Require -OutboundSecurity Request -KeyModule IKEv2 +``` + +Make sure that you install the required certificates on the participating computers. + +>**Note:**   +- For local devices, you can import the certificates manually if you have administrator access to the computer. For more info, see [Import or export certificates and private keys](http://windows.microsoft.com/windows-vista/Import-or-export-certificates-and-private-keys). +- You need a root certificate and a computer certificate on all devices that participate in the secure connection. Save the computer certificate in the **Personal/Certificates** folder. +- For remote devices, you can create a secure website to facilitate access to the script and certificates. + +## Troubleshooting + +Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections: + +**Use the Windows Firewall with Advanced Security snap-in to verify that a connection security rule is enabled.** + +1. Open the Windows Firewall with Advanced Security console. + +2. 
In the left pane of the Windows Firewall with Advanced Security snap-in, click **Connection Security Rules**, and then verify that there is an enabled connection security rule. + +3. Expand **Monitoring**, and then click **Connection Security Rules** to verify that your IKEv2 rule is active for your currently active profile. + +**Use Windows PowerShell cmdlets to display the security associations.** + +1. Open a Windows PowerShell command prompt. + +2. Type **get-NetIPsecQuickModeSA** to display the Quick Mode security associations. + +3. Type **get-NetIPsecMainModeSA** to display the Main Mode security associations. + +**Use netsh to capture IPsec events.** + +1. Open an elevated command prompt. + +2. At the command prompt, type **netsh wfp capture start**. + +3. Reproduce the error event so that it can be captured. + +4. At the command prompt, type **netsh wfp capture stop**. + + A wfpdiag.cab file is created in the current folder. + +5. Open the cab file, and then extract the wfpdiag.xml file. + +6. Open the wfpdiag.xml file with your an XML viewer program or Notepad, and then examine the contents. There will be a lot of data in this file. One way to narrow down where to start looking is to search the last “errorFrequencyTable” at the end of the file. There might be many instances of this table, so make sure that you look at the last table in the file. For example, if you have a certificate problem, you might see the following entry in the last table at the end of the file: + + ``` syntax + + ERROR_IPSEC_IKE_NO_CERT + 32 + + ``` + In this example, there are 32 instances of the **ERROR\_IPSEC\_IKE\_NO\_CERT** error. So now you can search for **ERROR\_IPSEC\_IKE\_NO\_CERT** to get more details regarding this error. + +You might not find the exact answer for the issue, but you can find good hints. For example, you might find that there seems to be an issue with the certificates, so you can look at your certificates and the related cmdlets for possible issues. 
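Review bot: the front matter of securing-end-to-end-ipsec-connections-by-using-ikev2.md titles the topic "...in Windows Server 2012" while the body's "Applies to" block lists Windows 10 and Windows Server 2016 Technical Preview, and unlike the other new topics in this patch it has no `ms.assetid`; align the title with the body and add the id. In the domain-joined script the `New-NetIPsecPhase1AuthSet` line uses an en dash before `PolicyStore` (`–PolicyStore GPO:$gponame`) rather than an ASCII hyphen; a reader who retypes it from a rendered page will get a parse error, so use `-PolicyStore`. Both code fences are tagged `syntax`; tag them `powershell` so they highlight and so the "Type each cmdlet on a single line" caveat is less necessary. Smaller points: the "In this document" entry reads "Device not joined to a domain" while the heading is "Devices not joined to a domain"; "Suite B (RFC 4869)" should note that RFC 4869 has been obsoleted by RFC 6379; step 6 of the netsh procedure has "with your an XML viewer program"; and the fenced sample under that step shows only `ERROR_IPSEC_IKE_NO_CERT` and `32` with no surrounding XML element names, so the reader cannot tell what to search for in wfpdiag.xml.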
+ +## See also + +- [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) + +  + +  + + + + + diff --git a/windows/keep-secure/security-auditing-overview.md b/windows/keep-secure/security-auditing-overview.md index ee62474c85..cde9b0865f 100644 --- a/windows/keep-secure/security-auditing-overview.md +++ b/windows/keep-secure/security-auditing-overview.md @@ -2,42 +2,31 @@ title: Security auditing (Windows 10) description: Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network. ms.assetid: 2d9b8142-49bd-4a33-b246-3f0c2a5f32d4 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Security auditing + **Applies to** - Windows 10 + Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network. + ## + Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment. + For info on the changes that were added in Windows 10, see [Security auditing](../whats-new/security-auditing.md). + ## In this section - ---- - - - - - - - - - - - - - - - - -
TopicDescription

[Basic security audit policies](basic-security-audit-policies.md)

Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization.

[Advanced security audit policies](advanced-security-auditing.md)

Advanced security audit policy settings are found in Security Settings\Advanced Audit Policy Configuration\System Audit Policies and appear to overlap with basic security audit policies, but they are recorded and applied differently.

+| Topic | Description | +| - | - | +|[Basic security audit policies](basic-security-audit-policies.md) |Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization. | +|[Advanced security audit policies](advanced-security-auditing.md) |Advanced security audit policy settings are found in **Security Settings\Advanced Audit Policy Configuration\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently. |       diff --git a/windows/keep-secure/security-considerations-for-applocker.md b/windows/keep-secure/security-considerations-for-applocker.md index 023305b4f1..f7c0df0eab 100644 --- a/windows/keep-secure/security-considerations-for-applocker.md +++ b/windows/keep-secure/security-considerations-for-applocker.md 
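Review bot: this hunk in security-auditing-overview.md adds a bare `+ ## +` line, an empty second-level heading with no text, before the "Security auditing is one of the most powerful tools" paragraph; give it a title or remove it. The first sentence (and the `description` front matter it mirrors) has a number disagreement: "Topics in this section are for IT professionals and describes" should be "describe". The run of non-breaking spaces left after the new Markdown table, before the next `diff --git`, can also be dropped.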
@@ -2,33 +2,45 @@ title: Security considerations for AppLocker (Windows 10) description: This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. ms.assetid: 354a5abb-7b31-4bea-a442-aa9666117625 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Security considerations for AppLocker + **Applies to** - Windows 10 + This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. -The purpose of AppLocker is to restrict the access to software, and therefore, the data accessed by the software, to a specific group of users or within a defined business group. The following are security considerations for AppLocker: + +The purpose of AppLocker is to restrict the access to software, and therefore, the data accessed by the software, to a specific group of users or within a defined business group. The following are security considerations for +AppLocker: + AppLocker is deployed within an enterprise and administered centrally by those in IT with trusted credentials. This makes its policy creation and deployment conform to similar policy deployment processes and security restrictions. + AppLocker policies are distributed through known processes and by known means within the domain through Group Policy. But AppLocker policies can also be set on individual computers if the person has administrator privileges, and those policies might be contrary to the organization's written security policy. The enforcement settings for local policies are overridden by the same AppLocker policies in a Group Policy Object (GPO). However, because AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer. + Microsoft does not provide a way to develop any extensions to AppLocker. The interfaces are not public. 
A user with administrator credentials can automate some AppLocker processes by using Windows PowerShell cmdlets. For info about the Windows PowerShell cmdlets for AppLocker, see the [AppLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/ee460962.aspx). + AppLocker runs in the context of Administrator or LocalSystem, which is the highest privilege set. This security context has the potential of misuse. If a user with administrative credentials makes changes to an AppLocker policy on a local device that is joined to a domain, those changes could be overwritten or disallowed by the GPO that contains the AppLocker rule for the same file (or path) that was changed on the local device. However, because AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer. If the local computer is not joined to a domain and is not administered by Group Policy, a person with administrative credentials can alter the AppLocker policy. + When securing files in a directory with a rule of the path condition type, whether using the allow or deny action on the rule, it is still necessary and good practice to restrict access to those files by setting the access control lists (ACLs) according to your security policy. + AppLocker does not protect against running 16-bit DOS binaries in the Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or later when there is already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it is a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the executable rule collection for NTVDM.exe. 
+ You cannot use AppLocker (or Software Restriction Policies) to prevent code from running outside the Win32 subsystem. In particular, this applies to the (POSIX) subsystem in Windows NT. If it is a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem. + AppLocker can only control VBScript, JScript, .bat files, .cmd files, and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example, Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (\*.bat) run within the context of the Windows Command Host (cmd.exe). To control interpreted code by using AppLocker, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision returned by AppLocker. Not all host processes call into AppLocker and, therefore, AppLocker cannot control every kind of interpreted code, such as Microsoft Office macros. -**Important**   -You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded. + +>**Important:**  You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded.   AppLocker rules either allow or prevent an application from launching. AppLocker does not control the behavior of applications after they are launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an application that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. 
You must thoroughly examine each application before allowing them to run by using AppLocker rules. -**Note**   -Two flags that illustrate this condition are `SANDBOX_INERT`, which can be passed to `CreateRestrictedToken`, and `LOAD_IGNORE_CODE_AUTHZ_LEVEL`, which can be passed to `LoadLibraryEx`. Both of these flags signal AppLocker to circumvent the rules and allow a child .exe or .dll to be loaded. + +>**Note:**  Two flags that illustrate this condition are `SANDBOX_INERT`, which can be passed to `CreateRestrictedToken`, and `LOAD_IGNORE_CODE_AUTHZ_LEVEL`, which can be passed to `LoadLibraryEx`. Both of these flags signal AppLocker to circumvent the rules and allow a child .exe or .dll to be loaded.   ## Related topics -[AppLocker technical reference](applocker-technical-reference.md) -  -  + +- [AppLocker technical reference](applocker-technical-reference.md) diff --git a/windows/keep-secure/security-options.md b/windows/keep-secure/security-options.md index 1e083a249a..2d25a87621 100644 --- a/windows/keep-secure/security-options.md +++ b/windows/keep-secure/security-options.md 
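Review bot: the two converted callouts in this hunk, `+>**Important:**  You should configure the appropriate security settings...` and `+>**Note:**  Two flags that illustrate this condition are...`, put the bold label directly after `>` and keep the non-breaking spaces carried over from the removed `-**Important**   ` / `-**Note**   ` headings; use `> **Important:** You should configure...` and `> **Note:** Two flags...` with ordinary spaces so the blockquote and the bold label render consistently. While touching this file, the AppLocker cmdlets link in the first context line still points at `http://technet.microsoft.com/library/ee460962.aspx`; switching it to `https://` is a one-character hardening that fits the security-considerations topic. The `- [AppLocker technical reference](applocker-technical-reference.md)` bullet replacing the bare link and the trailing `-  ` lines under Related topics is fine.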
@@ -2,417 +2,127 @@ title: Security Options (Windows 10) description: Provides an introduction to the settings under Security Options of the local security policies and links to information about each setting. ms.assetid: 405ea253-8116-4e57-b08e-14a8dcdca92b -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Security Options + **Applies to** - Windows 10 + Provides an introduction to the settings under **Security Options** of the local security policies and links to information about each setting. + The **Security Options** contain the following groupings of security policy settings that allow you to configure the behavior of the local computer. Some of these policies can be included in a Group Policy Object and distributed over your organization. + If you edit policy settings locally on a device, you will affect the settings on only that one device. If you configure the settings in a Group Policy Object (GPO), the settings apply to all devices that are subject to that GPO. + For info about setting security policies, see [Configure security policy settings](how-to-configure-security-policy-settings.md). 
+ ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Accounts: Administrator account status](accounts-administrator-account-status.md)

Describes the best practices, location, values, and security considerations for the Accounts: Administrator account status security policy setting.

[Accounts: Block Microsoft accounts](accounts-block-microsoft-accounts.md)

Describes the best practices, location, values, management, and security considerations for the Accounts: Block Microsoft accounts security policy setting.

[Accounts: Guest account status](accounts-guest-account-status.md)

Describes the best practices, location, values, and security considerations for the Accounts: Guest account status security policy setting.

[Accounts: Limit local account use of blank passwords to console logon only](accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md)

Describes the best practices, location, values, and security considerations for the Accounts: Limit local account use of blank passwords to console logon only security policy setting.

[Accounts: Rename administrator account](accounts-rename-administrator-account.md)

This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting.

[Accounts: Rename guest account](accounts-rename-guest-account.md)

Describes the best practices, location, values, and security considerations for the Accounts: Rename guest account security policy setting.

[Audit: Audit the access of global system objects](audit-audit-the-access-of-global-system-objects.md)

Describes the best practices, location, values, and security considerations for the Audit: Audit the access of global system objects security policy setting.

[Audit: Audit the use of Backup and Restore privilege](audit-audit-the-use-of-backup-and-restore-privilege.md)

Describes the best practices, location, values, and security considerations for the Audit: Audit the use of Backup and Restore privilege security policy setting.

[Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](audit-force-audit-policy-subcategory-settings-to-override.md)

Describes the best practices, location, values, and security considerations for the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings security policy setting.

[Audit: Shut down system immediately if unable to log security audits](audit-shut-down-system-immediately-if-unable-to-log-security-audits.md)

Describes the best practices, location, values, management practices, and security considerations for the Audit: Shut down system immediately if unable to log security audits security policy setting.

[DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)

Describes the best practices, location, values, and security considerations for the DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting.

[DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)

Describes the best practices, location, values, and security considerations for the DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax security policy setting.

[Devices: Allow undock without having to log on](devices-allow-undock-without-having-to-log-on.md)

Describes the best practices, location, values, and security considerations for the Devices: Allow undock without having to log on security policy setting.

[Devices: Allowed to format and eject removable media](devices-allowed-to-format-and-eject-removable-media.md)

Describes the best practices, location, values, and security considerations for the Devices: Allowed to format and eject removable media security policy setting.

[Devices: Prevent users from installing printer drivers](devices-prevent-users-from-installing-printer-drivers.md)

Describes the best practices, location, values, and security considerations for the Devices: Prevent users from installing printer drivers security policy setting.

[Devices: Restrict CD-ROM access to locally logged-on user only](devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md)

Describes the best practices, location, values, and security considerations for the Devices: Restrict CD-ROM access to locally logged-on user only security policy setting.

[Devices: Restrict floppy access to locally logged-on user only](devices-restrict-floppy-access-to-locally-logged-on-user-only.md)

Describes the best practices, location, values, and security considerations for the Devices: Restrict floppy access to locally logged-on user only security policy setting.

[Domain controller: Allow server operators to schedule tasks](domain-controller-allow-server-operators-to-schedule-tasks.md)

Describes the best practices, location, values, and security considerations for the Domain controller: Allow server operators to schedule tasks security policy setting.

[Domain controller: LDAP server signing requirements](domain-controller-ldap-server-signing-requirements.md)

Describes the best practices, location, values, and security considerations for the Domain controller: LDAP server signing requirements security policy setting.

[Domain controller: Refuse machine account password changes](domain-controller-refuse-machine-account-password-changes.md)

Describes the best practices, location, values, and security considerations for the Domain controller: Refuse machine account password changes security policy setting.

[Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)

Describes the best practices, location, values, and security considerations for the Domain member: Digitally encrypt or sign secure channel data (always) security policy setting.

[Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)

Describes the best practices, location, values, and security considerations for the Domain member: Digitally encrypt secure channel data (when possible) security policy setting.

[Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)

Describes the best practices, location, values, and security considerations for the Domain member: Digitally sign secure channel data (when possible) security policy setting.

[Domain member: Disable machine account password changes](domain-member-disable-machine-account-password-changes.md)

Describes the best practices, location, values, and security considerations for the Domain member: Disable machine account password changes security policy setting.

[Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md)

Describes the best practices, location, values, and security considerations for the Domain member: Maximum machine account password age security policy setting.

[Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)

Describes the best practices, location, values, and security considerations for the Domain member: Require strong (Windows 2000 or later) session key security policy setting.

[Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)

Describes the best practices, location, values, and security considerations for the Interactive logon: Display user information when the session is locked security policy setting.

[Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md)

Describes the best practices, location, values, and security considerations for the Interactive logon: Do not display last user name security policy setting.

[Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)

Describes the best practices, location, values, and security considerations for the Interactive logon: Do not require CTRL+ALT+DEL security policy setting.

[Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md)

Describes the best practices, location, values, management, and security considerations for the Interactive logon: Machine account lockout threshold security policy setting.

[Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)

Describes the best practices, location, values, management, and security considerations for the Interactive logon: Machine inactivity limit security policy setting.

[Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md)

Describes the best practices, location, values, management, and security considerations for the Interactive logon: Message text for users attempting to log on security policy setting.

[Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md)

Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Message title for users attempting to log on security policy setting.

[Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)

Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Number of previous logons to cache (in case domain controller is not available) security policy setting.

[Interactive logon: Prompt user to change password before expiration](interactive-logon-prompt-user-to-change-password-before-expiration.md)

Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Prompt user to change password before expiration security policy setting.

[Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)

Describes the best practices, location, values, policy management, and security considerations for the Interactive logon: Require Domain Controller authentication to unlock workstation security policy setting.

[Interactive logon: Require smart card](interactive-logon-require-smart-card.md)

Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Require smart card security policy setting.

[Interactive logon: Smart card removal behavior](interactive-logon-smart-card-removal-behavior.md)

Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Smart card removal behavior security policy setting.

[Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md)

Describes the best practices, location, values, policy management and security considerations for the Microsoft network client: Digitally sign communications (always) security policy setting.

[Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md)

Describes the best practices, location, values, and security considerations for the Microsoft network client: Digitally sign communications (if server agrees) security policy setting.

[Microsoft network client: Send unencrypted password to third-party SMB servers](microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)

Describes the best practices, location, values, policy management and security considerations for the Microsoft network client: Send unencrypted password to third-party SMB servers security policy setting.

[Microsoft network server: Amount of idle time required before suspending session](microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)

Describes the best practices, location, values, and security considerations for the Microsoft network server: Amount of idle time required before suspending session security policy setting.

[Microsoft network server: Attempt S4U2Self to obtain claim information](microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)

Describes the best practices, location, values, management, and security considerations for the Microsoft network server: Attempt S4U2Self to obtain claim information security policy setting.

[Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)

Describes the best practices, location, values, policy management and security considerations for the Microsoft network server: Digitally sign communications (always) security policy setting.

[Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md)

Describes the best practices, location, values, policy management and security considerations for the Microsoft network server: Digitally sign communications (if client agrees) security policy setting.

[Microsoft network server: Disconnect clients when logon hours expire](microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)

Describes the best practices, location, values, and security considerations for the Microsoft network server: Disconnect clients when logon hours expire security policy setting.

[Microsoft network server: Server SPN target name validation level](microsoft-network-server-server-spn-target-name-validation-level.md)

Describes the best practices, location, and values, policy management and security considerations for the Microsoft network server: Server SPN target name validation level security policy setting.

[Network access: Allow anonymous SID/Name translation](network-access-allow-anonymous-sidname-translation.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Allow anonymous SID/Name translation security policy setting.

[Network access: Do not allow anonymous enumeration of SAM accounts](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md)

Describes the best practices, location, values, and security considerations for the Network access: Do not allow anonymous enumeration of SAM accounts security policy setting.

[Network access: Do not allow anonymous enumeration of SAM accounts and shares](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md)

Describes the best practices, location, values, and security considerations for the Network access: Do not allow anonymous enumeration of SAM accounts and shares security policy setting.

[Network access: Do not allow storage of passwords and credentials for network authentication](network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Do not allow storage of passwords and credentials for network authentication security policy setting.

[Network access: Let Everyone permissions apply to anonymous users](network-access-let-everyone-permissions-apply-to-anonymous-users.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Let Everyone permissions apply to anonymous users security policy setting.

[Network access: Named Pipes that can be accessed anonymously](network-access-named-pipes-that-can-be-accessed-anonymously.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Named Pipes that can be accessed anonymously security policy setting.

[Network access: Remotely accessible registry paths](network-access-remotely-accessible-registry-paths.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Remotely accessible registry paths security policy setting.

[Network access: Remotely accessible registry paths and subpaths](network-access-remotely-accessible-registry-paths-and-subpaths.md)

Describes the best practices, location, values, and security considerations for the Network access: Remotely accessible registry paths and subpaths security policy setting.

[Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Restrict anonymous access to Named Pipes and Shares security policy setting.

[Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Shares that can be accessed anonymously security policy setting.

[Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Sharing and security model for local accounts security policy setting.

[Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)

Describes the location, values, policy management, and security considerations for the Network security: Allow Local System to use computer identity for NTLM security policy setting.

[Network security: Allow LocalSystem NULL session fallback](network-security-allow-localsystem-null-session-fallback.md)

Describes the best practices, location, values, and security considerations for the Network security: Allow LocalSystem NULL session fallback security policy setting.

[Network security: Allow PKU2U authentication requests to this computer to use online identities](network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md)

Describes the best practices, location, and values for the Network Security: Allow PKU2U authentication requests to this computer to use online identities security policy setting.

[Network security: Configure encryption types allowed for Kerberos Win7 only](network-security-configure-encryption-types-allowed-for-kerberos.md)

Describes the best practices, location, values and security considerations for the Network security: Configure encryption types allowed for Kerberos Win7 only security policy setting.

[Network security: Do not store LAN Manager hash value on next password change](network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)

Describes the best practices, location, values, policy management and security considerations for the Network security: Do not store LAN Manager hash value on next password change security policy setting.

[Network security: Force logoff when logon hours expire](network-security-force-logoff-when-logon-hours-expire.md)

Describes the best practices, location, values, policy management and security considerations for the Network security: Force logoff when logon hours expire security policy setting.

[Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md)

Describes the best practices, location, values, policy management and security considerations for the Network security: LAN Manager authentication level security policy setting.

[Network security: LDAP client signing requirements](network-security-ldap-client-signing-requirements.md)

This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. This information applies to computers running at least the Windows Server 2008 operating system.

[Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)

Describes the best practices, location, values, policy management and security considerations for the Network security: Minimum session security for NTLM SSP based (including secure RPC) clients security policy setting.

[Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)

Describes the best practices, location, values, policy management and security considerations for the Network security: Minimum session security for NTLM SSP based (including secure RPC) servers security policy setting.

[Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md)

Describes the best practices, location, values, management aspects, and security considerations for the Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication security policy setting.

[Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md)

Describes the best practices, location, values, management aspects, and security considerations for the Network security: Restrict NTLM: Add server exceptions in this domain security policy setting.

[Network security: Restrict NTLM: Audit incoming NTLM traffic](network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md)

Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: Audit incoming NTLM traffic security policy setting.

[Network security: Restrict NTLM: Audit NTLM authentication in this domain](network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md)

Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: Audit NTLM authentication in this domain security policy setting.

[Network security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md)

Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: Incoming NTLM traffic security policy setting.

[Network security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md)

Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: NTLM authentication in this domain security policy setting.

[Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md)

Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers security policy setting.

[Recovery console: Allow automatic administrative logon](recovery-console-allow-automatic-administrative-logon.md)

Describes the best practices, location, values, policy management and security considerations for the Recovery console: Allow automatic administrative logon security policy setting.

[Recovery console: Allow floppy copy and access to all drives and folders](recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)

Describes the best practices, location, values, policy management and security considerations for the Recovery console: Allow floppy copy and access to all drives and folders security policy setting.

[Shutdown: Allow system to be shut down without having to log on](shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)

Describes the best practices, location, values, policy management and security considerations for the Shutdown: Allow system to be shut down without having to log on security policy setting.

[Shutdown: Clear virtual memory pagefile](shutdown-clear-virtual-memory-pagefile.md)

Describes the best practices, location, values, policy management and security considerations for the Shutdown: Clear virtual memory pagefile security policy setting.

[System cryptography: Force strong key protection for user keys stored on the computer](system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)

Describes the best practices, location, values, policy management and security considerations for the System cryptography: Force strong key protection for user keys stored on the computer security policy setting.

[System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)

This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting.

[System objects: Require case insensitivity for non-Windows subsystems](system-objects-require-case-insensitivity-for-non-windows-subsystems.md)

Describes the best practices, location, values, policy management and security considerations for the System objects: Require case insensitivity for non-Windows subsystems security policy setting.

[System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](system-objects-strengthen-default-permissions-of-internal-system-objects.md)

Describes the best practices, location, values, policy management and security considerations for the System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) security policy setting.

[System settings: Optional subsystems](system-settings-optional-subsystems.md)

Describes the best practices, location, values, policy management and security considerations for the System settings: Optional subsystems security policy setting.

[System settings: Use certificate rules on Windows executables for Software Restriction Policies](system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)

Describes the best practices, location, values, policy management and security considerations for the System settings: Use certificate rules on Windows executables for Software Restriction Policies security policy setting.

[User Account Control: Admin Approval Mode for the Built-in Administrator account](user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Admin Approval Mode for the Built-in Administrator account security policy setting.

[User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md)

Describes the best practices, location, values, and security considerations for the User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop security policy setting.

[User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode security policy setting.

[User Account Control: Behavior of the elevation prompt for standard users](user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Behavior of the elevation prompt for standard users security policy setting.

[User Account Control: Detect application installations and prompt for elevation](user-account-control-detect-application-installations-and-prompt-for-elevation.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Detect application installations and prompt for elevation security policy setting.

[User Account Control: Only elevate executables that are signed and validated](user-account-control-only-elevate-executables-that-are-signed-and-validated.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Only elevate executables that are signed and validated security policy setting.

[User Account Control: Only elevate UIAccess applications that are installed in secure locations](user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Only elevate UIAccess applications that are installed in secure locations security policy setting.

[User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Run all administrators in Admin Approval Mode security policy setting.

[User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Switch to the secure desktop when prompting for elevation security policy setting.

[User Account Control: Virtualize file and registry write failures to per-user locations](user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Virtualize file and registry write failures to per-user locations security policy setting.

+ +| Topic | Description | +| - | - | +| [Accounts: Administrator account status](accounts-administrator-account-status.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Administrator account status** security policy setting.| +| [Accounts: Block Microsoft accounts](accounts-block-microsoft-accounts.md) | Describes the best practices, location, values, management, and security considerations for the **Accounts: Block Microsoft accounts** security policy setting.| +| [Accounts: Guest account status](accounts-guest-account-status.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Guest account status** security policy setting.| +| [Accounts: Limit local account use of blank passwords to console logon only](accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Limit local account use of blank passwords to console logon only** security policy setting. 
| +| [Accounts: Rename administrator account](accounts-rename-administrator-account.md)| This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting.| +| [Accounts: Rename guest account](accounts-rename-guest-account.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Rename guest account** security policy setting.| +| [Audit: Audit the access of global system objects](audit-audit-the-access-of-global-system-objects.md) | Describes the best practices, location, values, and security considerations for the **Audit: Audit the access of global system objects** security policy setting.| +| [Audit: Audit the use of Backup and Restore privilege](audit-audit-the-use-of-backup-and-restore-privilege.md) | Describes the best practices, location, values, and security considerations for the **Audit: Audit the use of Backup and Restore privilege** security policy setting.| +| [Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](audit-force-audit-policy-subcategory-settings-to-override.md) | Describes the best practices, location, values, and security considerations for the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** security policy setting. | +| [Audit: Shut down system immediately if unable to log security audits](audit-shut-down-system-immediately-if-unable-to-log-security-audits.md)| Describes the best practices, location, values, management practices, and security considerations for the **Audit: Shut down system immediately if unable to log security audits** security policy setting. 
| +| [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)| Describes the best practices, location, values, and security considerations for the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting. | +| [DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)| Describes the best practices, location, values, and security considerations for the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** security policy setting. | +| [Devices: Allow undock without having to log on](devices-allow-undock-without-having-to-log-on.md)| Describes the best practices, location, values, and security considerations for the **Devices: Allow undock without having to log on** security policy setting.| +| [Devices: Allowed to format and eject removable media](devices-allowed-to-format-and-eject-removable-media.md) | Describes the best practices, location, values, and security considerations for the **Devices: Allowed to format and eject removable media** security policy setting.| +| [Devices: Prevent users from installing printer drivers](devices-prevent-users-from-installing-printer-drivers.md) | Describes the best practices, location, values, and security considerations for the **Devices: Prevent users from installing printer drivers** security policy setting.| +| [Devices: Restrict CD-ROM access to locally logged-on user only](devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md) | Describes the best practices, location, values, and security considerations for the **Devices: Restrict CD-ROM access to locally logged-on user only** security policy setting. 
| +| [Devices: Restrict floppy access to locally logged-on user only](devices-restrict-floppy-access-to-locally-logged-on-user-only.md)| Describes the best practices, location, values, and security considerations for the **Devices: Restrict floppy access to locally logged-on user only** security policy setting. | +| [Domain controller: Allow server operators to schedule tasks](domain-controller-allow-server-operators-to-schedule-tasks.md)| Describes the best practices, location, values, and security considerations for the **Domain controller: Allow server operators to schedule tasks** security policy setting. | +| [Domain controller: LDAP server signing requirements](domain-controller-ldap-server-signing-requirements.md)| Describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server signing requirements** security policy setting. | +| [Domain controller: Refuse machine account password changes](domain-controller-refuse-machine-account-password-changes.md) | Describes the best practices, location, values, and security considerations for the **Domain controller: Refuse machine account password changes** security policy setting.| +| [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) | Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt or sign secure channel data (always)** security policy setting. | +| [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)| Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt secure channel data (when possible)** security policy setting. 
| +| [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)| Describes the best practices, location, values, and security considerations for the **Domain member: Digitally sign secure channel data (when possible)** security policy setting.| +| [Domain member: Disable machine account password changes](domain-member-disable-machine-account-password-changes.md)| Describes the best practices, location, values, and security considerations for the **Domain member: Disable machine account password changes** security policy setting. +| [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md) |Describes the best practices, location, values, and security considerations for the **Domain member: Maximum machine account password age** security policy setting.| +|[Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)| Describes the best practices, location, values, and security considerations for the **Domain member: Require strong (Windows 2000 or later) session key** security policy setting. | +| [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Display user information when the session is locked** security policy setting. 
| +| [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not display last user name** security policy setting.| +| [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not require CTRL+ALT+DEL** security policy setting.| +| [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md) | Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine account lockout threshold** security policy setting.| +| [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)| Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine inactivity limit** security policy setting.| +| [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) | Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Message text for users attempting to log on** security policy setting. | +| [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md)| Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Message title for users attempting to log on** security policy setting. 
| +| [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)| Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** security policy setting. | +| [Interactive logon: Prompt user to change password before expiration](interactive-logon-prompt-user-to-change-password-before-expiration.md)| Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Prompt user to change password before expiration** security policy setting. | +| [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)| Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require Domain Controller authentication to unlock workstation** security policy setting. 
| +| [Interactive logon: Require smart card](interactive-logon-require-smart-card.md) | Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Require smart card** security policy setting.| +| [Interactive logon: Smart card removal behavior](interactive-logon-smart-card-removal-behavior.md) | Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Smart card removal behavior** security policy setting.| +| [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting. | +| [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting. | +| [Microsoft network client: Send unencrypted password to third-party SMB servers](microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Send unencrypted password to third-party SMB servers** security policy setting. | +| [Microsoft network server: Amount of idle time required before suspending session](microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Amount of idle time required before suspending session** security policy setting. 
| +| [Microsoft network server: Attempt S4U2Self to obtain claim information](microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)| Describes the best practices, location, values, management, and security considerations for the **Microsoft network server: Attempt S4U2Self to obtain claim information** security policy setting. | +| [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting.| +| [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting. | +| [Microsoft network server: Disconnect clients when logon hours expire](microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Disconnect clients when logon hours expire** security policy setting. | +| [Microsoft network server: Server SPN target name validation level](microsoft-network-server-server-spn-target-name-validation-level.md)| Describes the best practices, location, and values, policy management and security considerations for the **Microsoft network server: Server SPN target name validation level** security policy setting. 
| +| [Network access: Allow anonymous SID/Name translation](network-access-allow-anonymous-sidname-translation.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Allow anonymous SID/Name translation** security policy setting.| +| [Network access: Do not allow anonymous enumeration of SAM accounts](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md)| Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts** security policy setting. | +| [Network access: Do not allow anonymous enumeration of SAM accounts and shares](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md)| Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts and shares** security policy setting. | +| [Network access: Do not allow storage of passwords and credentials for network authentication](network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Do not allow storage of passwords and credentials for network authentication** security policy setting. | +| [Network access: Let Everyone permissions apply to anonymous users](network-access-let-everyone-permissions-apply-to-anonymous-users.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Let Everyone permissions apply to anonymous users** security policy setting. 
| +| [Network access: Named Pipes that can be accessed anonymously](network-access-named-pipes-that-can-be-accessed-anonymously.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Named Pipes that can be accessed anonymously** security policy setting. | +| [Network access: Remotely accessible registry paths](network-access-remotely-accessible-registry-paths.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Remotely accessible registry paths** security policy setting.| +| [Network access: Remotely accessible registry paths and subpaths](network-access-remotely-accessible-registry-paths-and-subpaths.md)| Describes the best practices, location, values, and security considerations for the **Network access: Remotely accessible registry paths and subpaths** security policy setting. | +| [Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict anonymous access to Named Pipes and Shares** security policy setting. | +| [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Shares that can be accessed anonymously** security policy setting. | +| [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Sharing and security model for local accounts** security policy setting. 
| +| [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)| Describes the location, values, policy management, and security considerations for the **Network security: Allow Local System to use computer identity for NTLM** security policy setting. | +| [Network security: Allow LocalSystem NULL session fallback](network-security-allow-localsystem-null-session-fallback.md)| Describes the best practices, location, values, and security considerations for the **Network security: Allow LocalSystem NULL session fallback** security policy setting.| +| [Network security: Allow PKU2U authentication requests to this computer to use online identities](network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md)| Describes the best practices, location, and values for the **Network Security: Allow PKU2U authentication requests to this computer to use online identities** security policy setting. | +| [Network security: Configure encryption types allowed for Kerberos Win7 only](network-security-configure-encryption-types-allowed-for-kerberos.md)| Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos Win7 only** security policy setting. | +| [Network security: Do not store LAN Manager hash value on next password change](network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: Do not store LAN Manager hash value on next password change** security policy setting. 
| +| [Network security: Force logoff when logon hours expire](network-security-force-logoff-when-logon-hours-expire.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: Force logoff when logon hours expire** security policy setting. | +| [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: LAN Manager authentication level** security policy setting.| +| [Network security: LDAP client signing requirements](network-security-ldap-client-signing-requirements.md) | This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. This information applies to computers running at least the Windows Server 2008 operating system. | +| [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) clients** security policy setting. | +| [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) servers** security policy setting. 
| +| [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication** security policy setting. | +| [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network security: Restrict NTLM: Add server exceptions in this domain** security policy setting. | +| [Network security: Restrict NTLM: Audit incoming NTLM traffic](network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Audit incoming NTLM traffic** security policy setting. | +| [Network security: Restrict NTLM: Audit NTLM authentication in this domain](network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** security policy setting. | +| [Network security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Incoming NTLM traffic** security policy setting. 
| +| [Network security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: NTLM authentication in this domain** security policy setting. | +| [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting. | +| [Recovery console: Allow automatic administrative logon](recovery-console-allow-automatic-administrative-logon.md)| Describes the best practices, location, values, policy management and security considerations for the **Recovery console: Allow automatic administrative logon** security policy setting. | +| [Recovery console: Allow floppy copy and access to all drives and folders](recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)| Describes the best practices, location, values, policy management and security considerations for the **Recovery console: Allow floppy copy and access to all drives and folders** security policy setting. | +| [Shutdown: Allow system to be shut down without having to lg on](shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)| Describes the best practices, location, values, policy management and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting. 
| +| [Shutdown: Clear virtual memory pagefile](shutdown-clear-virtual-memory-pagefile.md)| Describes the best practices, location, values, policy management and security considerations for the **Shutdown: Clear virtual memory pagefile** security policy setting.| +| [System cryptography: Force strong key protection for user keys stored on the computer](system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)| Describes the best practices, location, values, policy management and security considerations for the **System cryptography: Force strong key protection for user keys stored on the computer** security policy setting. | +| [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)| This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. | +| [System objects: Require case insensitivity for non-Windows subsystems](system-objects-require-case-insensitivity-for-non-windows-subsystems.md)| Describes the best practices, location, values, policy management and security considerations for the **System objects: Require case insensitivity for non-Windows subsystems** security policy setting. | +| [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](system-objects-strengthen-default-permissions-of-internal-system-objects.md)| Describes the best practices, location, values, policy management and security considerations for the **System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)** security policy setting. 
| +| [System settings: Optional subsystems](system-settings-optional-subsystems.md) | Describes the best practices, location, values, policy management and security considerations for the **System settings: Optional subsystems** security policy setting.| +| [System settings: Use certificate rules on Windows executables for Software Restriction Policies](system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)| Describes the best practices, location, values, policy management and security considerations for the **System settings: Use certificate rules on Windows executables for Software Restriction Policies** security policy setting. | +| [User Account Control: Admin Approval Mode for the Built-in Administrator account](user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Admin Approval Mode for the Built-in Administrator account** security policy setting. | +| [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md)| Describes the best practices, location, values, and security considerations for the **User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop** security policy setting. | +| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** security policy setting. 
| +| [User Account Control: Behavior of the elevation prompt for standard users](user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Behavior of the elevation prompt for standard users** security policy setting. | +| [User Account Control: Detect application installations and prompt for elevation](user-account-control-detect-application-installations-and-prompt-for-elevation.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Detect application installations and prompt for elevation** security policy setting. | +| [User Account Control: Only elevate executables that are signed and validated](user-account-control-only-elevate-executables-that-are-signed-and-validated.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate executables that are signed and validated** security policy setting. | +| [User Account Control: Only elevate UIAccess applications that are installed in secure locations](user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate UIAccess applications that are installed in secure locations** security policy setting. | +| [User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting. 
| +| [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Switch to the secure desktop when prompting for elevation** security policy setting. | +| [User Account Control: Virtualize file and registry write failures to per-user locations](user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Virtualize file and registry write failures to per-user locations** security policy setting. |   ## Related topics -[Security policy settings reference](security-policy-settings-reference.md) -[Security policy settings](security-policy-settings.md) -  -  + +- [Security policy settings reference](security-policy-settings-reference.md) +- [Security policy settings](security-policy-settings.md) diff --git a/windows/keep-secure/security-policy-settings-reference.md b/windows/keep-secure/security-policy-settings-reference.md index 83e2f87051..4023dfc66f 100644 --- a/windows/keep-secure/security-policy-settings-reference.md +++ b/windows/keep-secure/security-policy-settings-reference.md 
@@ -2,53 +2,32 @@ title: Security policy settings reference (Windows 10) description: This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations. ms.assetid: ef5a4579-15a8-4507-9a43-b7ccddcb0ed1 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Security policy settings reference + **Applies to** - Windows 10 + This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations. + This reference focuses on those settings that are considered security settings. This reference examines only the settings and features in the Windows operating systems that can help organizations secure their enterprises against malicious software threats. Management features and those security features that you cannot configure are not described in this reference. + Each policy setting described contains referential content such as a detailed explanation of the settings, best practices, default settings, differences between operating system versions, policy management considerations, and security considerations that include a discussion of vulnerability, countermeasures, and potential impact of those countermeasures. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Account Policies](account-policies.md)

An overview of account policies in Windows and provides links to policy descriptions.

[Audit Policy](audit-policy.md)

Provides information about basic audit policies that are available in Windows and links to information about each setting.

[Security Options](security-options.md)

Provides an introduction to the settings under Security Options of the local security policies and links to information about each setting.

[Advanced security audit policy settings](secpol-advanced-security-audit-policy-settings.md)

Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.

[User Rights Assignment](user-rights-assignment.md)

Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows.

-  + +| Topic | Description | +| - | - | +| [Account Policies](account-policies.md) | An overview of account policies in Windows and provides links to policy descriptions.| +| [Audit Policy](audit-policy.md) | Provides information about basic audit policies that are available in Windows and links to information about each setting.| +| [Security Options](security-options.md) | Provides an introduction to the settings under **Security Options** of the local security policies and links to information about each setting.| +| [Advanced security audit policy settings](secpol-advanced-security-audit-policy-settings.md) | Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.| +| [User Rights Assignment](user-rights-assignment.md) | Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows.  |     diff --git a/windows/keep-secure/security-policy-settings.md b/windows/keep-secure/security-policy-settings.md index fb4adf5d9d..f9ea234685 100644 --- a/windows/keep-secure/security-policy-settings.md +++ b/windows/keep-secure/security-policy-settings.md 
@@ -2,111 +2,191 @@ title: Security policy settings (Windows 10) description: This reference topic describes the common scenarios, architecture, and processes for security settings. ms.assetid: e7ac5204-7f6c-4708-a9f6-6af712ca43b9 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Security policy settings + **Applies to** - Windows 10 + This reference topic describes the common scenarios, architecture, and processes for security settings. + Security policy settings are rules that administrators configure on a computer or multiple devices for the purpose of protecting resources on a device or network. The Security Settings extension of the Local Group Policy Editor snap-in allows you to define security configurations as part of a Group Policy Object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, or organizational units, and they enable you to manage security settings for multiple devices from any device joined to the domain. Security settings policies are used as part of your overall security implementation to help secure domain controllers, servers, clients, and other resources in your organization. + Security settings can control: + - User authentication to a network or device. - The resources that users are permitted to access. - Whether to record a user’s or group’s actions in the event log. - Membership in a group. + To manage security configurations for multiple devices, you can use one of the following options: + - Edit specific security settings in a GPO. - Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, applied to a local device, or used to analyze security. 
+ For more info about managing security configurations, see [Administer security policy settings](administer-security-policy-settings.md). + The Security Settings extension of the Local Group Policy Editor includes the following types of security policies: + - **Account Policies.** These polices are defined on devices; they affect how user accounts can interact with the computer or domain. Account policies include the following types of policies: + - **Password Policy.** These policies determine settings for passwords, such as enforcement and lifetimes. Password policies are used for domain accounts. - **Account Lockout Policy.** These policies determine the conditions and length of time that an account will be locked out of the system. Account lockout policies are used for domain or local user accounts. - **Kerberos Policy.** These policies are used for domain user accounts; they determine Kerberos-related settings, such as ticket lifetimes and enforcement. + - **Local Policies.** These policies apply to a computer and include the following types of policy settings: + - **Audit Policy.** Specify security settings that control the logging of security events into the Security log on the computer, and specifies what types of security events to log (success, failure, or both). - **Note**   - For devices running Windows 7 and later, we recommend to use the settings under Advanced Audit Policy Configuration rather than the Audit Policy settings under Local Policies. + + >**Note:**  For devices running Windows 7 and later, we recommend to use the settings under Advanced Audit Policy Configuration rather than the Audit Policy settings under Local Policies.   
- **User Rights Assignment.** Specify the users or groups that have logon rights or privileges on a device - **Security Options.** Specify security settings for the computer, such as Administrator and Guest Account names; access to floppy disk drives and CD-ROM drives; installation of drivers; logon prompts; and so on. + - **Windows Firewall with Advanced Security.** Specify settings to protect the device on your network by using a stateful firewall that allows you to determine which network traffic is permitted to pass between your device and the network. - **Network List Manager Policies.** Specify settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices. - **Public Key Policies.** Specify settings to control Encrypting File System, Data Protection, and BitLocker Drive Encryption in addition to certain certificate paths and services settings. - **Software Restriction Policies.** Specify settings to identify software and to control its ability to run on your local device, organizational unit, domain, or site. - **Application Control Policies.** Specify settings to control which users or groups can run particular applications in your organization based on unique identities of files. - **IP Security Policies on Local Computer.** Specify settings to ensure private, secure communications over IP networks through the use of cryptographic security services. IPsec establishes trust and security from a source IP address to a destination IP address. -- **Advanced Audit Policy Configuration.** Specify settings that control the logging of security events into the security log on the device. The settings under Advanced Audit Policy Configuration provide finer control over which activities to monitor as opposed to the Audit Policy settings under Local Policies. +- **Advanced Audit Policy Configuration.** Specify settings that control the logging of security events into the security log on the device. 
The settings under Advanced Audit Policy Configuration provide finer control over which activities to monitor as opposed to the Audit Policy settings under +Local Policies. + ## Policy-based security settings management + The Security Settings extension to Group Policy provides an integrated policy-based management infrastructure to help you manage and enforce your security policies. + You can define and apply security settings policies to users, groups, and network servers and clients through Group Policy and Active Directory Domain Services (AD DS). A group of servers with the same functionality can be created (for example, a Microsoft Web (IIS) server), and then Group Policy Objects can be used to apply common security settings to the group. If more servers are added to this group later, many of the common security settings are automatically applied, reducing deployment and administrative labor. + ### Common scenarios for using security settings policies + Security settings policies are used to manage the following aspects of security: accounts policy, local policy, user rights assignment, registry values, file and registry Access Control Lists (ACLs), service startup modes, and more. + As part of your security strategy, you can create GPOs with security settings policies configured specifically for the various roles in your organization, such as domain controllers, file servers, member servers, clients, and so on. + You can create an organizational unit (OU) structure that groups devices according to their roles. Using OUs is the best method for separating specific security requirements for the different roles in your network. This approach also allows you to apply customized security templates to each class of server or computer. After creating the security templates, you create a new GPO for each of the OUs, and then import the security template (.inf file) into the new GPO. 
-Importing a security template to a GPO ensures that any accounts to which the GPO is applied automatically receive the template’s security settings when the Group Policy settings are refreshed. On a workstation or server, the security settings are refreshed at regular intervals (with a random offset of at most 30 minutes), and, on a domain controller, this process occurs every few minutes if changes have occurred in any of the GPO settings that apply. The settings are also refreshed every 16 hours, whether or not any changes have occurred. -**Note**   -These refresh settings vary between versions of the operating system and can be configured. + +Importing a security template to a GPO ensures that any accounts to which the GPO is applied automatically receive the template’s security settings when the Group Policy settings are refreshed. On a workstation or server, the security settings are refreshed at regular intervals (with a random +offset of at most 30 minutes), and, on a domain controller, this process occurs every few minutes if changes have occurred in any of the GPO settings that apply. The settings are also refreshed every 16 hours, whether or not any changes have occurred. + +>**Note:**  These refresh settings vary between versions of the operating system and can be configured.   By using Group Policy−based security configurations in conjunction with the delegation of administration, you can ensure that specific security settings, rights, and behavior are applied to all servers and computers within an OU. This approach makes it simple to update a number of servers with any additional changes required in the future. 
+ ### Dependencies on other operating system technologies + For devices that are members of a Windows Server 2008 or later domain, security settings policies depend on the following technologies: + - **Active Directory Domain Services (AD DS)** + The Windows-based directory service, AD DS, stores information about objects on a network and makes this information available to administrators and users. By using AD DS, you can view and manage network objects on the network from a single location, and users can access permitted network resources by using a single logon. + - **Group Policy** + The infrastructure within AD DS that enables directory-based configuration management of user and computer settings on devices running Windows Server. By using Group Policy, you can define configurations for groups of users and computers, including policy settings, registry-based policies, software installation, scripts, folder redirection, Remote Installation Services, Internet Explorer maintenance, and security. + - **Domain Name System (DNS)** + A hierarchical naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and IP addresses to domain names. This allows users, computers, and applications to query DNS to specify remote systems by fully qualified domain names rather than by IP addresses. + - **Winlogon** + A part of the Windows operating system that provides interactive logon support. Winlogon is designed around an interactive logon model that consists of three components: the Winlogon executable, a credential provider, and any number of network providers. + - **Setup** + Security configuration interacts with the operating system setup process during a clean installation or upgrade from earlier versions of Windows Server. + - **Security Accounts Manager (SAM)** + A Windows service used during the logon process. 
SAM maintains user account information, including groups to which a user belongs. + - **Local Security Authority (LSA)** + A protected subsystem that authenticates and logs users onto the local system. LSA also maintains information about all aspects of local security on a system, collectively known as the Local Security Policy of the system. + - **Windows Management Instrumentation (WMI)** + A feature of the Microsoft Windows operating system, WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI provides access to information about objects in a managed environment. Through WMI and the WMI application programming interface (API), applications can query for and make changes to static information in the Common Information Model (CIM) repository and dynamic information maintained by the various types of providers. + - **Resultant Set of Policy (RSoP)** + An enhanced Group Policy infrastructure that uses WMI in order to make it easier to plan and debug policy settings. RSoP provides public methods that expose what an extension to Group Policy would do in a what-if situation, and what the extension has done in an actual situation. This allows administrators to easily determine the combination of policy settings that apply to, or will apply to, a user or device. + - **Service Control Manager (SCM)** + Used for configuration of service startup modes and security. + - **Registry** + Used for configuration of registry values and security. + - **File system** + Used for configuration of security. + - **File system conversions** + Security is set when an administrator converts a file system from FAT to NTFS. + - **Microsoft Management Console (MMC)** + The user interface for the Security Settings tool is an extension of the Local Group Policy Editor MMC snap-in. 
+ ### Security settings policies and Group Policy + The Security Settings extension of the Local Group Policy Editor is part of the Security Configuration Manager tool set. The following components are associated with Security Settings: a configuration engine; an analysis engine; a template and database interface layer; setup integration logic; and the secedit.exe command-line tool. The security configuration engine is responsible for handling security configuration editor-related security requests for the system on which it runs. The analysis engine analyzes system security for a given configuration and saves the result. The template and database interface layer handles reading and writing requests from and to the template or database (for internal storage). The Security Settings extension of the Local Group Policy Editor handles Group Policy from a domain-based or local device. The security configuration logic integrates with setup and manages system security for a clean installation or upgrade to a more recent Windows operating system. Security information is stored in templates (.inf files) or in the Secedit.sdb database. + The following diagram shows Security Settings and related features. + **Security Settings Policies and Related Features** + ![components related to security policies](images/secpol-components.gif) + - **Scesrv.dll** + Provides the core security engine functionality. + - **Scecli.dll** + Provides the client-side interfaces to the security configuration engine and provides data to Resultant Set of Policy (RSoP). + - **Wsecedit.dll** + The Security Settings extension of Local Group Policy Editor. scecli.dll is loaded into wsecedit.dll to support the Security Settings user interface. + - **Gpedit.dll** + The Local Group Policy Editor MMC snap-in. + ## Security Settings extension architecture + The Security Settings extension of the Local Group Policy Editor is part of the Security Configuration Manager tools, as shown in the following diagram. 
+ **Security Settings Architecture** + ![architecture of security policy settings](images/secpol-architecture.gif) + The security settings configuration and analysis tools include a security configuration engine, which provides local computer (non-domain member) and Group Policy−based configuration and analysis of security settings policies. The security configuration engine also supports the creation of security policy files. The primary features of the security configuration engine are scecli.dll and scesrv.dll. + The following list describes these primary features of the security configuration engine and other Security Settings−related features. + - **scesrv.dll** + This .dll is hosted in services.exe and runs under local system context. scesrv.dll provides core Security Configuration Manager functionality, such as import, configure, analyze, and policy propagation. + Scesrv.dll performs configuration and analysis of various security-related system parameters by calling corresponding system APIs, including LSA, SAM, and the registry. + Scesrv.dll exposes APIs such as import, export, configure, and analyze. It checks that the request is made over LRPC (Windows XP) and fails the call if it is not. + Communication between parts of the Security Settings extension occurs by using the following methods: + - Component Object Model (COM) calls - Local Remote Procedure Call (LRPC) - Lightweight Directory Access Protocol (LDAP) 
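Review bot: the line wraps this hunk introduces in the **Advanced Audit Policy Configuration** bullet ("as opposed to the Audit Policy settings under" / "+Local Policies.") and in the refresh-interval paragraph ("(with a random" / "offset of at most 30 minutes)") break a sentence across lines, and in the bullet case a column-0 continuation line can be mis-rendered as a new paragraph; the rest of this file keeps each paragraph on one line, so rejoin both. While the note is being converted to `>**Note:**`, drop the non-breaking spaces that follow it and fix the grammar: "we recommend to use the settings under Advanced Audit Policy Configuration" should read "we recommend using the settings under Advanced Audit Policy Configuration". Also visible in this hunk's context: "These polices are defined on devices" should be "policies".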
@@ -114,146 +194,204 @@ The following list describes these primary features of the security configuratio - Server Message Block (SMB) - Win32 APIs - Windows Management Instrumentation (WMI) calls + On domain controllers, scesrv.dll receives notifications of changes made to SAM and the LSA that need to be synchronized across domain controllers. Scesrv.dll incorporates those changes into the Default Domain Controller Policy GPO by using in-process scecli.dll template modification APIs. Scesrv.dll also performs configuration and analysis operations. + - **Scecli.dll** + This is the client-side interface or wrapper to scesrv.dll. scecli.dll is loaded into Wsecedit.dll to support MMC snap-ins. It is used by Setup to configure default system security and security of files, registry keys, and services installed by the Setup API .inf files. + The command-line version of the security configuration and analysis user interfaces, secedit.exe, uses scecli.dll. + Scecli.dll implements the client-side extension for Group Policy. + Scesrv.dll uses scecli.dll to download applicable Group Policy files from SYSVOL in order to apply Group Policy security settings to the local device. + Scecli.dll logs application of security policy into WMI (RSoP). + Scesrv.dll policy filter uses scecli.dll to update Default Domain Controller Policy GPO when changes are made to SAM and LSA. + - **Wsecedit.dll** + The Security Settings extension of the Group Policy Object Editor snap-in. You use this tool to configure security settings in a Group Policy Object for a site, domain, or organizational unit. You can also use Security Settings to import security templates to a GPO. + - **Secedit.sdb** + This is a permanent system database used for policy propagation including a table of persistent settings for rollback purposes. + - **User databases** + A user database is any database other than the system database created by administrators for the purposes of configuration or analysis of security. 
+ - **.Inf Templates** - These are text files that contain declarative security settings. They are loaded into a database before configuration or analysis. Group Policy security policies are stored in .inf files on the SYSVOL folder of domain controllers, where they are downloaded (by using file copy) and merged into the system database during policy propagation. + + These are text files that contain declarative security settings. They are loaded into a database before configuration or analysis. Group Policy security policies are stored in .inf files on the SYSVOL folder of domain controllers, where they are downloaded (by using file copy) and merged into + the system database during policy propagation. + ## Security settings policy processes and interactions + For a domain-joined device, where Group Policy is administered, security settings are processed in conjunction with Group Policy. Not all settings are configurable. + ### Group Policy processing + When a computer starts and a user logs on, computer policy and user policy are applied according to the following sequence: + 1. The network starts. Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) start. 2. An ordered list of Group Policy Objects is obtained for the device. The list might depend on these factors: + - Whether the device is part of a domain and, therefore, subject to Group Policy through Active Directory. - The location of the device in Active Directory. - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done. + 3. Computer policy is applied. These are the settings under Computer Configuration from the gathered list. This is a synchronous process by default and occurs in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while computer policies are processed. 4. Startup scripts run. 
This is hidden and synchronous by default; each script must complete or time out before the next one starts. The default time-out is 600 seconds. You can use several policy settings to modify this behavior. 5. The user presses CTRL+ALT+DEL to log on. 6. After the user is validated, the user profile loads; it is governed by the policy settings that are in effect. 7. An ordered list of Group Policy Objects is obtained for the user. The list might depend on these factors: + - Whether the user is part of a domain and, therefore, subject to Group Policy through Active Directory. - Whether loopback policy processing is enabled, and if so, the state (Merge or Replace) of the loopback policy setting. - The location of the user in Active Directory. - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done. + 8. User policy is applied. These are the settings under User Configuration from the gathered list. This is synchronous by default and in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while user policies are processed. 9. Logon scripts run. Group Policy−based logon scripts are hidden and asynchronous by default. The user object script runs last. 10. The operating system user interface that is prescribed by Group Policy appears. + ### Group Policy Objects storage + A Group Policy Object (GPO) is a virtual object that is identified by a Globally Unique Identifier (GUID) and stored at the domain level. The policy setting information of a GPO is stored in the following two locations: + - **Group Policy containers in Active Directory.** + The Group Policy container is an Active Directory container that contains GPO properties, such as version information, GPO status, plus a list of other component settings. 
+ - **Group Policy templates in a domain’s system volume folder (SYSVOL).** + The Group Policy template is a file system folder that includes policy data specified by .admx files, security settings, script files, and information about applications that are available for installation. The Group Policy template is located in the SYSVOL folder in the domain\\Policies subfolder. + The **GROUP\_POLICY\_OBJECT** structure provides information about a GPO in a GPO list, including the version number of the GPO, a pointer to a string that indicates the Active Directory portion of the GPO, and a pointer to a string that specifies the path to the file system portion of the GPO. + ### Group Policy processing order + Group Policy settings are processed in the following order: + 1. **Local Group Policy Object.** + Each device running a Windows operating system beginning with Windows XP has exactly one Group Policy Object that is stored locally. + 2. **Site.** + Any Group Policy Objects that have been linked to the site are processed next. Processing is synchronous and in an order that you specify. + 3. **Domain.** + Processing of multiple domain-linked Group Policy Objects is synchronous and in an order you speciy. + 4. **Organizational units.** + Group Policy Objects that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then Group Policy Objects that are linked to its child organizational unit, and so on. Finally, the Group Policy Objects that are linked to the organizational unit that contains the user or device are processed. + At the level of each organizational unit in the Active Directory hierarchy, one, many, or no Group Policy Objects can be linked. If several Group Policy Objects are linked to an organizational unit, their processing is synchronous and in an order that you specify. 
+ This order means that the local Group Policy Object is processed first, and Group Policy Objects that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites the earlier Group Policy Objects. + This is the default processing order and administrators can specify exceptions to this order. A Group Policy Object that is linked to a site, domain, or organizational unit (not a local Group Policy Object) can be set to **Enforced** with respect to that site, domain, or organizational unit, so that none of its policy settings can be overridden. At any site, domain, or organizational unit, you can mark Group Policy inheritance selectively as **Block Inheritance**. Group Policy Object links that are set to **Enforced** are always applied, however, and they cannot be blocked. + ### Security settings policy processing + In the context of Group Policy processing, security settings policy is processed in the following order. + 1. During Group Policy processing, the Group Policy engine determines which security settings policies to apply. 2. If security settings policies exist in a GPO, Group Policy invokes the Security Settings client-side extension. 3. The Security Settings extension downloads the policy from the appropriate location such as a specific domain controller. 4. The Security Settings extension merges all security settings policies according to precedence rules. The processing is according to the Group Policy processing order of local, site, domain, and organizational unit (OU), as described earlier in the “Group Policy processing order” section. If multiple GPOs are in effect for a given device and there are no conflicting policies, then the policies are cumulative and are merged. + This example uses the Active Directory structure shown in the following figure. A given computer is a member of OU2, to which the **GroupMembershipPolGPO** GPO is linked. 
This computer is also subject to the **UserRightsPolGPO** GPO, which is linked to OU1, higher in the hierarchy. In this case, no conflicting policies exist so the device receives all of the policies contained in both the **UserRightsPolGPO** and the **GroupMembershipPolGPO** GPOs. + **Multiple GPOs and Merging of Security Policy** + ![multiple gpos and merging of security policy](images/secpol-multigpomerge.gif) + 5. The resultant security policies are stored in secedit.sdb, the security settings database. The security engine gets the security template files and imports them to secedit.sdb. 6. The security settings policies are applied to devices. The following figure illustrates the security settings policy processing. + **Security Settings Policy Processing** + ![process and interactions of security policy settin](images/secpol-processes.gif) + ### Merging of security policies on domain controllers + Password policies, Kerberos, and some security options are only merged from GPOs that are linked at the root level on the domain. This is done to keep those settings synchronized across all domain controllers in the domain. The following security options are merged: + - Network Security: Force logoff when logon hours expire - Accounts: Administrator account status - Accounts: Guest account status - Accounts: Rename administrator account - Accounts: Rename guest account + Another mechanism exists that allows security policy changes made by administrators by using net accounts to be merged into the Default Domain Policy GPO. User rights changes that are made by using Local Security Authority (LSA) APIs are filtered into the Default Domain Controllers Policy GPO. 
+ ### Special considerations for domain controllers + If an application is installed on a primary domain controller (PDC) with operations master role (also known as flexible single master operations or FSMO) and the application makes changes to user rights or password policy, these changes must be communicated to ensure that synchronization across domain controllers occurs. Scesrv.dll receives a notification of any changes made to the security account manager (SAM) and LSA that need to be synchronized across domain controllers and then incorporates the changes into the Default Domain Controller Policy GPO by using scecli.dll template modification APIs. + ### When security settings are applied + After you have edited the security settings policies, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object in the following instances: + - When a device is restarted. - Every 90 minutes on a workstation or server and every 5 minutes on a domain controller. This refresh interval is configurable. - By default, Security policy settings delivered by Group Policy are also applied every 16 hours (960 minutes) even if a GPO has not changed. + ### Persistence of security settings policy + Security settings can persist even if a setting is no longer defined in the policy that originally applied it. + Security settings might persist in the following cases: + - The setting has not been previously defined for the device. - The setting is for a registry security object. - The settings are for a file system security object. -All settings applied through local policy or through a Group Policy Object are stored in a local database on your computer. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. 
If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database then the setting does not revert to anything and remains defined as is. This behavior is sometimes referred to as “tattooing.” + +All settings applied through local policy or through a Group Policy Object are stored in a local database on your computer. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database then the setting does not revert to anything and remains defined as is. +This behavior is sometimes referred to as “tattooing.” + Registry and file security settings will maintain the values applied through Group Policy until that setting is set to other values. + ### Permissions required for policy to apply + Both Apply Group Policy and Read permissions are required to have the settings from a Group Policy Object apply to users or groups, and computers. + ### Filtering security policy + By default, all GPOs have Read and Apply Group Policy both Allowed for the Authenticated Users group. The Authenticated Users group includes both users and computers. Security settings policies are computer-based. To specify which client computers will or will not have a Group Policy Object applied to them, you can deny them either the Apply Group Policy or Read permission on that Group Policy Object. Changing these permissions allows you to limit the scope of the GPO to a specific set of computers within a site, domain, or OU. 
-**Note**   -Do not use security policy filtering on a domain controller as this would prevent security policy from applying to it. + +**Note:**  Do not use security policy filtering on a domain controller as this would prevent security policy from applying to it.   ### Migration of GPOs containing security settings + In some situations, you might want to migrate GPOs from one domain environment to another environment. The two most common scenarios are test-to-production migration, and production-to-production migration. The GPO copying process has implications for some types of security settings. + Data for a single GPO is stored in multiple locations and in various formats; some data is contained in Active Directory and other data is stored on the SYSVOL share on the domain controllers. Certain policy data might be valid in one domain but might be invalid in the domain to which the GPO is being copied. For example, Security Identifiers (SIDs) stored in security policy settings are often domain-specific. So copying GPOs is not as simple as taking a folder and copying it from one device to another. + The following security policies can contain security principals and might require some additional work to successfully move them from one domain to another. + - User rights assignment - Restricted groups - Services - File system - Registry - The GPO DACL, if you choose to preserve it during a copy operation + To ensure that data is copied correctly, you can use Group Policy Management Console (GPMC). When migrating a GPO from one domain to another, GPMC ensures that all relevant data is properly copied. GPMC also offers migration tables, which can be used to update domain-specific data to new values as part of the migration process. GPMC hides much of the complexity involved in the migrating GPO operations, and it provides simple and reliable mechanisms for performing operations such as copy and backup of GPOs. 
+ ## In this section - ---- - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Administer security policy settings](administer-security-policy-settings.md)

This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.

[Configure security policy settings](how-to-configure-security-policy-settings.md)

Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.

[Security policy settings reference](security-policy-settings-reference.md)

This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.

-  -  -  + +| Topic | Description | +| - | - | +| [Administer security policy settings](administer-security-policy-settings.md) | This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.| +| [Configure security policy settings](how-to-configure-security-policy-settings.md) | Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.| +| [Security policy settings reference](security-policy-settings-reference.md) | This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.| diff --git a/windows/keep-secure/security-technologies.md b/windows/keep-secure/security-technologies.md index b1beb54dd3..19a6af38ba 100644 --- a/windows/keep-secure/security-technologies.md +++ b/windows/keep-secure/security-technologies.md @@ -2,64 +2,14 @@ title: Security technologies (Windows 10) description: Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. ms.assetid: BFE2DE22-B0CE-465B-8CF6-28F64464DF08 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Security technologies -<<<<<<< HEAD -Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. -## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
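Review bot: In security-policy-settings.md, the rewritten note under "Filtering security policy" uses the inline form `**Note:**  Do not use security policy filtering on a domain controller ...`, while the new topics added in this same change use the blockquote form `>**Note:**  ...` (see server-isolation-policy-design-example.md); pick one convention for the whole set. Under "Special considerations for domain controllers", "installed on a primary domain controller (PDC) with operations master role (also known as flexible single master operations or FSMO)" reads as if the PDC were a distinct controller; naming the role as the PDC emulator FSMO role would make the sentence accurate. In the same filtering section, the guidance to "deny them either the Apply Group Policy or Read permission" could add that scoping is more commonly done by replacing the Authenticated Users ACE with an explicit computer group, since Deny ACEs are easy to overlook when troubleshooting why a policy does not apply.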
TopicDescription

[AppLocker](applocker-overview.md)

This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

[BitLocker](bitlocker-overview.md)

This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.

[Encrypted Hard Drive](encrypted-hard-drive.md)

Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.

[Security auditing](security-auditing-overview.md)

Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network.

[Security policy settings](security-policy-settings.md)

This reference topic describes the common scenarios, architecture, and processes for security settings.

[Trusted Platform Module](trusted-platform-module-overview.md)

This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM.

[User Account Control](user-account-control-overview.md)

User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.

[Windows Defender in Windows 10](windows-defender-in-windows-10.md)

This topic provides an overview of Windows Defender, including a list of system requirements and new features.

-  -======= Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. @@ -74,7 +24,7 @@ Learn more about the different security technologies that are available in Windo | [User Account Control](user-account-control-overview.md)| User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.| | [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)| Windows Defender Advanced Threat Protection (Windows Defender ATP) is an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.| | [Windows Defender in Windows 10](windows-defender-in-windows-10.md)| This topic provides an overview of Windows Defender, including a list of system requirements and new features.| +| [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) | Windows Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. | ->>>>>>> master     diff --git a/windows/keep-secure/select-types-of-rules-to-create.md b/windows/keep-secure/select-types-of-rules-to-create.md index 7f3a82de40..00ae11caf5 100644 --- a/windows/keep-secure/select-types-of-rules-to-create.md +++ b/windows/keep-secure/select-types-of-rules-to-create.md 
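Review bot: In security-technologies.md, the removed `<<<<<<< HEAD`, `=======` and `>>>>>>> master` lines show that unresolved merge-conflict markers had been committed into the published topic; this hunk resolves them by keeping the master side (the markdown table, including the Windows Defender Advanced Threat Protection row) and dropping the HEAD HTML table, which is the right choice, but grep the repo for `<<<<<<<` and `>>>>>>>` before merging, since the same conflict pattern may exist in other topics. The added Windows Firewall with Advanced Security row is consistent with the server-isolation topics introduced later in this change. The front-matter reorder (`ms.pagetype` moved below `ms.sitesec`, `ms.prod: W10` to `w10`) matches the other files in the change.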
@@ -2,77 +2,71 @@ title: Select the types of rules to create (Windows 10) description: This topic lists resources you can use when selecting your application control policy rules by using AppLocker. ms.assetid: 14751169-0ed1-47cc-822c-8c01a7477784 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Select the types of rules to create + **Applies to** - Windows 10 + This topic lists resources you can use when selecting your application control policy rules by using AppLocker. + When determining what types of rules to create for each of your groups, you should also determine what enforcement setting to use for each group. Different rule types are more applicable for some apps, depending on the way that the applications are deployed in a specific business group. + The following topics provide additional information about AppLocker rules that can help you decide what rules to use for your applications: + - [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md) - [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md) - [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md) - [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md) - [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md) - [Understanding AppLocker default rules](understanding-applocker-default-rules.md) + ### Select the rule collection + The rules you create will be in one of the following rule collections: + - Executable files: .exe and .com - Windows Installer files: .msi, .msp, and .mst - Scripts: .ps1, .bat, .cmd, .vbs, and .js - Packaged apps and packaged app installers: .appx - DLLs: .dll and .ocx + By default, the rules will allow a file to run based upon user or group privilege. 
If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps. The DLL rule collection is not enabled by default. + In the Woodgrove Bank example, the line-of-business app for the Bank Tellers business group is C:\\Program Files\\Woodgrove\\Teller.exe, and this app needs to be included in a rule. In addition, because this rule is part of a list of allowed applications, all the Windows files under C:\\Windows must be included as well. + ### Determine the rule condition + A rule condition is criteria upon which an AppLocker rule is based and can only be one of the rule conditions in the following table. - ----- - - - - - - - - - - - - - - - - - - - - - - - - -
Rule conditionUsage scenarioResources

Publisher

To use a publisher condition, the files must be digitally signed by the software publisher, or you must do so by using an internal certificate. Rules that are specified to the version level might have to be updated when a new version of the file is released.

For more info about this rule condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md).

Path

Any file can be assigned this rule condition; however, because path rules specify locations within the file system, any subdirectory will also be affected by the rule (unless explicitly exempted).

For more info about this rule condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md).

File hash

Any file can be assigned this rule condition; however, the rule must be updated each time a new version of the file is released because the hash value is based in part upon the version.

For more info about this rule condition, see [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md).

+ +| Rule condition | Usage scenario | Resources | +| - | - | - | +| Publisher | To use a publisher condition, the files must be digitally signed by the software publisher, or you must do so by using an internal certificate. Rules that are specified to the version level might have to be updated when a new version of the file is released.|For more info about this rule condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md). +| Path| Any file can be assigned this rule condition; however, because path rules specify locations within the file system, any subdirectory will also be affected by the rule (unless explicitly exempted).| For more info about this rule condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md). | +| File hash | Any file can be assigned this rule condition; however, the rule must be updated each time a new version of the file is released because the hash value is based in part upon the version.| For more info about this rule condition, see [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md). |   In the Woodgrove Bank example, the line-of-business app for the Bank Tellers business group is signed and is located at C:\\Program Files\\Woodgrove\\Teller.exe. Therefore, the rule can be defined with a publisher condition. If the rule is defined to a specific version and above (for example, Teller.exe version 8.0 and above), then this will allow any updates to this app to occur without interruption of access to the users if the app's name and signed attributes stay the same. + ### Determine how to allow system files to run + Because AppLocker rules build a list of allowed apps, a rule or rules must be created to allow all Windows files to run. 
AppLocker provides a means to ensure system files are properly considered in your rule collection by generating the default rules for each rule collection. You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. When a default rule is created, it is denoted with "(Default rule)" in its name as it appears in the rule collection. + You can also create a rule for the system files based on the path condition. In the preceding example, for the Bank Tellers group, all Windows files reside under C:\\Windows and can be defined with the path rule condition type. This will permit access to these files whenever updates are applied and the files change. If you require additional application security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. The Windows folder contains a Temp subfolder to which the Users group is given the following permissions: + - Traverse Folder/Execute File - Create Files/Write Data - Create Folders/Append Data + These permissions settings are applied to this folder for application compatibility. However, because any user can create files in this location, allowing apps to be run from this location might conflict with your organization's security policy. + ## Next steps + After you have selected the types of rules to create, record your findings as explained in [Document your AppLocker rules](document-your-applocker-rules.md). + After recording your findings for the AppLocker rules to create, you will need to consider how to enforce the rules. 
For info about how to do this, see [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md). -  -  diff --git a/windows/keep-secure/server-isolation-gpos.md b/windows/keep-secure/server-isolation-gpos.md new file mode 100644 index 0000000000..149730d1a5 --- /dev/null +++ b/windows/keep-secure/server-isolation-gpos.md 
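Review bot: In select-types-of-rules-to-create.md, the rebuilt rule-condition table is missing the closing `|` on the Publisher row (it ends with `...understanding-the-publisher-rule-condition-in-applocker.md).`), while the Path and File hash rows end with `|`; add it so all three rows are parsed the same way. The "Determine how to allow system files to run" paragraph carries the page's real security caveat, that the default path rule for the Windows folder also allows execution from C:\Windows\Temp, where the Users group has Create Files/Write Data and Create Folders/Append Data; consider pulling that into its own `>**Note:**` in the style used by the other topics in this change instead of leaving it at the end of a paragraph.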
@@ -0,0 +1,31 @@ +--- +title: Server Isolation GPOs (Windows 10) +description: Server Isolation GPOs +ms.assetid: c97b1f2f-51d8-4596-b38a-8a3f6f706be4 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Server Isolation GPOs + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Each set of devices that have different users or devices accessing them require a separate server isolation zone. Each zone requires one GPO for each version of Windows running on devices in the zone. The Woodgrove Bank example has an isolation zone for their devices that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. Woodgrove Bank copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose. + +All of the device accounts for devices in the SQL Server server isolation zone are added to the group CG\_SRVISO\_WGBANK\_SQL. This group is granted Read and Apply Group Policy permissions in on the GPOs described in this section. The GPOs are only for server versions of Windows. Client devices are not expected to be members of the server isolation zone, although they can access the servers in the zone by being a member of a network access group (NAG) for the zone. + +## GPO\_SRVISO + + +This GPO is identical to the GPO\_DOMISO\_Encryption GPO with the following changes: + +- The firewall rule that enforces encryption is modified to include the NAGs on the **Users and Computers** tab of the rule. The NAGs granted permission include CG\_NAG\_SQL\_Users and CG\_NAG\_SQL\_Computers. + + >**Important:**  Earlier versions of Windows support only device-based authentication. If you specify that user authentication is mandatory, only users on devices that are running at least Windows Vista or Windows Server 2008 can connect. 
+ +**Next: **[Planning GPO Deployment](planning-gpo-deployment.md) diff --git a/windows/keep-secure/server-isolation-policy-design-example.md b/windows/keep-secure/server-isolation-policy-design-example.md new file mode 100644 index 0000000000..4d38ed4c99 --- /dev/null +++ b/windows/keep-secure/server-isolation-policy-design-example.md 
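Review bot: In server-isolation-gpos.md, "This group is granted Read and Apply Group Policy permissions in on the GPOs" has a stray "in"; it should read "permissions on the GPOs". The NAG names here, CG\_NAG\_SQL\_Users and CG\_NAG\_SQL\_Computers, differ in case from CG\_NAG\_SQL\_USERS and CG\_NAG\_SQL\_COMPUTERS in server-isolation-policy-design-example.md; group names are not case-sensitive in Active Directory, but the two topics should use one spelling so readers can match them. `**Next: **[Planning GPO Deployment]` has a space before the closing `**`, which CommonMark does not treat as closing bold; use `**Next:** [Planning GPO Deployment]`.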
@@ -0,0 +1,77 @@ +--- +title: Server Isolation Policy Design Example (Windows 10) +description: Server Isolation Policy Design Example +ms.assetid: 337e5f6b-1ec5-4b83-bee5-d0aea1fa5fc6 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Server Isolation Policy Design Example + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This design example continues to use the fictitious company Woodgrove Bank, as described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section and the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section. + +In addition to the protections provided by the firewall and domain isolation, Woodgrove Bank wants to provide additional protection to the devices that are running Microsoft SQL Server for the WGBank program. They contain personal data, including each customer's financial history. Government and industry rules and regulations specify that access to this information must be restricted to only those users who have a legitimate business need. This includes a requirement to prevent interception of and access to the information when it is in transit over the network. + +The information presented by the WGBank front-end servers to the client devices, and the information presented by the WGPartner servers to the remote partner devices, are not considered sensitive for the purposes of the government regulations, because they are processed to remove sensitive elements before transmitting the data to the client devices. + +In this guide, the examples show server isolation layered on top of a domain isolation design. If you have an isolated domain, the client devices are already equipped with GPOs that require authentication. You only have to add settings to the isolated server(s) to require authentication on inbound connections, and to check for membership in the NAG. 
The connection attempt succeeds only if NAG membership is confirmed. + +## Server isolation without domain isolation + +Server isolation can also be deployed by itself, to only the devices that must participate. The GPO on the server is no different from the one discussed in the previous paragraph for a server in an existing isolated domain. The difference is that you must also deploy a GPO with supporting connection security rules to the clients that must be able to communicate with the isolated server. Because those devices must be members of the NAG, that group can also be used in a security group filter on the client GPO. That GPO must contain rules that support the authentication requirements of the isolated server. + +In short, instead of applying the client GPO to all clients in the domain, you apply the GPO to only the members of the NAG. + +If you do not have an Active Directory domain, you can manually apply the connection security rules, use a netsh command-line script, or use a Windows PowerShell script to help automate the configuration of the rules on larger numbers of devices. If you do not have an Active Directory domain, you cannot use the Kerberos V5 protocol, but instead must provide the clients and the isolated servers with certificates that are referenced in the connection security rules. + +## Design requirements + +In addition to the protection provided by the firewall rules and domain isolation described in the previous design examples, the network administrators want to implement server isolation to help protect the sensitive data stored on the devices that run SQL Server. + +The following illustration shows the traffic protection needs for this design example. + +![isolated server example](images/wfas-design3example1.gif) + +1. Access to the SQL Server devices must be restricted to only those computer or user accounts that have a business requirement to access the data. 
This includes the service accounts that are used by the WGBank front-end servers, and administrators of the SQL Server devices. In addition, access is only granted when it is sent from an authorized computer. Authorization is determined by membership in a network access group (NAG). + +2. All network traffic to and from the SQL Server devices must be encrypted. + +3. Client devices or users whose accounts are not members of the NAG cannot access the isolated servers. + +**Other traffic notes:** + +- All of the design requirements shown in the [Firewall Policy Design Example](firewall-policy-design-example.md) section are still enforced. + +- All of the design requirements shown in the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section are still enforced. + +## Design details + +Woodgrove Bank uses Active Directory groups and GPOs to deploy the server isolation settings and rules to the devices on its network. + +As in the previously described policy design examples, GPOs to implement the domain isolation environment are linked to the domain container in Active Directory, and then WMI filters and security group filters are attached to GPOs to ensure that the correct GPO is applied to each computer. The following groups were created by using the Active Directory Users and Computers snap-in, and all devices that run Windows were added to the correct groups. + +- **CG\_SRVISO\_WGBANK\_SQL**. This group contains the computer accounts for the devices that run SQL Server. Members of this group receive a GPO with firewall and connections security rules that require that only users who are members of the group CG\_NAG\_SQL\_USERS can access the server, and only when they are using a computer that is a member of the group CG\_NAG\_SQL\_COMPUTERS. + +>**Note:**  You can design your GPOs in nested groups. 
For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. However, devices that are running older versions of Windows can only support a single IPsec policy being active at a time. The policies for each GPO must be complete (and to a great extent redundant with each other), because you cannot layer them as you can in the newer versions of Windows. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group. + +  +Network access groups (NAGs) are not used to determine which GPOs are applied to a computer. Instead, these groups determine which users and devices can access the services on the isolated server. + +- **CG\_NAG\_SQL\_COMPUTERS**. This network access group contains the computer accounts that are able to access the devices running SQL Server hosting the WGBank data. Members of this group include the WGBank front-end servers, and some client devices from which SQL Server administrators are permitted to work on the servers. + +- **CG\_NAG\_SQL\_USERS**. This network access group contains the user accounts of users who are permitted to access the SQL Server devices that host the WGBank data. Members of this group include the service account that the WGBank front-end program uses to run on its devices, and the user accounts for the SQL Server administration team members. + +>**Note:**  You can use a single group for both user and computer accounts. Woodgrove Bank chose to keep them separate for clarity. 
+ +If Woodgrove Bank wants to implement server isolation without domain isolation, the CG\_NAG\_SQL\_COMPUTERS group can also be attached as a security group filter on the GPOs that apply connection security rules to the client devices. By doing this, all the devices that are authorized to access the isolated server also have the required connection security rules. + +You do not have to include the encryption-capable rules on all devices. Instead, you can create GPOs that are applied only to members of the NAG, in addition to the standard domain isolation GPO, that contain connection security rules to support encryption. + +**Next: **[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md) diff --git a/windows/keep-secure/server-isolation-policy-design.md b/windows/keep-secure/server-isolation-policy-design.md new file mode 100644 index 0000000000..a2397773da --- /dev/null +++ b/windows/keep-secure/server-isolation-policy-design.md 
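Review bot: In server-isolation-policy-design-example.md, the note beginning "You can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group ..." is copied from the domain isolation example; this topic defines no boundary zone, so either rewrite the example around the groups this page introduces (CG\_SRVISO\_WGBANK\_SQL and the NAGs) or drop the note. The note is also inserted between the CG\_SRVISO\_WGBANK\_SQL bullet and the NAG bullets, splitting the list; move it after the last bullet. `**Next: **[Certificate-based Isolation Policy Design Example]` has the same space-before-closing-`**` problem as server-isolation-gpos.md.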
@@ -0,0 +1,54 @@ +--- +title: Server Isolation Policy Design (Windows 10) +description: Server Isolation Policy Design +ms.assetid: f93f65cd-b863-461e-ab5d-a620fd962c9a +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Server Isolation Policy Design + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +In the server isolation policy design, you assign servers to a zone that allows access only to users and devices that authenticate as members of an approved network access group (NAG). + +This design typically begins with a network configured as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) section. For this design, you then create zones for servers that have additional security requirements. The zones can limit access to the server to only members of authorized groups, and can optionally require the encryption of all traffic in or out of these servers. This can be done on a per server basis, or for a group of servers that share common security requirements. + +You can implement a server isolation design without using domain isolation. To do this, you use the same principles as domain isolation, but instead of applying them to an Active Directory domain, you apply them only to the devices that must be able to access the isolated servers. The GPO contains connection security and firewall rules that require authentication when communicating with the isolated servers. In this case, the NAGs that determine which users and devices can access the isolated server are also used to determine which devices receive the GPO. + +The design is shown in the following illustration, with arrows that show the permitted communication paths. 
+ +![isolated domain with isolated server](images/wfas-domainisohighsec.gif) + +Characteristics of this design include the following: + +- Isolated domain (area A) - The same isolated domain described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) section. If the isolated domain includes a boundary zone, then devices in the boundary zone behave just like other members of the isolated domain in the way that they interact with devices in server isolation zones. + +- Isolated servers (area B) - Devices in the server isolation zones restrict access to devices, and optionally users, that authenticate as a member of a network access group (NAG) authorized to gain access. + +- Encryption zone (area C) - If the data being exchanged is sufficiently sensitive, the connection security rules for the zone can also require that the network traffic be encrypted. Encryption zones are most often implemented as rules that are part of a server isolation zone, instead of as a separate zone. The diagram illustrates the concept as a subset for conceptual purposes only. + +To add support for server isolation, you must ensure that the authentication methods are compatible with the requirements of the isolated server. For example, if you want to authorize user accounts that are members of a NAG in addition to authorizing computer accounts, you must enable both user and computer authentication in your connection security rules. + +>**Important:**  This design builds on the [Domain Isolation Policy Design](domain-isolation-policy-design.md), which in turn builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md). If you plan to deploy all three designs, do the design work for all three together, and then deploy in the sequence presented. + +This design can be applied to devices that are part of an Active Directory forest. 
Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules. + +For more info about this design: + +- This design coincides with the deployment goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md), and [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). + +- To learn more about this design, see [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). + +- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). + +- To help you make the decisions required in this design, see [Planning Server Isolation Zones](planning-server-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md). + +- For a list of tasks that you can use to deploy your server isolation policy design, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md). + +**Next: **[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md) diff --git a/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md index 1be3c1bfe6..fb5e5d5cbf 100644 --- a/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md 
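Review bot: the same `**Next: **[Certificate-based Isolation Policy Design](...)` spacing problem appears at the end of this new file; the space before the closing `**` prevents the bold run from closing, so use `**Next:** [...]`. Two smaller points in the same hunk: the "Applies to" list names "Windows Server 2016 Technical Preview", a pre-release product name, while every other page touched by this patch lists only Windows 10, so confirm that is intended and not a stale carry-over; and "on a per server basis" should be hyphenated as "per-server".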
+++ b/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Windows Defender ATP service onboarding description: Assign users to the Windows Defender ATP service application in Azure Active Directory to grant access to the portal. keywords: service onboarding, Windows Defender Advanced Threat Protection service onboarding, manage users, search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md index f976f74857..81d0358abb 100644 --- a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Windows Defender Advanced Threat Protection settings description: Use the menu to configure the time zone, suppression rules, and view license information. keywords: Windows Defender ATP settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license, suppression rules search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: DulceMV --- diff --git a/windows/keep-secure/shut-down-the-system.md b/windows/keep-secure/shut-down-the-system.md index fc101c8428..0c4f6b24a7 100644 --- a/windows/keep-secure/shut-down-the-system.md +++ b/windows/keep-secure/shut-down-the-system.md 
@@ -2,105 +2,101 @@ title: Shut down the system (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Shut down the system security policy setting. ms.assetid: c8e8f890-153a-401e-a957-ba6a130304bf -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Shut down the system + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Shut down the system** security policy setting. + ## Reference + This security setting determines if a user who is logged on locally to a device can shut down Windows. + Shutting down domain controllers makes them unavailable to perform functions such as processing logon requests, processing Group Policy settings, and answering Lightweight Directory Access Protocol (LDAP) queries. Shutting down domain controllers that have been assigned operations master roles (also known as flexible single master operations or FSMO roles) can disable key domain functionality; for example, processing logon requests for new passwords, which is performed by the primary domain controller (PDC) emulator master. + The **Shut down the system** user right is required to enable hibernation support, to set the power management settings, and to cancela shutdown. + Constant: SeShutdownPrivilege + ### Possible values + - A user-defined list of accounts - Defaults - Not defined + ### Best practices + 1. Ensure that only Administrators and Backup Operators have the **Shut down the system** user right on member servers, and that only Administrators have the user right on domain controllers. Removing these default groups might limit the abilities of users who are assigned to specific administrative roles in your environment. Ensure that their delegated tasks will not be negatively affected. 2. 
The ability to shut down domain controllers should be limited to a very small number of trusted administrators. Even though a system shutdown requires the ability to log on to the server, you should be very careful about the accounts and groups that you allow to shut down a domain controller. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators, Backup Operators, Server Operators, and Print Operators on domain controllers, and Administrators and Backup Operators on stand-alone servers. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

-

Backup Operators

-

Server Operators

-

Print Operators

Stand-Alone Server Default Settings

Administrators

-

Backup Operators

Domain Controller Effective Default Settings

Administrators

-

Backup Operators

-

Server Operators

-

Print Operators

Member Server Effective Default Settings

Administrators

-

Backup Operators

Client Computer Effective Default Settings

Administrators

-

Backup Operators

-

Users

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Administrators
Backup Operators
Server Operators
Print Operators| +| Stand-Alone Server Default Settings | Administrators
Backup Operators| +| Domain Controller Effective Default Settings | Administrators
Backup Operators
Server Operators
Print Operators| +| Member Server Effective Default Settings | Administrators
Backup Operators| +| Client Computer Effective Default Settings | Administrators
Backup Operators
Users|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + This user right does not have the same effect as **Force shutdown from a remote system**. For more information, see [Force shutdown from a remote system](force-shutdown-from-a-remote-system.md). + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The ability to shut down domain controllers should be limited to a very small number of trusted administrators. Although the **Shut down the system** user right requires the ability to log on to the server, you should be very careful about which accounts and groups you allow to shut down a domain controller. + When a domain controller is shut down, it is no longer available to process logon requests, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. If you shut down domain controllers that possess operations master roles, you can disable key domain functionality, such as processing logon requests for new passwords, which is performed by the PDC master. 
+ For other server roles, especially those where non-administrators have rights to log on to the server (such as RD Session Host servers), it is critical that this user right be removed from users that do not have a legitimate reason to restart the servers. + ### Countermeasure + Ensure that only the Administrators and Backup Operators groups are assigned the **Shut down the system** user right on member servers, and ensure that only the Administrators group is assigned the user right on domain controllers. + ### Potential impact + The impact of removing these default groups from the **Shut down the system** user right could limit the delegated abilities of assigned roles in your environment. You should confirm that delegated activities are not adversely affected. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md index ad159693ce..bdd15d4040 100644 --- a/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md +++ b/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md 
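Review bot: "to set the power management settings, and to cancela shutdown" in the Reference section has a missing space ("cancel a shutdown"); since this hunk already rewrites the surrounding lines, fix it here. In the new Markdown table, the multi-value cells (for example `| Default Domain Controller Policy | Administrators` followed by `Backup Operators`, `Server Operators`, `Print Operators` on separate lines) must stay on a single source line with an inline line break between values, otherwise the table stops rendering after the first row; as shown here the values appear split across lines, so confirm the break markup survived. Also, Best practices item 2 repeats the first paragraph of the Vulnerability section almost verbatim, and the Reference section says "primary domain controller (PDC) emulator master" while the Vulnerability section says "PDC master"; pick one name and drop the duplicate sentence.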
@@ -2,87 +2,90 @@ title: Shutdown Allow system to be shut down without having to log on (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Shutdown Allow system to be shut down without having to log on security policy setting. ms.assetid: f3964767-5377-4416-8eb3-e14d553a7315 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Shutdown: Allow system to be shut down without having to log on + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting. + ## Reference + This policy setting determines whether a device can be shut down without having to log on to Windows. If you enable this policy setting, the **Shut Down** option is available on the logon screen in Windows. If you disable this policy setting, the **Shut Down** option is removed from the logon screen. This configuration requires that users are able to log on to the device successfully and that they have the **Shut down the system** user right before they can perform a shutdown. -Users who can access the console locally can shut down the system. Attackers or misguided users can connect to the server by using Remote Desktop Services, and then shut it down or restart it without having to identify themselves. A malicious user might also cause a temporary denial-of-service condition by walking up to the local console and restarting the server, or shutting down the server and thus rendering unavailable all its applications and services. + +Users who can access the console locally can shut down the system. Attackers or misguided users can connect to the server by using Remote Desktop Services, and then shut it down or restart it without having to identify themselves. 
A malicious user might also cause a temporary denial-of-service +condition by walking up to the local console and restarting the server, or shutting down the server and thus rendering unavailable all its applications and services. ### Possible values + - Enabled + The shut down command is available on the logon screen. + - Disabled + The shut down option is removed from the logon screen and users must have the **Shut down the system** user right before they can perform a shutdown. + - Not defined + ### Best practices + 1. On servers, set this policy to **Disabled**. You must log on to servers to shut them down or restart them. 2. On client devices, set this policy to **Enabled** and define the list of those with the right to shut them down or restart them with the User Rights Assignment policy **Shut down the system**. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Group Policy + For info about the User Rights Assignment policy, **Shut down the system**, see [Shut down the system](shut-down-the-system.md). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users who can access the console locally could shut down the device + Attackers who have access to the local console could restart the server, which would cause a temporary DoS condition. Attackers could also shut down the server and leave all of its applications and services unavailable. + ### Countermeasure + Disable the **Shutdown: Allow system to be shut down without having to log on** setting. + ### Potential impact + You must log on to servers to shut them down or restart them. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md b/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md index 042254e9c7..83e27c9e00 100644 --- a/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md +++ b/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md 
@@ -2,85 +2,82 @@ title: Shutdown Clear virtual memory pagefile (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Shutdown Clear virtual memory pagefile security policy setting. ms.assetid: 31400078-6c56-4891-a6df-6dfb403c4bc9 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Shutdown: Clear virtual memory pagefile + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Shutdown: Clear virtual memory pagefile** security policy setting. + ## Reference + This policy setting determines whether the virtual memory paging file is cleared when the device is shut down. Virtual memory support uses a system paging file to swap pages of memory to disk when they are not used. On a running device, this paging file is opened exclusively by the operating system, and it is well protected. However, devices that are configured to allow other operating systems to start should verify that the system paging file is cleared as the device shuts down. This confirmation ensures that sensitive information from process memory that might be placed in the paging file is not available to an unauthorized user who manages to directly access the paging file after shutdown. + Important information that is kept in real memory might be written periodically to the paging file. This helps devices handle multitasking functions. A malicious user who has physical access to a server that has been shut down can view the contents of the paging file. The attacker can move the system volume into a different computer and then analyze the contents of the paging file. This is a time-consuming process, but it can expose data that is cached from RAM to the paging file. 
A malicious user who has physical access to the server can bypass this countermeasure by simply unplugging the server from its power source. + ### Possible values + - Enabled + The system paging file is cleared when the system shuts down normally. Also, this policy setting forces the computer to clear the hibernation file (hiberfil.sys) when hibernation is disabled on a portable device. + - Disabled - Not defined + ### Best practices + - Set this policy to **Enabled**. This causes Windows to clear the paging file when the system is shut down. Depending on the size of the paging file, this process might take several minutes before the system completely shuts down. This delay in shutting down the server is especially noticeable on servers with large paging files. For a server with 2 gigabytes (GB) of RAM and a 2-GB paging file, this setting can add more than 30 minutes to the shutdown process. For some organizations, this downtime violates their internal service level agreements. Use caution when implementing this countermeasure in your environment. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Important information that is kept in real memory may be written periodically to the paging file to help Windows handle multitasking functions. An attacker who has physical access to a server that has been shut down could view the contents of the paging file. The attacker could move the system volume into a different device and then analyze the contents of the paging file. Although this process is time consuming, it could expose data that is cached from random access memory (RAM) to the paging file. -**Caution**   -An attacker who has physical access to the device could bypass this countermeasure by unplugging the computer from its power source. + +>**Caution:**  An attacker who has physical access to the device could bypass this countermeasure by unplugging the computer from its power source.   ### Countermeasure + Enable the **Shutdown: Clear virtual memory page file** setting. This configuration causes the operating system to clear the paging file when the device is shut down. The amount of time that is required to complete this process depends on the size of the page file. 
Because the process overwrites the storage area that is used by the page file several times, it could be several minutes before the device completely shuts down. + ### Potential impact + It takes longer to shut down and restart the device, especially on devices with large paging files. For a device with 2 gigabytes (GB) of RAM and a 2-GB paging file, this policy setting could increase the shutdown process by more than 30 minutes. For some organizations this downtime violates their internal service level agreements. Therefore, use caution before you implement this countermeasure in your environment. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/store-passwords-using-reversible-encryption.md b/windows/keep-secure/store-passwords-using-reversible-encryption.md index 1d0ae2465b..667eaec2fc 100644 --- a/windows/keep-secure/store-passwords-using-reversible-encryption.md +++ b/windows/keep-secure/store-passwords-using-reversible-encryption.md 
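Review bot: the Countermeasure line "Enable the **Shutdown: Clear virtual memory page file** setting" names the policy differently from the page title and H1 ("Clear virtual memory pagefile"); the bolded name should match the policy's display name exactly so readers can find it in the editor. The same hunk also hard-wraps mid-paragraph before "Because the process overwrites the storage area", unlike the rest of the file. The 2 GB RAM / 2-GB paging file / 30-minute shutdown warning now appears twice (Best practices and Potential impact); keep it in Potential impact and reference it from Best practices to avoid the duplicate maintenance.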
@@ -2,80 +2,71 @@ title: Store passwords using reversible encryption (Windows 10) description: Describes the best practices, location, values, and security considerations for the Store passwords using reversible encryption security policy setting. ms.assetid: 57f958c2-f1e9-48bf-871b-0a9b3299e238 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Store passwords using reversible encryption + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Store passwords using reversible encryption** security policy setting. + ## Reference + The **Store password using reversible encryption** policy setting provides support for applications that use protocols that require the user's password for authentication. Storing encrypted passwords in a way that is reversible means that the encrypted passwords can be decrypted. A knowledgeable attacker who is able to break this encryption can then log on to network resources by using the compromised account. For this reason, never enable **Store password using reversible encryption** for all users in the domain unless application requirements outweigh the need to protect password information. -If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. Digest Authentication in Internet Information Services (IIS) also requires that you enable this policy setting. + +If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. 
Digest Authentication in Internet +Information Services (IIS) also requires that you enable this policy setting. + ### Possible values - Enabled - Disabled - Not defined + ### Best practices + Set the value for **Store password using reversible encryption** to Disabled. If you use CHAP through remote access or IAS, or Digest Authentication in IIS, you must set this value to **Enabled**. This presents a security risk when you apply the setting by using Group Policy on a user-by-user basis because it requires opening the appropriate user account object in Active Directory Users and Computers. -**Note**   -Do not enable this policy setting unless business requirements outweigh the need to protect password information. + +>**Note:**  Do not enable this policy setting unless business requirements outweigh the need to protect password information.   ### Location + **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or Group Policy Object (GPO)Default value

Default domain policy

Disabled

Default domain controller policy

Disabled

Stand-alone server default settings

Disabled

Domain controller effective default settings

Disabled

Member server effective default settings

Disabled

Effective GPO default settings on client computers

Disabled

+ +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| Disabled| +| Default domain controller policy| Disabled| +| Stand-alone server default settings | Disabled| +| Domain controller effective default settings | Disabled| +| Member server effective default settings | Disabled| +| Effective GPO default settings on client computers | Disabled|   ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Enabling this policy setting allows the operating system to store passwords in a format that can weaken your overall security. + ### Countermeasure + Disable the **Store password using reversible encryption** policy setting. + ### Potential impact + If your organization uses CHAP through remote access or IAS, or Digest Authentication in IIS, you must configure this policy setting to Enabled. This presents a security risk when you apply the setting through Group Policy on a user-by-user basis because it requires the appropriate user account object to be opened in Active Directory Users and Computers. + ## Related topics -[Password Policy](password-policy.md) -  -  + +- [Password Policy](password-policy.md) diff --git a/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md index ea019eb343..b6b9fd71e5 100644 --- a/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md @@ -2,7 +2,7 @@ title: Switch PCR banks on TPM 2.0 devices (Windows 10) description: A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. ms.assetid: 743FCCCB-99A9-4636-8F48-9ECB3A3D10DE -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
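Review bot: the title and H1 say "Store passwords using reversible encryption" but every bolded reference in the body uses the singular "**Store password using reversible encryption**"; the policy name should be identical throughout, and the one in the body is what readers will search for in the editor. Two style points in the same hunk: Best practices sets the value "to Disabled" in plain text but "**Enabled**" in bold one sentence later, and the Location line `**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\**` is bolded and ends with a trailing backslash, whereas the other policy pages in this patch list the path unbolded without the trailing separator.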
@@ -10,6 +10,7 @@ author: brianlic-msft --- # Switch PCR banks on TPM 2.0 devices + **Applies to** - Windows 10 diff --git a/windows/keep-secure/synchronize-directory-service-data.md b/windows/keep-secure/synchronize-directory-service-data.md index 4554452349..b562f8a178 100644 --- a/windows/keep-secure/synchronize-directory-service-data.md +++ b/windows/keep-secure/synchronize-directory-service-data.md 
@@ -2,88 +2,89 @@ title: Synchronize directory service data (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Synchronize directory service data security policy setting. ms.assetid: 97b0aaa4-674f-40f4-8974-b4bfb12c232c -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Synchronize directory service data + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Synchronize directory service data** security policy setting. + ## Reference + This policy setting determines which users and groups have authority to synchronize all directory service data, regardless of the protection for objects and properties. This privilege is required to use LDAP directory synchronization (dirsync) services. Domain controllers have this user right inherently because the synchronization process runs in the context of the **System** account on domain controllers. + Constant: SeSyncAgentPrivilege + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + - Ensure that no accounts are assigned the **Synchronize directory service data** user right. Only domain controllers need this privilege, which they inherently have. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is not defined on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

Domain Controller Effective Default Settings

Enabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| Domain Controller Effective Default Settings | Enabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The **Synchronize directory service data** user right affects domain controllers (only domain controllers should be able to synchronize directory service data). Domain controllers have this user right inherently because the synchronization process runs in the context of the **System** account on domain controllers. Attackers who have this user right can view all information that is stored within the directory. They could then use some of that information to facilitate additional attacks or expose sensitive data, such as direct telephone numbers or physical addresses. 
+ ### Countermeasure + Ensure that no accounts are assigned the **Synchronize directory service data** user right. + ### Potential impact + None. Not defined is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md index 811570c873..0862dc11d1 100644 --- a/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md +++ b/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md 
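Review bot: the converted Default values table in synchronize-directory-service-data.md keeps `Enabled` for `Domain Controller Effective Default Settings` and `Disabled` for the member-server and client rows, but the Possible values section two headings up lists only `User-defined list of accounts` and `Not defined`, and the sentence introducing the table says the setting is not defined on domain controllers and stand-alone servers. Since the HTML-to-markdown conversion is otherwise verbatim, either express the effective defaults in the same terms as Possible values or add a sentence saying what `Enabled`/`Disabled` means for a user right. Also, the `+| Client Computer Effective Default Settings | Disabled|` row is still followed by the old non-breaking-space line before `## Policy management`; the trailing `-  ` lines at the end of the file were dropped, so drop this one too.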
@@ -2,82 +2,78 @@ title: System cryptography Force strong key protection for user keys stored on the computer (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System cryptography Force strong key protection for user keys stored on the computer security policy setting. ms.assetid: 8cbff267-881e-4bf6-920d-b583a5ff7de0 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # System cryptography: Force strong key protection for user keys stored on the computer + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **System cryptography: Force strong key protection for user keys stored on the computer** security policy setting. + ## Reference + This policy setting determines whether users can use private keys, such as their Secure/Multipurpose Internet Mail Extensions (S/MIME) key, without a password. + Configuring this policy setting so that users must provide a password every time they use a key (in addition to their domain password) makes it more difficult for a malicious user to access locally-stored user keys, even if the attacker takes control of the user's device and determines their logon password. + ### Possible values + - **User input is not required when new keys are stored and used** - **User is prompted when the key is first used** - **User must enter a password each time they use a key** - Not defined + ### Best practices + - Set this policy to **User must enter a password each time they use a key**. Users must enter their password every time they access a key that is stored on their computer. For example, if users use an S/MIME certificate to digitally sign their email, they will be forced to enter the password for that certificate every time they send a signed email message. 
For some organizations, the overhead that is caused by using this value might be too high, but they should set the value at a minimum to **User is prompted when the key is first used**. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings| Not defined|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If a user's account is compromised or the user's device is inadvertently left unsecured, the malicious user can use the keys that are stored for the user to access protected resources. + ### Countermeasure + Configure the **System cryptography: Force strong key protection for user keys stored on the computer** setting to **User must enter a password each time they use a key** so that users must provide a password that is distinct from their domain password every time they use a key. This configuration makes it more difficult for an attacker to access locally stored user keys, even if the attacker takes control of the user's computer and determines the logon password. + ### Potential impact + Users must type their password every time they access a key that is stored on their device. For example, if users use an S/MIME certificate to digitally sign their email, they are forced to type the password for that certificate every time they send a signed email message. For some organizations, the overhead that is involved by using this configuration may be too high. 
At a minimum, this setting should be set to **User is prompted when the key is first used**. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md index b762727564..a1a1738dad 100644 --- a/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md +++ b/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md 
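Review bot: the Default values table in this file labels the domain-controller row `DC Effective Default Settings`, while the same table in synchronize-directory-service-data.md in this patch uses `Domain Controller Effective Default Settings`; since every table in this patch is being rebuilt by hand, pick one label and use it across the files. The same nbsp leftover appears here: `+| Client Computer Effective Default Settings| Not defined|` is followed by the stray non-breaking-space line before `## Policy management`. Also, the Countermeasure says the key password is "distinct from their domain password" while the Reference paragraph says "in addition to their domain password"; both describe the same prompt, so align the wording.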
@@ -2,125 +2,112 @@ title: System cryptography Use FIPS compliant algorithms for encryption, hashing, and signing (Windows 10) description: This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. ms.assetid: 83988865-dc0f-45eb-90d1-ee33495eb045 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing + **Applies to** - Windows 10 + This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. + ## Reference -The Federal Information Processing Standard (FIPS) 140 is a security implementation that is designed for certifying cryptographic software. Windows implements these certified algorithms to meet the requirements and standards for cryptographic modules for use by departments and agencies of the United States federal government. + +The Federal Information Processing Standard (FIPS) 140 is a security implementation that is designed for certifying cryptographic software. Windows implements these certified algorithms to meet the requirements and standards for cryptographic modules for use by departments and agencies of the +United States federal government. + **TLS/SSL** -This policy setting determines whether the TLS/SSL security provider supports only the FIPS-compliant strong cipher suite known as TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA, which means that the provider only supports the TLS protocol as a client computer and as a server, if applicable. 
It uses only the Triple Data Encryption Standard (3DES) encryption algorithm for the TLS traffic encryption, only the Rivest-Shamir-Adleman (RSA) public key algorithm for the TLS key exchange and authentication, and only the Secure Hash Algorithm version 1 (SHA-1) hashing algorithm for the TLS hashing requirements. + +This policy setting determines whether the TLS/SSL security provider supports only the FIPS-compliant strong cipher suite known as TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA, which means that the provider only supports the TLS protocol as a client computer and as a server, if applicable. It uses only the +Triple Data Encryption Standard (3DES) encryption algorithm for the TLS traffic encryption, only the Rivest-Shamir-Adleman (RSA) public key algorithm for the TLS key exchange and authentication, and only the Secure Hash Algorithm version 1 (SHA-1) hashing algorithm for the TLS hashing requirements. + **Encrypting File System (EFS)** + For the EFS service, this policy setting supports the 3DES and Advanced Encryption Standard (AES) encryption algorithms for encrypting file data supported by the NTFS file system. To encrypt file data, by default EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key in the Windows Server 2003, Windows Vista, and later, and it uses a DESX algorithm in Windows XP. + **Remote Desktop Services (RDS)** + For encrypting Remote Desktop Services network communication, this policy setting supports only the Triple DES encryption algorithm. + **BitLocker** + For BitLocker, this policy setting needs to be enabled before any encryption key is generated. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 and later when this policy is enabled are incompatible with BitLocker on operating systems prior to Windows Server 2012 R2 and Windows 8.1; BitLocker will prevent the creation or use of recovery passwords on these systems, so recovery keys should be used instead. 
+ ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - For use with TLS, set this policy to **Enabled**. Client devices with this policy setting enabled will be unable to communicate through digitally encrypted or signed protocols with servers that do not support these algorithms. Client devices that are connected to the network and do not support these algorithms cannot use servers that require the algorithms for network communications. If you enable this policy setting, you must also configure Internet Explorer to use TLS. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ### Operating system version differences + When this setting is enabled, the Encrypting File System (EFS) service supports only the Triple DES encryption algorithm for encrypting file data. By default, the Windows Vista and the Windows Server 2003 implementation of EFS uses the Advanced Encryption Standard (AES) with a 256-bit key. The Windows XP implementation uses DESX. + When this setting is enabled, BitLocker generates recovery password or recovery keys applicable to versions listed in the following: - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
Operating systemsApplicability

Windows 10, Windows 8.1, and Windows Server 2012 R2

When created on these operating systems, the recovery password cannot be used on other systems listed in this table.

Windows Server 2012 and Windows 8

When created on these operating systems, the recovery key can be used on other systems listed in this table as well.

Windows Server 2008 R2 and Windows 7

When created on these operating systems, the recovery key can be used on other systems listed in this table as well.

Windows Server 2008 and Windows Vista

When created on these operating systems, the recovery key can be used on other systems listed in this table as well.

+ +| Operating systems | Applicability | +| - | - | +| Windows 10, Windows 8.1, and Windows Server 2012 R2| When created on these operating systems, the recovery password cannot be used on other systems listed in this table.| +| Windows Server 2012 and Windows 8 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.| +| Windows Server 2008 R2 and Windows 7 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.| +| Windows Server 2008 and Windows Vista | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + You can enable this policy setting to ensure that the device uses the most powerful algorithms that are available for digital encryption, hashing, and signing. Use of these algorithms minimize the risk of compromise of digitally encrypted or signed data by an unauthorized user. + ### Countermeasure + Enable the **System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing** setting. 
+ ### Potential impact -Client devices that have this policy setting enabled cannot communicate by means of digitally encrypted or signed protocols with servers that do not support these algorithms. Network clients that do not support these algorithms cannot use servers that require them for network communications. For example, many Apache-based Web servers are not configured to support TLS. If you enable this setting, you must also configure Internet Explorer® to use TLS. This policy setting also affects the encryption level that is used for the Remote Desktop Protocol (RDP). The Remote Desktop Connection tool uses the RDP protocol to communicate with servers that run Terminal Services and client computers that are configured for remote control; RDP connections fail if both devices are not configured to use the same encryption algorithms. + +Client devices that have this policy setting enabled cannot communicate by means of digitally encrypted or signed protocols with servers that do not support these algorithms. Network clients that do not support these algorithms cannot use servers that require them for network communications. For example, many Apache-based Web servers are not configured to support TLS. If you enable this setting, you must also configure Internet Explorer® to use TLS. This policy setting also affects the encryption level that is used for the Remote Desktop Protocol (RDP). The Remote Desktop Connection tool +uses the RDP protocol to communicate with servers that run Terminal Services and client computers that are configured for remote control; RDP connections fail if both devices are not configured to use the same encryption algorithms. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) 
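Review bot: the Reference section under **Encrypting File System (EFS)** says the setting supports both 3DES and AES for EFS, but the Operating system version differences section a few lines below says that when the setting is enabled EFS "supports only the Triple DES encryption algorithm"; one of these is wrong and the conversion copies both unchanged, so reconcile them before merging. Separately, three paragraphs in this hunk are now hard-wrapped mid-sentence (`+... departments and agencies of the` / `+United States federal government.`, `+... It uses only the` / `+Triple Data Encryption Standard`, and `+... The Remote Desktop Connection tool` / `+uses the RDP protocol`), while the rest of the file keeps one paragraph per line; re-join them so the source matches the other pages in this patch.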
diff --git a/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md index ed8f8e7cdb..1f3af1c21c 100644 --- a/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md +++ b/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md 
@@ -2,83 +2,83 @@ title: System objects Require case insensitivity for non-Windows subsystems (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System objects Require case insensitivity for non-Windows subsystems security policy setting. ms.assetid: 340d6769-8f33-4067-8470-1458978d1522 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # System objects: Require case insensitivity for non-Windows subsystems + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **System objects: Require case insensitivity for non-Windows subsystems** security policy setting. + ## Reference + This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is not case sensitive; however, the kernel supports case sensitivity for other subsystems, such as Portable Operating System Interface for UNIX (POSIX). Enabling this policy setting enforces case insensitivity for all directory objects, symbolic links, and input/output (I/O) objects, including file objects. Disabling this policy setting does not allow the Win32 subsystem to become case sensitive. + Because Windows is case insensitive but the POSIX subsystem will support case sensitivity, if this policy setting is not enforced, it is possible for a user of that subsystem to create a file with the same name as another file but with a different mix of capital letters. That might confuse users when they try to access these files by using normal Win32 tools, because only one of the files will be available. + ### Possible values + - Enabled + Case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. + - Disabled + Will not allow the Win32 subsystem to become case sensitive. 
+ - Not defined + ### Best practices + - Set this policy to **Enabled**. All subsystems will be forced to observe case insensitivity. However, this might confuse users who are familiar with one of the UNIX-based operating systems and are used to a case sensitive operating system. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Because Windows is case insensitive but the POSIX subsystem supports case sensitivity, failure to enable this policy setting makes it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of uppercase and lowercase letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files is available. + ### Countermeasure + Enable the **System objects: Require case insensitivity for non-Windows subsystems** setting. + ### Potential impact + All subsystems are forced to observe case insensitivity. This configuration may confuse users who are familiar with any UNIX-based operating systems that are case sensitive. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md index 1aee1c46fa..5be5a462b1 100644 
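Review bot: the Vulnerability paragraph in system-objects-require-case-insensitivity-for-non-windows-subsystems.md is a near-verbatim repeat of the second Reference paragraph ("Because Windows is case insensitive but the POSIX subsystem ... only one of the files is available"); since the file is being reflowed anyway, either shorten one of them or have the Vulnerability section refer to the Reference text. The nbsp line after `+| Client Computer Effective Default Settings | Enabled|` is left in place here too while the trailing ones at the end of the file are removed.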
--- a/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md +++ b/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md 
@@ -2,80 +2,75 @@ title: System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links) security policy setting. ms.assetid: 3a592097-9cf5-4fd0-a504-7cbfab050bb6 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)** security policy setting. + ## Reference + This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Windows maintains a global list of shared system resources such as MS-DOS device names, mutexes, and semaphores. By using this list, processes can locate and share objects. Each type of object is created with a default DACL that specifies who can access the objects with what permissions. Enabling this policy setting strengthens the default DACL and allows users who are not administrators to read, but not to modify, shared objects that they did not create. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - It is advisable to set this policy to **Enabled**. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\ Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled | +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + This policy setting is enabled by default to protect against a known vulnerability that can be used with hard links or symbolic links. Hard links are actual directory entries in the file system. With hard links, the same data in a file system can be referred to by different file names. Symbolic links are text files that provide a pointer to the file that is interpreted and followed by the operating system as a path to another file or directory. Because symbolic links are a separate file, they can exist independently of the target location. If a symbolic link is deleted, its target location remains unaffected. When this setting is disabled, it is possible for a malicious user to destroy a data file by creating a link that looks like a temporary file that the system automatically creates, such as a sequentially named log file, but it points to the data file that the malicious user wants to eradicate. When the system writes the files with that name, the data is overwritten. 
Enabling **System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)** prevents an attacker from exploiting programs that create files with predictable names by not allowing them to write to objects that they did not create. + ### Countermeasure + Enable the **System objects: Strengthen default permissions of global system objects (for example, Symbolic Links)** setting. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/system-settings-optional-subsystems.md b/windows/keep-secure/system-settings-optional-subsystems.md index 96633aece6..15ec7c1221 100644 --- a/windows/keep-secure/system-settings-optional-subsystems.md +++ b/windows/keep-secure/system-settings-optional-subsystems.md 
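Review bot: the Countermeasure in system-objects-strengthen-default-permissions-of-internal-system-objects.md tells the reader to enable **System objects: Strengthen default permissions of global system objects (for example, Symbolic Links)**, but the title, heading and Vulnerability paragraph of the same file call it "...of internal system objects (e.g. Symbolic Links)"; use the heading's name in all three places so the reader can find the setting under Security Options. Also the Location line has a stray space: `Security Settings\\ Local Policies\\Security Options` should read `Security Settings\\Local Policies\\Security Options`, matching the other files in this patch.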
@@ -2,81 +2,78 @@ title: System settings Optional subsystems (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System settings Optional subsystems security policy setting. ms.assetid: 5cb6519a-4f84-4b45-8072-e2aa8a72fb78 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # System settings: Optional subsystems + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **System settings: Optional subsystems** security policy setting. + ## Reference + This policy setting determines which subsystems support your applications. You can use this security setting to specify as many subsystems as your environment demands. + The subsystem introduces a security risk that is related to processes that can potentially persist across logons. If a user starts a process and then logs out, the next user who logs on to the system might access the process that the previous user started. This is dangerous, because the process started by the first user can retain that user's system user rights; therefore, anything that the second user does using that process is performed with the user rights of the first user. This makes it difficult to trace who creates processes and objects, which is essential for post-security incident forensics. + ### Possible values + - User-defined list of subsystems - Not defined + ### Best practices + - Set this policy setting to a null value. The default value is **POSIX**, so applications that rely on the POSIX subsystem will no longer run. For example, Microsoft Services for UNIX 3.0 installs an updated version of the POSIX subsystem. Reset this policy setting in Group Policy for any servers that use Services for UNIX 3.0. 
+ ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

POSIX

DC Effective Default Settings

POSIX

Member Server Effective Default Settings

POSIX

Client Computer Effective Default Settings

POSIX

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | POSIX| +| DC Effective Default Settings | POSIX| +| Member Server Effective Default Settings| POSIX| +| Client Computer Effective Default Settings | POSIX|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The POSIX subsystem is an Institute of Electrical and Electronic Engineers (IEEE) standard that defines a set of operating system services. The POSIX subsystem is required if the server supports applications that use that subsystem. + The POSIX subsystem introduces a security risk that relates to processes that can potentially persist across logons. If a user starts a process and then logs out, there is a potential that the next user who logs on to the computer could access the previous user's process. This would allow the second user to take actions on the process by using the privileges of the first user. + ### Countermeasure + Configure the **System settings: Optional subsystems setting** to a null value. The default value is POSIX. + ### Potential impact + Applications that rely on the POSIX subsystem no longer operate. For example, Microsoft Services for UNIX (SFU) installs an updated version of the POSIX subsystem that is required, so you must reconfigure this setting in Group Policy for any servers that use SFU. 
+ ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md index ce05d099f5..ae25abd015 100644 --- a/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md +++ b/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md 
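Review bot: In the Countermeasure paragraph the bold span swallows the word "setting" (`**System settings: Optional subsystems setting**`), which breaks the convention used in the rest of these files where only the policy name is bolded; suggest `**System settings: Optional subsystems**` setting. While that line is being touched, the Vulnerability paragraph expands IEEE as "Institute of Electrical and Electronic Engineers"; the correct name is "Institute of Electrical and Electronics Engineers". The converted default-values table itself matches the removed HTML rows (Not defined for the two domain policies, POSIX for the four effective defaults), so no issue there.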
@@ -2,80 +2,76 @@ title: System settings Use certificate rules on Windows executables for Software Restriction Policies (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System settings Use certificate rules on Windows executables for Software Restriction Policies security policy setting. ms.assetid: 2380d93b-b553-4e56-a0c0-d1ef740d089c -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # System settings: Use certificate rules on Windows executables for Software Restriction Policies + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **System settings: Use certificate rules on Windows executables for Software Restriction Policies** security policy setting. + ## Reference + This policy setting determines whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. This security setting enables or disables certificate rules (which are a type of software restriction policy). With a software restriction policy, you can create a certificate rule that allows or disallows Microsoft Authenticode®-signed software to run, based on the digital certificate that is associated with the software. For certificate rules to work in software restriction policies, you must enable this security setting. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices -- Set this policy to **Enabled**. Enabling certificate rules results in software restriction policies checking a certificate revocation list (CRL) to make sure that the software's certificate and signature are valid. When you start signed programs, this setting can decrease system performance. 
You can disable CRLs by editing the software restriction policies in the desired GPO. In the **Trusted Publishers Properties** dialog box, clear the **Publisher** and **Timestamp** check boxes. + +- Set this policy to **Enabled**. Enabling certificate rules results in software restriction policies checking a certificate revocation list (CRL) to make sure that the software's certificate and signature are valid. When you start signed programs, this setting can decrease system performance. +You can disable CRLs by editing the software restriction policies in the desired GPO. In the **Trusted Publishers Properties** dialog box, clear the **Publisher** and **Timestamp** check boxes. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled | +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Without the use of software restriction policies, users and device might be exposed to unauthorized software that could include malware. + ### Countermeasure + Enable the **System settings: Use certificate rules on Windows executables for Software Restriction Policies** setting. + ### Potential impact + If you enable certificate rules, software restriction policies check a certificate revocation list (CRL) to verify that the software's certificate and signature are valid. This checking process may negatively affect performance when signed programs start. To disable this feature, you can edit the software restriction policies in the appropriate GPO. In the **Trusted Publishers Properties** dialog box, clear the **Publisher** and **Timestamp** check boxes. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/take-ownership-of-files-or-other-objects.md b/windows/keep-secure/take-ownership-of-files-or-other-objects.md index 5274e1f278..24ab3257e2 100644 
--- a/windows/keep-secure/take-ownership-of-files-or-other-objects.md +++ b/windows/keep-secure/take-ownership-of-files-or-other-objects.md 
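Review bot: The new Vulnerability line reads "users and device might be exposed"; it should be "users and devices". In the Best practices bullet, the continuation line "You can disable CRLs by editing the software restriction policies in the desired GPO." is added without list indentation, so it is kept inside the bullet only by lazy continuation; indent it under the bullet (or make it a separate paragraph) so the rendering is deliberate. It would also help readers to state on that line what the Potential impact section already implies: clearing the **Publisher** and **Timestamp** check boxes turns off the CRL check, so the performance gain comes at the cost of revocation checking.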
@@ -2,98 +2,106 @@ title: Take ownership of files or other objects (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Take ownership of files or other objects security policy setting. ms.assetid: cb8595d1-74cc-4176-bb15-d97663eebb2d -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Take ownership of files or other objects + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Take ownership of files or other objects** security policy setting. + ## Reference + This policy setting determines which users can take ownership of any securable object in the device, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads. + Every object has an owner, whether the object resides in an NTFS volume or Active Directory database. The owner controls how permissions are set on the object and to whom permissions are granted. + By default, the owner is the person who or the process which created the object. Owners can always change permissions to objects, even when they are denied all access to the object. + Constant: SeTakeOwnershipPrivilege + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + - Assigning this user right can be a security risk. Because owners of objects have full control of them, only assign this user right to trusted users. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. 
- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + Ownership can be taken by: + - An administrator. By default, the Administrators group is given the **Take ownership of files or other objects** user right. - Anyone or any group who has the **Take ownership** user right on the object. - A user who has the **Restore files and directories** user right. + Ownership can be transferred in the following ways: + - The current owner can grant the **Take ownership** user right to another user if that user is a member of a group defined in the current owner's access token. The user must take ownership to complete the transfer. - An administrator can take ownership. - A user who has the **Restore files and directories** user right can double-click **Other users and groups** and choose any user or group to assign ownership to. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. 
+ ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -Any users with the **Take ownership of files or other objects user right** can take control of any object, regardless of the permissions on that object, and then make any changes that they want to make to that object. Such changes could result in exposure of data, corruption of data, or a denial-of-service condition. + +Any users with the **Take ownership of files or other objects user right** can take control of any object, regardless of the permissions on that object, and then make any changes that they want to make to that object. Such changes could result in exposure of data, corruption of data, or a +denial-of-service condition. + ### Countermeasure + Ensure that only the local Administrators group has the **Take ownership of files or other objects** user right. + ### Potential impact + None. Restricting the **Take ownership of files or other objects** user right to the local Administrators group is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/keep-secure/test-an-applocker-policy-by-using-test-applockerpolicy.md index 09ccf98b7d..fcc3bf2eac 100644 --- a/windows/keep-secure/test-an-applocker-policy-by-using-test-applockerpolicy.md +++ b/windows/keep-secure/test-an-applocker-policy-by-using-test-applockerpolicy.md 
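Review bot: The re-added Vulnerability paragraph keeps the misplaced bold `**Take ownership of files or other objects user right**`; only the right's name should be bold (`**Take ownership of files or other objects** user right`), matching the Countermeasure and Potential impact lines that follow. The same edit introduces a hard line break mid-sentence ("or a" / "denial-of-service condition"); since the paragraph is otherwise unchanged, keep the sentence on one line. Minor wording in the Reference section: "the person who or the process which created the object" reads awkwardly ("the user or process that created the object"), and "By default this setting is Administrators" in Default values needs a comma after "By default".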
@@ -2,28 +2,42 @@ title: Test an AppLocker policy by using Test-AppLockerPolicy (Windows 10) description: This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer. ms.assetid: 048bfa38-6825-4a9a-ab20-776cf79f402a -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Test an AppLocker policy by using Test-AppLockerPolicy + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer. + The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collections will be blocked on your reference computer or the computer on which you maintain policies. Perform the following steps on any computer where the AppLocker policies are applied. + Any user account can be used to complete this procedure. + **To test an AppLocker policy by using Test-AppLockerPolicy** + 1. Export the effective AppLocker policy. To do this, you must use the **Get-AppLockerPolicy** Windows PowerShell cmdlet. + 1. Open a Windows PowerShell command prompt window as an administrator. 2. Use the **Get-AppLockerPolicy** cmdlet to export the effective AppLocker policy to an XML file: + `Get-AppLockerPolicy –Effective –XML > ` + 2. 
Use the **Get-ChildItem** cmdlet to specify the directory that you want to test, specify the **Test-AppLockerPolicy** cmdlet with the XML file from the previous step to test the policy, and use the **Export-CSV** cmdlet to export the results to a file to be analyzed: + `Get-ChildItem -Filter -Recurse | Convert-Path | Test-AppLockerPolicy –XMLPolicy -User -Filter | Export-CSV ` + The following shows example input for **Test-AppLockerPolicy**: -`PS C:\ Get-AppLockerPolicy –Effective –XML > C:\Effective.xml` -`PS C:\ Get-ChildItem 'C:\Program Files\Microsoft Office\' –filter *.exe –Recurse | Convert-Path | Test-AppLockerPolicy –XMLPolicy C:\Effective.xml –User contoso\zwie –Filter Denied,DeniedByDefault | Export-CSV C:\BlockedFiles.csv` + +```syntax +PS C:\ Get-AppLockerPolicy –Effective –XML > C:\Effective.xml +PS C:\ Get-ChildItem 'C:\Program Files\Microsoft Office\' –filter *.exe –Recurse | Convert-Path | Test-AppLockerPolicy –XMLPolicy C:\Effective.xml –User contoso\zwie –Filter Denied,DeniedByDefault | Export-CSV C:\BlockedFiles.csv +``` + In the example, the effective AppLocker policy is exported to the file C:\\Effective.xml. The **Get-ChildItem** cmdlet is used to recursively gather path names for the .exe files in C:\\Program Files\\Microsoft Office\\. The XMLPolicy parameter specifies that the C:\\Effective.xml file is an XML AppLocker policy file. By specifying the User parameter, you can test the rules for specific users, and the **Export-CSV** cmdlet allows the results to be exported to a comma-separated file. In the example, `-FilterDenied,DeniedByDefault` displays only those files that will be blocked for the user under the policy. -  -  diff --git a/windows/keep-secure/test-and-update-an-applocker-policy.md b/windows/keep-secure/test-and-update-an-applocker-policy.md index 4ae1a87af2..99e46e3022 100644 --- a/windows/keep-secure/test-and-update-an-applocker-policy.md +++ b/windows/keep-secure/test-and-update-an-applocker-policy.md 
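Review bot: The two templated commands in the numbered steps have lost their placeholders: `Get-AppLockerPolicy –Effective –XML > ` ends right after the redirect, and `Get-ChildItem -Filter -Recurse | Convert-Path | Test-AppLockerPolicy –XMLPolicy -User -Filter | Export-CSV ` has nothing after `-Filter`, `–XMLPolicy`, `-User`, `-Filter` or `Export-CSV`, so a reader cannot tell what to substitute; restore the placeholders, escaped so the angle brackets survive rendering. The new fence is tagged `syntax`, which no highlighter recognizes; tag it `powershell`. The example commands use en dashes for parameters (`–Effective`, `–XMLPolicy`, `–User`) and mix `-Filter` with `–filter`; normalize to ASCII hyphens and one casing so the lines paste cleanly. The text also states "Any user account can be used to complete this procedure" and then step 1 says to open PowerShell as an administrator; one of the two should change. In the closing paragraph, `-FilterDenied,DeniedByDefault` is missing the space after `-Filter`.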
@@ -2,37 +2,61 @@ title: Test and update an AppLocker policy (Windows 10) description: This topic discusses the steps required to test an AppLocker policy prior to deployment. ms.assetid: 7d53cbef-078c-4d20-8b00-e821e33b6ea1 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Test and update an AppLocker policy + **Applies to** - Windows 10 + This topic discusses the steps required to test an AppLocker policy prior to deployment. + You should test each set of rules to ensure that the rules perform as intended. If you use Group Policy to manage AppLocker policies, complete the following steps for each Group Policy Object (GPO) where you have created AppLocker rules. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules for simultaneous testing in all of your test GPOs. + ## Step 1: Enable the Audit only enforcement setting + By using the **Audit only** enforcement setting, you can ensure that the AppLocker rules that you have created are properly configured for your organization. This setting can be enabled on the **Enforcement** tab of the **AppLocker Properties** dialog box. For the procedure to do this, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). + ## Step 2: Configure the Application Identity service to start automatically + Because AppLocker uses the Application Identity service to verify the attributes of a file, you must configure it to start automatically in any one GPO that applies AppLocker rules. For the procedure to do this, see [Configure the Application Identity Service](configure-the-application-identity-service.md). For AppLocker policies that are not managed by a GPO, you must ensure that the service is running on each PC in order for the policies to be applied. 
+ ## Step 3: Test the policy + Test the AppLocker policy to determine if your rule collection needs to be modified. Because you have created AppLocker rules, enabled the Application Identity service, and enabled the **Audit only** enforcement setting, the AppLocker policy should be present on all client PC that are configured to receive your AppLocker policy. + The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference PCs. For the procedure to do this, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). + ## Step 4: Analyze AppLocker events You can either manually analyze AppLocker events or use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to automate the analysis. + **To manually analyze AppLocker events** + You can view the events either in Event Viewer or a text editor and then sort those events to perform an analysis, such as looking for patterns in application usage events, access frequencies, or access by user groups. If you have not configured an event subscription, then you will have to review the logs on a sampling of computers in your organization. For more information about using Event Viewer, see [Monitor application usage with AppLocker](monitor-application-usage-with-applocker.md). + **To analyze AppLocker events by using Get-AppLockerFileInformation** + You can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to analyze AppLocker events from a remote computer. If an app is being blocked and should be allowed, you can use the AppLocker cmdlets to help troubleshoot the problem. 
+ For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** cmdlet to determine which files have been blocked or would have been blocked (if you are using the **Audit only** enforcement mode) and how many times the event has occurred for each file. For the procedure to do this, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md). + After using **Get-AppLockerFileInformation** to determine how many times that a file would have been blocked from running, you should review your rule list to determine whether a new rule should be created for the blocked file or whether an existing rule is too strictly defined. Ensure that you check which GPO is currently preventing the file from running. To determine this, you can use the Group Policy Results Wizard to view rule names. + ## Step 5: Modify the AppLocker policy + After you have identified which rules need to be edited or added to the policy, you can use the Group Policy Management Console to modify the AppLocker rules in the relevant GPOs. For AppLocker policies that are not managed by a GPO, you can use the Local Security Policy snap-in (secpol.msc). For info how to modify an AppLocker policy, see, [Edit an AppLocker policy](edit-an-applocker-policy.md). + ## Step 6: Repeat policy testing, analysis, and policy modification + Repeat the previous steps 3–5 until all the rules perform as intended before applying enforcement. + ## Additional resources + - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).     diff --git a/windows/keep-secure/testing-scenarios-for-edp.md b/windows/keep-secure/testing-scenarios-for-edp.md index 810bb44663..e2187af349 100644 --- a/windows/keep-secure/testing-scenarios-for-edp.md +++ b/windows/keep-secure/testing-scenarios-for-edp.md 
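Review bot: "## Step 4: Analyze AppLocker events" is the only heading in this file that did not get a blank line after it in this change, so the following paragraph attaches directly to the heading; add the blank line for consistency with Steps 1 to 3 and 5 to 6. Also in Step 3, "all client PC that are configured" should be "all client PCs", and in Step 5 "For info how to modify an AppLocker policy, see, [Edit an AppLocker policy]" has a stray comma after "see" and is missing "about". The trailing non-breaking-space lines after the Additional resources bullet are left in place here while the equivalent lines were removed in the other files in this change.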
@@ -2,10 +2,11 @@ title: Testing scenarios for enterprise data protection (EDP) (Windows 10) description: We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company. ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2 -keywords: ["EDP", "Enterprise Data Protection"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/tools-to-use-with-applocker.md b/windows/keep-secure/tools-to-use-with-applocker.md index ed1080877e..5d2d69ff81 100644 --- a/windows/keep-secure/tools-to-use-with-applocker.md +++ b/windows/keep-secure/tools-to-use-with-applocker.md 
@@ -2,33 +2,52 @@ title: Tools to use with AppLocker (Windows 10) description: This topic for the IT professional describes the tools available to create and administer AppLocker policies. ms.assetid: db2b7cb3-7643-4be5-84eb-46ba551e1ad1 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Tools to use with AppLocker + **Applies to** - Windows 10 + This topic for the IT professional describes the tools available to create and administer AppLocker policies. + The following tools can help you administer the application control policies created by using AppLocker on the local device or by using Group Policy. For info about the basic requirements for using AppLocker, see [Requirements to use AppLocker](requirements-to-use-applocker.md). + - **AppLocker Local Security Policy MMC snap-in** + The AppLocker rules can be maintained by using the Local Security Policy snap-in (secpol.msc) of the Microsoft Management Console (MMC). For procedures to create, modify, and delete AppLocker rules, see [Working with AppLocker rules](working-with-applocker-rules.md). + - **Generate Default Rules tool** + AppLocker includes default rules for each rule collection accessed through the Local Security Policy snap-in. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For info about how to use this tool, see [Create AppLocker default rules](create-applocker-default-rules.md). + - **Automatically Generate AppLocker Rules wizard** + By using the Local Security Policy snap-in, you can automatically generate rules for all files within a folder. The wizard will scan the specified folder and create the condition types that you choose for each file in that folder. For info about how to use this wizard, see [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md). 
+ - **Group Policy** + You can edit an AppLocker policy by adding, changing, or removing rules by using the Group Policy Management Console (GPMC). + If you want additional features to manage AppLocker policies, such as version control, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. + - **Remote Server Administration Tools (RSAT)** + You can use a device with a supported operating system that has the Remote Server Administration Tools (RSAT) installed to create and maintain AppLocker policies. + - **Event Viewer** + The AppLocker log contains information about applications that are affected by AppLocker rules. For info about using Event Viewer to review the AppLocker logs, see [Using Event Viewer with AppLocker](using-event-viewer-with-applocker.md), and [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). + - **AppLocker PowerShell cmdlets** + The AppLocker Windows PowerShell cmdlets are designed to streamline the administration of AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the Local Security Policy snap-in and the GPMC. For information about the cmdlets, see the [AppLocker PowerShell Command Reference](http://technet.microsoft.com/library/hh847210.aspx). + ## Related topics -[AppLocker technical reference](applocker-technical-reference.md) -  -  + +- [AppLocker technical reference](applocker-technical-reference.md) diff --git a/windows/keep-secure/tpm-fundamentals.md b/windows/keep-secure/tpm-fundamentals.md index 26e6b4403e..6969c89924 100644 --- a/windows/keep-secure/tpm-fundamentals.md +++ b/windows/keep-secure/tpm-fundamentals.md 
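Review bot: The description paragraphs under each tool bullet ("The AppLocker rules can be maintained by using the Local Security Policy snap-in...", "AppLocker includes default rules for each rule collection...", and so on) are added with a blank line after the bullet and no indentation, so Markdown renders each as a separate top-level paragraph and splits the tool list into eight one-item lists. Indent the description lines by the width of the bullet marker (or remove the blank line between bullet and description) so each description stays inside its list item; the same pattern appears under **Group Policy**, where the second paragraph about version control also needs the indentation.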
@@ -2,23 +2,34 @@ title: TPM fundamentals (Windows 10) description: This topic for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks. ms.assetid: ac90f5f9-9a15-4e87-b00d-4adcf2ec3000 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # TPM fundamentals + **Applies to** - Windows 10 + This topic for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks. + A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer, and it communicates with the remainder of the system by using a hardware bus. + Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called wrapping or binding a key, can help protect the key from disclosure. Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM itself. The private portion of a storage root key or endorsement key that is created in a TPM is never exposed to any other component, software, process, or user. + You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys cannot be migrated, the private portion of the key is never exposed outside the TPM. + Computers that incorporate a TPM can also create a key that has not only been wrapped, but is also tied to certain platform measurements. 
This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as “sealing the key to the TPM.” Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM. With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met. + With a TPM, private portions of key pairs are kept separate from the memory that is controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system (assurances that define the trustworthiness of a system) can be made before the keys are unsealed and released for use. Because the TPM uses its own internal firmware and logic circuits to process instructions, it does not rely on the operating system, and it is not exposed to vulnerabilities that might exist in the operating system or application software. + For info about which versions of Windows support which versions of the TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md). The features that are available in the versions are defined in specifications by the Trusted Computing Group (TCG). For more info, see the Trusted Platform Module page on the Trusted Computing Group website: [Trusted Platform Module](http://www.trustedcomputinggroup.org/developers/trusted_platform_module). + The following sections provide an overview of the technologies that support the TPM: + - [TPM-based Virtual Smart Card](#bkmk-vsc) - [Measured Boot with support for attestation](#bkmk-measuredboot) - [Automated provisioning and management of the TPM](#bkmk-autoprov) 
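Review bot: The in-page links in the "following sections" list point at `#bkmk-vsc`, `#bkmk-measuredboot` and `#bkmk-autoprov` (and `#bkmk-howtpmmitigates`, `#bkmk-checkstate`, `#bkmk-fixrfm` in the next hunk), but the headings added in this change (`## Automated provisioning and management of the TPM`, `## Measured Boot with support for attestation`, `## TPM-based Virtual Smart Card`) carry no matching anchor, so the links will resolve only if the renderer happens to keep the old ids; either keep an explicit anchor on each heading or rewrite the links to the headings' generated slugs. Also, the list order (Virtual Smart Card, Measured Boot, Automated provisioning) does not match the order in which the sections appear in the file (Automated provisioning, Measured Boot, Virtual Smart Card); aligning them would help navigation.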
@@ -32,156 +43,157 @@ The following sections provide an overview of the technologies that support the - [How the TPM mitigates dictionary attacks](#bkmk-howtpmmitigates) - [How do I check the state of my TPM?](#bkmk-checkstate) - [What can I do if my TPM is in reduced functionality mode?](#bkmk-fixrfm) + The following topic describes the TPM Services that can be controlled centrally by using Group Policy settings: [Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md) + ## Automated provisioning and management of the TPM + TPM provisioning can be streamlined to make it easier to deploy systems that are ready for BitLocker and other TPM-dependent features. These enhancements include simplifying the TPM state model to report **Ready**, **Ready with reduced functionality**, or **Not ready**. You can also automatically provision TPMs in the **Ready** state, remote provisioning to remove the requirement for the physical presence of a technician for the initial deployment. In addition, the TPM stack is available in the Windows Preinstallation Environment (Windows PE). + A number of management settings have been added for easier management and configuration of the TPM through Group Policy. The primary new settings include Active Directory-based backup of TPM owner authentication, the level of owner authentication that should be stored locally on the TPM, and the software-based TPM lockout settings for standard users. For more info about backing up owner authentication to Windows Server 2008 R2 AD DS domains, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). + ## Measured Boot with support for attestation + The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components. 
Antimalware software can use the log to determine whether components that ran before it are trustworthy versus infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can initiate remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate. + ## TPM-based Virtual Smart Card -The Virtual Smart Card emulates the functionality of traditional smart cards, but Virtual Smart Cards use the TPM chip that is available on an organization’s computers, rather than requiring the use of a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user. + +The Virtual Smart Card emulates the functionality of traditional smart cards, but Virtual Smart Cards use the TPM chip that is available on an organization’s computers, rather than requiring the use of a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a +Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user. + ## TPM-based certificate storage + The TPM can be used to protect certificates and RSA keys. The TPM key storage provider (KSP) provides easy, convenient use of the TPM as a way of strongly protecting private keys. 
The TPM KSP can be used to generate keys when an organization enrolls for certificates, and the KSP is managed by templates in the UI. The TPM can also be used to protect certificates that are imported from an outside source. TPM-based certificates can be used exactly as standard certificates with the added functionality that the certificate can never leave the TPM from which the keys were generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx). + ## TPM Owner Authorization Value -For Windows 8 a change to how the TPM owner authorization value is stored in AD DS was implemented in the AD DS schema. The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 schemas. Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change. If Active Directory backup of the TPM owner authorization value is enabled in a Windows Server 2008 R2 environment without extending the schema, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8. + +For Windows 8 a change to how the TPM owner authorization value is stored in AD DS was implemented in the AD DS schema. The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. +This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 schemas. Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. 
If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change. If Active Directory backup of the TPM owner authorization value is enabled in a Windows Server 2008 R2 environment without extending the schema, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8. + If your computer is not being joined to a domain the TPM owner authorization value will be stored in the local computer registry. Using BitLocker to encrypt the operating system drive will protect the owner authorization value from being disclosed when the computer is at rest, but there is a risk that a malicious user could obtain the TPM owner authorization value when the computer is unlocked. Therefore, we recommend that in this situation you configure your computer to automatically lock after 30 seconds of inactivity. If automatic locking is not used, then you should consider removing full owner authorization from the computer registry. + **Registry information** + Registry key: HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\TPM DWORD: OSManagedAuthLevel - ---- - - - - - - - - - - - - - - - - - - - - -
Value DataSetting

0

None

2

Delegated

4

Full

+ +| Value Data | Setting | +| - | - | +| 0 | None| +| 2 | Delegated| +| 4 | Full|   -**Note**   -If the operating system managed TPM authentication setting is changed from "Full" to "Delegated" the full TPM owner authorization value will be regenerated and any copies of the original TPM owner authorization value will be invalid. If you are backing up the TPM owner authorization value to AD DS, the new owner authorization value will be automatically backed up to AD DS when it is changed. +>**Note:**  If the operating system managed TPM authentication setting is changed from "Full" to "Delegated" the full TPM owner authorization value will be regenerated and any copies of the original TPM owner authorization value will be invalid. If you are backing up the TPM owner authorization value to AD DS, the new owner authorization value will be automatically backed up to AD DS when it is changed.   ## TPM Cmdlets + If you are using PowerShell to script and manage your computers, you can now manage the TPM using Windows PowerShell as well. To install the TPM cmdlets use the following command: -**dism /online /enable-feature /FeatureName:tpm-psh-cmdlets** + +`dism /online /enable-feature /FeatureName:tpm-psh-cmdlets` For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) + ## Physical presence interface -The TCG specifications for TPMs require physical presence to perform some TPM administrative functions, such as turning on and turning off the TPM. Physical presence means a person must physically interact with the system and the TPM interface to confirm or reject changes to TPM status. This typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them. 
Here are some are examples of TPM administrative tasks that require physical presence: + +The TCG specifications for TPMs require physical presence to perform some TPM administrative functions, such as turning on and turning off the TPM. Physical presence means a person must physically interact with the system and the +TPM interface to confirm or reject changes to TPM status. This typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them. Here are some are examples of TPM administrative tasks that require physical presence: + - Activating the TPM - Clearing the existing owner information from the TPM without the owner’s password - Deactivating the TPM - Disabling the TPM temporarily without the owner’s password + ## States of existence in a TPM + For each of these TPM 1.2 states of existence, the TPM can transition into another state (for example, moving from disabled to enabled). The states are not exclusive. + These states of existence do not apply for Trusted Platform Module 2.0 because it cannot be turned off from within the operating system environment. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
StateDescription

Enabled

Most features of the TPM are available.

-

The TPM can be enabled and disabled multiple times within a boot period, if ownership is taken.

Disabled

The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and perform hashing and basic initialization.

-

The TPM can be enabled and disabled multiple times within a start-up period.

Activated

Most features of the TPM are available. The TPM can be activated and deactivated only through physical presence, which requires a restart.

Deactivated

Similar to the disabled state, with the exception that ownership can be taken when the TPM is deactivated and enabled. The TPM can be activated and deactivated only through physical presence, which requires a restart.

Owned

Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data.

Unowned

The TPM does not have a storage root key, and it may or may not have an endorsement key.

+ +| State | Description | +| - | - | +| Enabled| Most features of the TPM are available.
The TPM can be enabled and disabled multiple times within a boot period, if ownership is taken.| +| Disabled| The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and perform hashing and basic initialization.
The TPM can be enabled and disabled multiple times within a start-up period. | +| Activated| Most features of the TPM are available. The TPM can be activated and deactivated only through physical presence, which requires a restart.| +| Deactivated| Similar to the disabled state, with the exception that ownership can be taken when the TPM is deactivated and enabled. The TPM can be activated and deactivated only through physical presence, which requires a restart.| +| Owned| Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data.| +| Unowned| The TPM does not have a storage root key, and it may or may not have an endorsement key.|   -**Important**   -Applications cannot use the TPM until the state is enabled, activated, and owned. All operations are available only when the TPM is in this state. +>**Important:**  Applications cannot use the TPM until the state is enabled, activated, and owned. All operations are available only when the TPM is in this state.   The state of the TPM exists independently of the computer’s operating system. When the TPM is enabled, activated, and owned, the state of the TPM is preserved if the operating system is reinstalled. + ## Endorsement keys -For a TPM to be usable by a trusted application, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM, and it is never revealed or accessible outside the TPM. If the TPM does not contain an endorsement key, the application might cause the TPM to generate one automatically as part of the setup. + +For a TPM to be usable by a trusted application, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM, and it is never revealed or accessible outside the TPM. 
If the +TPM does not contain an endorsement key, the application might cause the TPM to generate one automatically as part of the setup. An endorsement key can be created at various points in the TPM’s lifecycle, but it needs to be created only once for the lifetime of the TPM. The existence of an endorsement key is a requirement before TPM ownership can be taken. + ## Key attestation + TPM key attestation allows a certification authority to verify that a private key is actually protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys which have been proven valid can be used to bind the user identity to a device. Moreover, the user certificate with a TPM attested key provides higher security assurance backed up by the non-exportability, anti-hammering, and isolation of keys provided by a TPM. + ## How the TPM mitigates dictionary attacks + When a TPM processes a command, it does so in a protected environment, for example, a dedicated microcontroller on a discrete chip or a special hardware-protected mode on the main CPU. A TPM can be used to create a cryptographic key that is not disclosed outside the TPM, but is able to be used in the TPM after the correct authorization value is provided. + TPMs have dictionary attack logic that is designed to prevent brute force attacks that attempt to determine authorization values for using a key. The basic approach is for the TPM to allow only a limited number of authorization failures before it prevents more attempts to use keys and locks. Providing a failure count for individual keys is not technically practical, so TPMs have a global lockout when too many authorization failures occur. + Because many entities can use the TPM, a single authorization success cannot reset the TPM’s dictionary attack logic. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM’s dictionary attack logic. 
Generally TPMs are designed to forget about authorization failures after a period of time so the TPM does not enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM’s lockout logic. + ### TPM 2.0 dictionary attack behavior + TPM 2.0 has well defined dictionary attack logic behavior. This is in contrast to TPM 1.2 for which the dictionary attack logic was set by the manufacturer, and the logic varied widely throughout the industry. -**Warning**   -For the purposes of this topic, Windows 8 Certified Hardware also pertains to Windows 8.1 systems. The following references to “Windows” include these supported Windows versions. + +>**Warning:**  For the purposes of this topic, Windows 8 Certified Hardware also pertains to Windows 8.1 systems. The following references to “Windows” include these supported Windows versions.   For Windows 8 Certified Hardware systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts. + Attempts to use a key with an authorization value for the next two hours would not return success or failure; instead the response indicates that the TPM is locked. After two hours, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next two hours. If a period of 64 hours elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again. 
+ Windows 8 Certification does not require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated. Windows does require that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for two hours. + The dictionary attack logic for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators. + In some enterprise situations, the TPM owner authorization value is configured to be stored centrally in Active Directory, and it is not stored on the local system. An administrator can launch the TPM MMC and choose to reset the TPM lockout time. If the TPM owner password is stored locally, it is used to reset the lockout time. If the TPM owner password is not available on the local system, the administrator needs to provide it. If an administrator attempts to reset the TPM lockout state with the wrong TPM owner password, the TPM does not allow another attempt to reset the lockout state for 24 hours. + TPM 2.0 allows some keys to be created without an authorization value associated with them. These keys can be used when the TPM is locked. For example, BitLocker with a default TPM-only configuration is able to use a key in the TPM to start Windows, even when the TPM is locked. + ### Rationale behind the Windows 8.1 and Windows 8 defaults + Windows relies on the TPM 2.0 dictionary attack protection for multiple features. The defaults that are selected for Windows 8 balance trade-offs for different scenarios. For example, when BitLocker is used with a TPM plus PIN configuration, it needs the number of PIN guesses to be limited over time. 
If the computer is lost, someone could make only 32 PIN guesses immediately, and then only one more guess every two hours. This totals about 4415 guesses per year. This makes a good standard for system administrators to determine how many PIN characters to use for BitLocker deployments. + The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards: + Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPM’s dictionary attack is not reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors. + Hardware manufacturers and software developers have the option to use the security features of the TPM to meet their requirements. + The intent of selecting 32 failures as the lock-out threshold is so users rarely lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must to wait two hours or use some other credential to sign in, such as a user name and password. + ## How do I check the state of my TPM? + You can check the state of the TPM on a PC by running the Trusted Platform Module snap-in (tpm.msc). The **Status** heading tells you the state of your TPM. The TPM can be in one of the following states: **Ready for use**, **Ready for use, with reduced functionality**, and **Not ready for use**. To take advantage of most of the TPM features in Windows 10, the TPM must be **Ready for use**. + ## What can I do if my TPM is in reduced functionality mode? -If your TPM is in reduced functionality mode, some features that rely on the TPM will not function correctly. 
This is most often caused by doing a clean installation of Windows 10 on a device where Windows 8.1, Windows 8, or Windows 7 had previously been installed on the same hardware. If your TPM is in reduced functionality mode, the Status heading in the Trusted Platform Module snap-in shows **The TPM is ready for use, with reduced functionality**. You can fix this by clearing the TPM. + +If your TPM is in reduced functionality mode, some features that rely on the TPM will not function correctly. This is most often caused by doing a clean installation of Windows 10 on a device where Windows 8.1, Windows 8, or Windows 7 had previously been installed on the same hardware. If your TPM is in reduced functionality mode, the Status heading in the Trusted Platform Module snap-in shows **The TPM is ready for use, with reduced functionality**. +You can fix this by clearing the TPM. + **To clear the TPM** + 1. Open the Trusted Platform Module snap-in (tpm.msc). 2. Click **Clear TPM**, and then click **Restart.** 3. When the PC is restarting, you might be prompted to press a button on the keyboard to clear the TPM. 4. After the PC restarts, your TPM will be automatically prepared for use by Windows 10. -**Note**   -Clearing the TPM causes you to lose all TPM keys and data protected by those keys, such as a virtual smart card. You should not perform this procedure on a device you do not own, such as a work or school PC, without being instructed to do so by your IT administrator. + +>**Note:**  Clearing the TPM causes you to lose all TPM keys and data protected by those keys, such as a virtual smart card. You should not perform this procedure on a device you do not own, such as a work or school PC, without being instructed to do so by your IT administrator.   
## Additional resources -[Trusted Platform Module Technology Overview](trusted-platform-module-overview.md) -[Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md) -[TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) -[Schema Extensions for Windows Server 2008 R2 to support AD DS backup of TPM information from Windows 8 clients](ad-ds-schema-extensions-to-support-tpm-backup.md) -[TPM WMI providers](http://go.microsoft.com/fwlink/p/?LinkId=93478) -[Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx) -  -  + +- [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md) +- [Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md) +- [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) +- [Schema Extensions for Windows Server 2008 R2 to support AD DS backup of TPM information from Windows 8 clients](ad-ds-schema-extensions-to-support-tpm-backup.md) +- [TPM WMI providers](http://go.microsoft.com/fwlink/p/?LinkId=93478) +- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx) diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/keep-secure/tpm-recommendations.md index b9e5bc42f5..81b6385faf 100644 --- a/windows/keep-secure/tpm-recommendations.md +++ b/windows/keep-secure/tpm-recommendations.md 
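Review bot: the converted "States of existence" table in this hunk will not render past its first data row, because the Enabled and Disabled rows are each split across two lines: the cell text `| Enabled| Most features of the TPM are available.` continues on the next line with `The TPM can be enabled and disabled multiple times within a boot period, if ownership is taken.|`, and the Disabled row does the same with `The TPM can be enabled and disabled multiple times within a start-up period. |`. A Markdown table row has to be one physical line, so join each of those rows onto a single line (use `<br>` where the cell needs a visible break), as the new OSManagedAuthLevel table already does. While in this hunk: the added line `Here are some are examples of TPM administrative tasks that require physical presence:` should read "Here are some examples", the context sentence "they must to wait two hours or use some other credential" should read "they must wait", and the paragraphs that follow "The following list shows the advantages of virtual smart cards:" are plain paragraphs rather than list items, so either prefix them with `- ` or drop "list" from that lead-in.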
@@ -2,76 +2,116 @@ title: TPM recommendations (Windows 10) description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10. ms.assetid: E85F11F5-4E6A-43E7-8205-672F77706561 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # TPM recommendations + **Applies to** - Windows 10 - Windows 10 Mobile - Windows Server 2016 Technical Preview - Windows 10 IoT Core (IoT Core) + This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10. + ## Overview + Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. It has a security-related crypto-processor that is designed to carry out cryptographic operations in a variety of devices and form factors. It includes multiple physical security mechanisms to help prevent malicious software from tampering with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can: + 1. Generate, store, use, and protected cryptographic keys, 2. Use TPM technology for platform device authentication by using a unique endorsement key (EK), and 3. Help enhance platform integrity by taking and storing security measurements. + The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system. Traditionally, TPMs have been discrete chips soldered to a computer’s motherboard. 
Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. + TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows 10 automatically provisions a TPM, but if the user reinstalls the operating system, he or she may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features. + The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). + OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. 
Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key truly cannot leave the TPM. + The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs whereas others do not. -**Note**   -Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +>**Note:**  Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.   ## TPM 1.2 vs. 2.0 comparison + From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0, which has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM. + ## Why TPM 2.0? 
+ TPM 2.0 products and systems have important security advantages over TPM 1.2, including: + - The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm. - For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017. - TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms. + - TPM 2.0 supports SHA-256 as well as ECC, the latter being critical to drive signing and key generation performance. - TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](http://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/)). - Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions. + - TPM 2.0 offers a more **consistent experience** across different implementations. + - TPM 1.2 implementations across both discrete and firmware vary in policy settings. This may result in support issues as lockout policies vary. - TPM 2.0 standardized policy requirement helps establish a consistent lockout experience across devices, as such, Windows can offer a better user experience end to end. + - While TPM 1.2 parts were discrete silicon components typically soldered on the motherboard, TPM 2.0 is available both as a **discrete (dTPM)** silicon component and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on the system’s main SoC: + - On Intel chips, it is the Intel Management Engine (ME) or Converged Security Engine (CSE). - For AMD chips, it is the AMD Security Processor - For ARM chips, it is a Trustzone Trusted Application (TA). 
- In the case of firmware TPM for desktop Windows systems, the chip vendor provides the firmware TPM implementation along with the other chip firmware to OEMs. + ## Discrete or firmware TPM? + Windows uses discrete and firmware TPM in the same way. Windows gains no functional advantage or disadvantage from either option. + From a security standpoint, discrete and firmware share the same characteristics; + - Both use hardware based secure execution. - Both use firmware for portions of the TPM functionality. - Both are equipped with tamper resistance capabilities. - Both have unique security limitations/risks. + For more info, see [fTPM: A Firmware-based TPM 2.0 Implementation](http://research.microsoft.com/apps/pubs/?id=258236). + ## Is there any importance for TPM for consumer? + For end consumers, TPM is behind the scenes but still very relevant for Hello, Passport and in the future, many other key features in Windows 10. It offers the best Passport experience, helps encrypt passwords, secures streaming high quality 4K content and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage. 
+ ## TPM 2.0 Compliance for Windows 10 + ### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) + - As of July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx) ## Two implementation options: -• Discrete TPM chip as a separate discrete component -• Firmware TPM solution using Intel PTT (platform trust technology) or AMD + +- Discrete TPM chip as a separate discrete component +- Firmware TPM solution using Intel PTT (platform trust technology) or AMD + ### Windows 10 Mobile + - All devices shipping with Windows 10 Mobile must implement TPM 2.0 and ship with the TPM 2.0 enabled. + ### IoT Core + - TPM is optional on IoT Core. + ### Windows Server 2016 Technical Preview + - TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required. + ## TPM and Windows Features + The following table defines which Windows features require TPM support. Some features are not applicable to Windows 7/8/8.1 and are noted accordingly. + @@ -255,9 +295,11 @@ There are a variety of TPM manufacturers for both discrete and firmware.
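Review bot: `## Two implementation options:` is a level-2 heading sitting inside the `### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)` subsection, so it breaks the heading hierarchy (and ends in a colon); make it `#### Two implementation options` or turn it into a plain lead-in sentence for the two bullets that the hunk converts from `•` to `-`. The second of those bullets, `+- Firmware TPM solution using Intel PTT (platform trust technology) or AMD`, still ends mid-phrase exactly as the removed `•` line did; complete the AMD side of that sentence before merging rather than carrying the truncation over. Smaller wording fixes in the same hunk: "Generate, store, use, and protected cryptographic keys" should read "protect", and "make exception to standard configurations" should read "make exceptions".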
  ## OEM Feedback and Status on TPM 2.0 system availability + ### Certified TPM parts + Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. Discrete TPM 2.0 vendors have completion certification. + ### Windows 7 32-bit support + Even though Windows 7 shipped before the TPM 2.0 spec or products existed, Microsoft backported TPM 2.0 support to Windows 7 64-bit and released it in summer 2014 as a downloadable Windows hotfix for UEFI based Windows 7 systems. Microsoft is not currently planning to backport support to Windows 7 32-bit support. -  -  diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index 9199881438..7db942d7ba 100644 --- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Troubleshoot Windows Defender ATP onboarding issues description: Troubleshoot issues that might arise during the onboarding of endpoints or to the Windows Defender ATP service. keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, telemetry and diagnostics search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: iaanw --- diff --git a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md index 1d15cf5dd7..8340e9dcc0 100644 --- a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md 
+++ b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Troubleshoot Windows Defender Advanced Threat Protection description: Find solutions and work arounds to known issues such as server errors when trying to access the service. keywords: troubleshoot Windows Defender Advanced Threat Protection, troubleshoot Windows ATP, server error, access denied, invalid credentials, no data, dashboard portal, whitelist, event viewer search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- # Troubleshoot Windows Defender Advanced Threat Protection diff --git a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md index 24182d9e16..e60c0f663c 100644 --- a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md +++ b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md 
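Review bot: In the tpm-recommendations.md "TPM 2.0 Compliance for Windows 10" hunk above, `## Two implementation options:` is an H2 placed inside the `### Windows 10 for desktop editions` H3 section, which breaks the heading hierarchy; make it a bold lead-in or a `####`. Same hunk: `a existing model` should be `an existing model`, `graphic cards` should be `graphics cards`, and the bare MSDN URL in parentheses should be a markdown link. The second option bullet names Intel PTT but ends at `or AMD`, leaving the AMD firmware TPM option unnamed; either name it or drop the vendor qualifier so the bullet reads as a complete item.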
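Review bot: `Discrete TPM 2.0 vendors have completion certification` in the "OEM Feedback and Status" hunk of tpm-recommendations.md reads as a typo for `have completed certification`; please confirm the intended claim before it lands. The closing sentence doubles the word: `backport support to Windows 7 32-bit support`. Also, the `### Windows 7 32-bit support` heading announces support while the paragraph says the opposite (64-bit hotfix only, no 32-bit plans); a heading such as `### Windows 7 support` would describe the content accurately.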
@@ -2,30 +2,41 @@ title: Troubleshoot Windows Defender in Windows 10 (Windows 10) description: IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take. ms.assetid: EE488CC1-E340-4D47-B50B-35BD23CB4D70 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: security author: jasesso --- + # Troubleshoot Windows Defender in Windows 10 + **Applies to** - Windows 10 + IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take. + ## Windows Defender client event IDs + This section provides the following information about Windows Defender client events: + - The text of the message as it appears in the event - The name of the source of the message - The symbolic name that identifies each message in the programming source code - Additional information about the message + Use the information in this table to help troubleshoot Windows Defender client events; these are located in the **Windows Event Viewer**, under **Windows Logs**. + **To view a Windows Defender client event** + 1. Open **Event Viewer**. 2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**. 3. Double-click on **Operational**. 4. In the details pane, view the list of individual events to find your event. 5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs. + You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx). + @@ -3257,8 +3268,8 @@ article.

Event ID: 1000
+ ## Related topics -[Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) -[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) -  -  + +- [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) +- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) diff --git a/windows/keep-secure/trusted-platform-module-overview.md b/windows/keep-secure/trusted-platform-module-overview.md index 02ba8d12dc..e7b6e784ff 100644 --- a/windows/keep-secure/trusted-platform-module-overview.md +++ b/windows/keep-secure/trusted-platform-module-overview.md 
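Review bot: In the first troubleshoot-windows-defender-in-windows-10.md hunk, `these are located in the **Windows Event Viewer**, under **Windows Logs**` contradicts the procedure that immediately follows, which navigates to **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**; change `Windows Logs` to `Applications and Services Logs` so the sentence matches the steps. `Use the information in this table` also refers to a table that is not in the hunk's context; confirm it follows or reword to `the following table`. The second hunk's conversion of `## Related topics` to a bulleted list is fine.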
@@ -2,81 +2,75 @@ title: Trusted Platform Module Technology Overview (Windows 10) description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM. ms.assetid: face8932-b034-4319-86ac-db1163d46538 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Trusted Platform Module Technology Overview + **Applies to** - Windows 10 + This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM. + ## Feature description + Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can: + - Generate, store, and limit the use of cryptographic keys. - Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself. - Help ensure platform integrity by taking and storing security measurements. + The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system. 
+ TPM-based keys can be configured in a variety of ways. One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If too many incorrect authorization guesses occur, the TPM will activate its dictionary attack logic and prevent further authorization value guesses. + Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, consult the TCG Web site (). + Windows can automatically provision and manage the TPM. Group Policy settings can be configured to control whether the TPM owner authorization value is backed up in Active Directory. Because the TPM state persists across operating system installations, TPM information is stored in a location in Active Directory that is separate from computer objects. Depending on an enterprise’s security goals, Group Policy can be configured to allow or prevent local administrators from resetting the TPM’s dictionary attack logic. Standard users can use the TPM, but Group Policy controls limit how many authorization failures standard users can attempt so that one user is unable to prevent other users or the administrator from using the TPM. TPM technology can also be used as a virtual smart card and for secure certificate storage. With BitLocker Network Unlock, domain-joined computers are not prompted for a BitLocker PIN. + ## Practical applications + Certificates can be installed or created on computers that are using the TPM. After a computer is provisioned, the RSA private key for a certificate is bound to the TPM and cannot be exported. The TPM can also be used as a replacement for smart cards, which reduces the costs associated with creating and disbursing smart cards. + Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. 
New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process. + Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry. + The TPM has several Group Policy settings that can be used to manage how it is used. These settings can be used to manage the owner authorization value, the blocked TPM commands, the standard user lockout, and the backup of the TPM to AD DS. For more info, see [Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md). + ## New and changed functionality + For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](../whats-new/trusted-platform-module.md). + ## Device health attestation + Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. + Some things that you can check on the device are: + - Is Data Execution Prevention supported and enabled? - Is BitLocker Drive Encryption supported and enabled? - Is SecureBoot supported and enabled? -**Note**  The device must be running Windows 10 and it must support at least TPM 2.0. + +>**Note:**  The device must be running Windows 10 and it must support at least TPM 2.0.   
## Supported versions - ------- - - - - - - - - - - - - - - - - - - - - - - - - - -
TPM versionWindows 10Windows Server 2012 R2, Windows 8.1, and Windows RTWindows Server 2012, Windows 8, and Windows RTWindows Server 2008 R2 and Windows 7

TPM 1.2

X

X

X

X

TPM 2.0

X

X

X

X

-  + +| TPM version | Windows 10 | Windows Server 2012 R2, Windows 8.1, and Windows RT | Windows Server 2012, Windows 8, and Windows RT | Windows Server 2008 R2 and Windows 7 | +| - | - | - | - | - | +| TPM 1.2| X| X| X| X| +| TPM 2.0| X| X| X| X| + ## Additional Resources -[TPM Fundamentals](tpm-fundamentals.md) -[TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) -[TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) -[AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md) -[Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx) + +- [TPM Fundamentals](tpm-fundamentals.md) +- [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) +- [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) +- [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md) +- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx)     diff --git a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md index 4b274eecc5..ff626bb1de 100644 --- a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md +++ b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md 
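Review bot: `consult the TCG Web site ().` in the trusted-platform-module-overview.md hunk carries an empty link target; restore the URL or drop the parenthetical. `With device heath attestation` should be `health`. The claim that keeping a key non-exportable `is good to mitigate phishing attacks` does not match the mechanism the same sentence gives (it prevents the key from being copied and used elsewhere); `mitigate key theft` or `credential theft` would be accurate. In the converted `## Supported versions` table, TPM 2.0 gets an `X` under `Windows Server 2008 R2 and Windows 7`, but the tpm-recommendations.md hunk earlier in this patch states that TPM 2.0 support was backported only to Windows 7 64-bit, as a hotfix for UEFI-based systems; add a footnote to that cell so the two topics agree. Finally, the line holding only non-breaking spaces after the `>**Note:**` block should go, as the rest of this patch strips such lines.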
@@ -2,230 +2,188 @@ title: TPM Group Policy settings (Windows 10) description: This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. ms.assetid: 54ff1c1e-a210-4074-a44e-58fee26e4dbd -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # TPM Group Policy settings + **Applies to** - Windows 10 + This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. + ## + The TPM Services Group Policy settings are located at: + **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\** - -------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SettingWindows 10Windows Server 2012 R2, Windows 8.1 and Windows RTWindows Server 2012, Windows 8 and Windows RTWindows Server 2008 R2 and Windows 7Windows Server 2008 and Windows Vista

[Turn on TPM backup to Active Directory Domain Services](#bkmk-tpmgp-addsbu)

X

X

X

X

X

[Configure the list of blocked TPM commands](#bkmk-tpmgp-clbtc)

X

X

X

X

X

[Ignore the default list of blocked TPM commands](#bkmk-tpmgp-idlb)

X

X

X

X

X

[Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb)

X

X

X

X

X

[Configure the level of TPM owner authorization information available to the operating system](#bkmk-tpmgp-oauthos)

X

X

X

[Standard User Lockout Duration](#bkmk-tpmgp-suld)

X

X

X

[Standard User Individual Lockout Threshold](#bkmk-tpmgp-suilt)

X

X

X

[Standard User Total Lockout Threshold](#bkmk-tpmgpsutlt)

X

X

X

+ +| Setting | Windows 10 | Windows Server 2012 R2, Windows 8.1 and Windows RT | Windows Server 2012, Windows 8 and Windows RT | Windows Server 2008 R2 and Windows 7 | Windows Server 2008 and Windows Vista | +| - | - | - | - | - | - | +| [Turn on TPM backup to Active Directory Domain Services](#bkmk-tpmgp-addsbu) | X| X| X| X| X| +| [Configure the list of blocked TPM commands](#bkmk-tpmgp-clbtc)| X| X| X| X| X| +| [Ignore the default list of blocked TPM commands](#bkmk-tpmgp-idlb) | X| X| X| X| X| +| [Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb) | X| X| X| X| X| +| [Configure the level of TPM owner authorization information available to the operating system](#bkmk-tpmgp-oauthos)| X| X| X||| +| [Standard User Lockout Duration](#bkmk-tpmgp-suld)| X| X| X||| +| [Standard User Individual Lockout Threshold](#bkmk-tpmgp-suilt)| X| X| X||| +| [Standard User Total Lockout Threshold](#bkmk-tpmgpsutlt)| X| X| X||||   ### Turn on TPM backup to Active Directory Domain Services + This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of TPM owner information. -**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   TPM owner information includes a cryptographic hash of the TPM owner password. Certain TPM commands can be run only by the TPM owner. This hash authorizes the TPM to run these commands. -**Important**   -To back up TPM owner information from a computer running Windows 10, Windows 8.1, or Windows 8, you might need to first set up appropriate schema extensions and access control settings on the domain so that the AD DS backup can succeed. Windows Server 2012 R2 and Windows Server 2012 include the required schema extensions by default. 
For more information, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). + +>**Important:**  To back up TPM owner information from a computer running Windows 10, Windows 8.1, or Windows 8, you might need to first set up appropriate schema extensions and access control settings on the domain so that the AD DS backup can succeed. Windows Server 2012 R2 and Windows Server 2012 include the required schema extensions by default. For more information, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).   The TPM cannot be used to provide enhanced security features for BitLocker Drive Encryption and other applications without first setting an owner. To take ownership of the TPM with an owner password, on a local computer at the command prompt, type **tpm.msc** to open the TPM Management Console and select the action to **Initialize TPM**. If the TPM owner information is lost or is not available, limited TPM management is possible by running **tpm.msc**. + If you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TPM owner password. When this policy setting is enabled, a TPM owner password cannot be set or changed unless the computer is connected to the domain and the AD DS backup succeeds. + If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS. + ### Configure the list of blocked TPM commands + This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands that are blocked by Windows. -**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   
If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is **TPM\_OwnerReadInternalPub**, and command number 170 is **TPM\_FieldUpgrade**. To find the command number that is associated with each TPM command, at the command prompt, type **tpm.msc**to open the TPM Management Console and navigate to the **Command Management** section. + If you disable or do not configure this policy setting, only those TPM commands that are specified through the default or local lists can be blocked by Windows. The default list of blocked TPM commands is preconfigured by Windows. + - You can view the default list by typing **tpm.msc** at the command prompt, navigating to the **Command Management** section, and exposing the **On Default Block List** column. - The local list of blocked TPM commands is configured outside of Group Policy by running the TPM Management Console or scripting using the **Win32\_Tpm** interface. + For information how to enforce or ignore the default and local lists of blocked TPM commands, see + - [Ignore the default list of blocked TPM commands](#bkmk-tpmgp-idlb) - [Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb) ### Ignore the default list of blocked TPM commands + This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. -**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   The default list of blocked TPM commands is preconfigured by Windows. 
You can view the default list by typing **tpm.msc** at the command prompt to open the TPM Management Console, navigating to the **Command Management** section, and exposing the **On Default Block List** column. Also see the related policy setting, [Configure the list of blocked TPM commands](#bkmk-tpmgp-clbtc). + If you enable this policy setting, the Windows operating system will ignore the computer's default list of blocked TPM commands, and it will block only those TPM commands that are specified by Group Policy or the local list. + If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to the commands that are specified by Group Policy and the local list of blocked TPM commands. + ### Ignore the local list of blocked TPM commands + This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. -**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   The local list of blocked TPM commands is configured outside of Group Policy by typing **tpm.msc** at the command prompt to open the TPM Management Console, or scripting using the **Win32\_Tpm** interface. (The default list of blocked TPM commands is preconfigured by Windows.) Also see the related policy setting to **Configure the list of blocked TPM commands**. + If you enable this policy setting, the Windows operating system will ignore the computer's local list of blocked TPM commands, and it will block only those TPM commands that are specified by Group Policy or the default list. 
+ If you disable or do not configure this policy setting, Windows will block the TPM commands in the local list, in addition to the commands that are specified in Group Policy and the default list of blocked TPM commands. + ### Configure the level of TPM owner authorization information available to the operating system + This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information that is stored locally, the Windows operating system and TPM-based applications can perform certain actions in the TPM that require TPM owner authorization without requiring the user to enter the TPM owner password. -**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**. + - **Full**   This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. - **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. 
When you use this setting, we recommend using external or remote storage for the full TPM owner authorization value—for example, backing up the value in Active Directory Domain Services (AD DS). - **None**   This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications. -**Note**   -If the operating system managed TPM authentication setting is changed from **Full** to **Delegated**, the full TPM owner authorization value will be regenerated, and any copies of the previously set TPM owner authorization value will be invalid. If you are backing up the TPM owner authorization value to AD DS, the new owner authorization value is automatically backed up to AD DS when it is changed. + +>**Note:**  If the operating system managed TPM authentication setting is changed from **Full** to **Delegated**, the full TPM owner authorization value will be regenerated, and any copies of the previously set TPM owner authorization value will be invalid. If you are backing up the TPM owner authorization value to AD DS, the new owner authorization value is automatically backed up to AD DS when it is changed.   **Registry information** + Registry key: HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\TPM + DWORD: OSManagedAuthLevel + The following table shows the TPM owner authorization values in the registry. - ---- - - - - - - - - - - - - - - - - - - - - -
Value DataSetting

0

None

2

Delegated

4

Full

+ +| Value Data | Setting | +| - | - | +| 0 | None| +| 2 | Delegated| +| 4 | Full|   If you enable this policy setting, the Windows operating system will store the TPM owner authorization in the registry of the local computer according to the TPM authentication setting you choose. -If you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry. + +If you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not +configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry. + ### Standard User Lockout Duration -This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, a standard user is prevented from sending commands that require authorization to the TPM. 
-**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, a standard user is prevented from sending commands that require +authorization to the TPM. + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it is global for all users (including administrators) and for Windows features such as BitLocker Drive Encryption. + The number of authorization failures that a TPM allows and how long it stays locked vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time, with fewer authorization failures, depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require that the system is on so enough clock cycles elapse before the TPM exits the lockout mode. + This setting helps administrators prevent the TPM hardware from entering a lockout mode by slowing the speed at which standard users can send commands that require authorization to the TPM. + For each standard user, two thresholds apply. Exceeding either threshold prevents the user from sending a command that requires authorization to the TPM. 
Use the following policy settings to set the lockout duration: + - [Standard User Individual Lockout Threshold](#bkmk-individual)   This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM. - [Standard User Total Lockout Threshold](#bkmk-total)   This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM. + An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. + If you do not configure this policy setting, a default value of 480 minutes (8 hours) is used. + ### Standard User Individual Lockout Threshold + This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM. If the number of authorization failures for the user within the duration that is set for the **Standard User Lockout Duration** policy setting equals this value, the standard user is prevented from sending commands that require authorization to the Trusted Platform Module (TPM). -**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   
This setting helps administrators prevent the TPM hardware from entering a lockout mode by slowing the speed at which standard users can send commands that require authorization to the TPM. + An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored. + An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. + If you do not configure this policy setting, a default value of 4 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure. + ### Standard User Total Lockout Threshold + This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration that is set for the **Standard User Lockout Duration** policy equals this value, all standard users are prevented from sending commands that require authorization to the Trusted Platform Module (TPM). -**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. 
+ An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored. + For each standard user two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. + 1. The standard user individual lockout value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. 2. The standard user total lockout threshold value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM. -The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it is global for all users (including administrators) and for Windows features such as BitLocker Drive Encryption.. +The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it is global for all users (including administrators) and for Windows features +such as BitLocker Drive Encryption.. + The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. 
+ An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. + If you do not configure this policy setting, a default value of 9 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure. + ## Additional resources -[Trusted Platform Module Technology Overview](trusted-platform-module-overview.md) -[TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) -[Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx) -  -  + +- [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md) +- [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) +- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx) diff --git a/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md new file mode 100644 index 0000000000..758bffcd66 --- /dev/null +++ b/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md 
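Review bot: the rewrapped sentence in the **Standard User Total Lockout Threshold** hunk still carries the doubled period from the removed line: `+such as BitLocker Drive Encryption..` should end with a single period, and since the only change to that sentence is the line break after "Windows features", it is worth either dropping the break (it was one line before) or keeping it and fixing the punctuation in the same edit. The rest of the hunk is fine: the `>**Note:**` blockquote form matches the style used elsewhere in this change, the two defaults (4 for the individual threshold, 9 for the total threshold) are stated unambiguously, and converting **Additional resources** to a `-` list while removing the trailing `&nbsp;` lines is consistent with the other topics touched here.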
@@ -0,0 +1,49 @@ +--- +title: Turn on Windows Firewall and Configure Default Behavior (Windows 10) +description: Turn on Windows Firewall and Configure Default Behavior +ms.assetid: 3c3fe832-ea81-4227-98d7-857a3129db74 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Turn on Windows Firewall and Configure Default Behavior + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To enable Windows Firewall and configure its default behavior, use the Windows Firewall with Advanced Security node in the Group Policy Management console. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +## To enable Windows Firewall and configure the default behavior + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**. + +3. For each network location type (Domain, Private, Public), perform the following steps. + + >**Note:**  The steps shown here indicate the recommended values for a typical deployment. Use the settings that are appropriate for your firewall design. + + 1. Click the tab that corresponds to the network location type. + + 2. Change **Firewall state** to **On (recommended)**. + + 3. Change **Inbound connections** to **Block (default)**. + + 4. Change **Outbound connections** to **Allow (default)**. + +  + +  + + + + + diff --git a/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md b/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md index 4f38eca5a6..96a64490d0 100644 --- a/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md 
+++ b/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md @@ -2,7 +2,7 @@ title: Types of attacks for volume encryption keys (Windows 10) description: There are many ways Windows helps protect your organization from attacks, including Unified Extensible Firmware Interface (UEFI) secure boot, Trusted Platform Module (TPM), Group Policy, complex passwords, and account lockouts. ms.assetid: 405060a9-2009-44fc-9f84-66edad32c6bc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understand-applocker-enforcement-settings.md b/windows/keep-secure/understand-applocker-enforcement-settings.md index f62646c2e9..a27cfdc9cb 100644 --- a/windows/keep-secure/understand-applocker-enforcement-settings.md +++ b/windows/keep-secure/understand-applocker-enforcement-settings.md @@ -2,45 +2,28 @@ title: Understand AppLocker enforcement settings (Windows 10) description: This topic describes the AppLocker enforcement settings for rule collections. ms.assetid: 48773007-a343-40bf-8961-b3ff0a450d7e -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understand AppLocker enforcement settings + **Applies to** - Windows 10 + This topic describes the AppLocker enforcement settings for rule collections. + Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. For more info about rule collections, see [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md). By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. The following table details the three AppLocker rule enforcement settings in Group Policy for each rule collection. - ---- - - - - - - - - - - - - - - - - - - - - -
Enforcement settingDescription

Not configured

By default, enforcement is not configured in a rule collection. If rules are present in the corresponding rule collection, they are enforced. If rule enforcement is configured in a higher-level linked Group Policy object (GPO), that enforcement value overrides the Not configured value.

Enforce rules

Rules are enforced for the rule collection, and all rule events are audited.

Audit only

Rule events are audited only. Use this value when planning and testing AppLocker rules.

+ +| Enforcement setting | Description | +| - | - | +| Not configured | By default, enforcement is not configured in a rule collection. If rules are present in the corresponding rule collection, they are enforced. If rule enforcement is configured in a higher-level linked Group Policy object (GPO), that enforcement value overrides the **Not configured** value.| +| Enforce rules | Rules are enforced for the rule collection, and all rule events are audited.| +| Audit only | Rule events are audited only. Use this value when planning and testing AppLocker rules.|   For the AppLocker policy to be enforced on a device, the Application Identity service must be running. For more info about the Application Identity service, see [Configure the Application Identity service](configure-the-application-identity-service.md). + When AppLocker policies from various GPOs are merged, the enforcement modes are merged by using the standard Group Policy order of inheritance, which is local, domain, site, and organizational unit (OU). The Group Policy setting that was last written or applied by order of inheritance is used for the enforcement mode, and all rules from linked GPOs are applied. -  -  diff --git a/windows/keep-secure/understand-applocker-policy-design-decisions.md b/windows/keep-secure/understand-applocker-policy-design-decisions.md index ea6833ec44..4c7731bcfc 100644 --- a/windows/keep-secure/understand-applocker-policy-design-decisions.md +++ b/windows/keep-secure/understand-applocker-policy-design-decisions.md 
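Review bot: one stray `&nbsp;` line survives between the new Markdown table and the paragraph "For the AppLocker policy to be enforced on a device…", while the trailing `-&nbsp;` lines at the end of the topic are removed; drop that one as well so the table is followed by a plain blank line rather than a non-breaking-space paragraph. Otherwise the HTML-to-Markdown conversion preserves the three rows (**Not configured**, **Enforce rules**, **Audit only**) and their text verbatim, and moving `ms.pagetype: security` below `ms.sitesec` in the front matter matches the ordering applied to the other files in this change.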
@@ -2,123 +2,86 @@ title: Understand AppLocker policy design decisions (Windows 10) description: This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment. ms.assetid: 3475def8-949a-4b51-b480-dc88b5c1e6e6 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understand AppLocker policy design decisions + **Applies to** - Windows 10 + This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment. + When you begin the design and planning process, you should consider the ramifications of your design choices. The resulting decisions will affect your policy deployment scheme and subsequent application control policy maintenance. + You should consider using AppLocker as part of your organization's application control policies if all the following are true: + - You have deployed or plan to deploy the supported versions of Windows in your organization. For specific operating system version requirements, see [Requirements to Use AppLocker](requirements-to-use-applocker.md). - You need improved control over the access to your organization's applications and the data your users access. - The number of applications in your organization is known and manageable. - You have resources to test policies against the organization's requirements. - You have resources to involve Help Desk or to build a self-help process for end-user application access issues. - The group's requirements for productivity, manageability, and security can be controlled by restrictive policies. + The following questions are not in priority or sequential order. 
They should be considered when you deploy application control policies (as appropriate for your targeted environment). + ### Which apps do you need to control in your organization? + You might need to control a limited number of apps because they access sensitive data, or you might have to exclude all applications except those that are sanctioned for business purposes. There might be certain business groups that require strict control, and others that promote independent application usage. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Possible answersDesign considerations

Control all apps

AppLocker policies control applications by creating an allowed list of applications by file type. Exceptions are also possible. AppLocker policies can only be applied to applications installed on computers running one of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).

Control specific apps

When you create AppLocker rules, a list of allowed apps are created. All apps on that list will be allowed to run (except those on the exception list). Apps that are not on the list will be prevented from running. AppLocker policies can only be applied to apps installed on computers running any of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).

Control only Classic Windows applications, only Universal Windows apps, or both

AppLocker policies control apps by creating an allowed list of apps by file type. Because Universal Windows apps are categorized under the Publisher condition, Classic Windows applications and Universal Windows apps can be controlled together. AppLocker policies for Universal Windows apps can be applied only to apps that are installed on PCs that support the Windows Store, but Classic Windows applications can be controlled with AppLocker on all supported versions of Windows. The rules you currently have configured for Classic Windows applications can remain, and you can create new ones for Universal Windows apps.

-

For a comparison of Classic Windows applications and Universal Windows apps, see [Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions](#bkmk-compareclassicmetro) in this topic.

Control apps by business group and user

AppLocker policies can be applied through a Group Policy Object (GPO) to computer objects within an organizational unit (OU). Individual AppLocker rules can be applied to individual users or to groups of users.

Control apps by computer, not user

AppLocker is a computer-based policy implementation. If your domain or site organizational structure is not based on a logical user structure, such as an OU, you might want to set up that structure before you begin your AppLocker planning. Otherwise, you will have to identify users, their computers, and their app access requirements.

Understand app usage, but there is no need to control any apps yet

AppLocker policies can be set to audit app usage to help you track which apps are used in your organization. You can then use the AppLocker event log to create AppLocker policies.

+ +| Possible answers | Design considerations| +| - | - | +| Control all apps | AppLocker policies control applications by creating an allowed list of applications by file type. Exceptions are also possible. AppLocker policies can only be applied to applications installed on computers running one of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).| +| Control specific apps | When you create AppLocker rules, a list of allowed apps are created. All apps on that list will be allowed to run (except those on the exception list). Apps that are not on the list will be prevented from running. AppLocker policies can only be applied to apps installed on computers running any of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).| +|Control only Classic Windows applications, only Universal Windows apps, or both| AppLocker policies control apps by creating an allowed list of apps by file type. Because Universal Windows apps are categorized under the Publisher condition, Classic Windows applications and Universal Windows apps can be controlled together. AppLocker policies for Universal Windows apps can be applied only to apps that are installed on PCs that support the Windows Store, but Classic Windows applications can be controlled with AppLocker on all supported versions of Windows. The rules you currently have configured for Classic Windows applications can remain, and you can create new ones for Universal Windows apps.
For a comparison of Classic Windows applications and Universal Windows apps, see [Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions](#bkmk-compareclassicmetro) in this topic.| +| Control apps by business group and user | AppLocker policies can be applied through a Group Policy Object (GPO) to computer objects within an organizational unit (OU). Individual AppLocker rules can be applied to individual users or to groups of users.| +| Control apps by computer, not user | AppLocker is a computer-based policy implementation. If your domain or site organizational structure is not based on a logical user structure, such as an OU, you might want to set up that structure before you begin your AppLocker planning. Otherwise, you will have to identify users, their computers, and their app access requirements.| +|Understand app usage, but there is no need to control any apps yet | AppLocker policies can be set to audit app usage to help you track which apps are used in your organization. You can then use the AppLocker event log to create AppLocker policies.|   -**Important**   -The following list contains files or types of files that cannot be managed by AppLocker: +>**Important:**  The following list contains files or types of files that cannot be managed by AppLocker: + - AppLocker does not protect against running 16-bit DOS binaries in a NT Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or higher when there is already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it is a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the Executable rule collection for NTVDM.exe. 
+ - You cannot use AppLocker to prevent code from running outside the Win32 subsystem. In particular, this applies to the (POSIX) subsystem in Windows NT. If it is a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem. + - AppLocker can only control VBScript, JScript, .bat files, .cmd files and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (\*.bat) run within the context of the Windows Command Host (cmd.exe). To use AppLocker to control interpreted code, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision that is returned by AppLocker. Not all host processes call into AppLocker. Therefore, AppLocker cannot control every kind of interpreted code, for example Microsoft Office macros. - **Important**   - You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded. + + >**Important:**  You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded.   - AppLocker rules allow or prevent an app from launching. AppLocker does not control the behavior of apps after they are launched. Applications could contain flags that are passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll file to be loaded. In practice, an app that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. 
You must follow a process that best suits your needs to thoroughly vet each app before allowing them to run using AppLocker rules. + For more info, see [Security considerations for AppLocker](security-considerations-for-applocker.md).   ### Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions + AppLocker policies for Universal Windows apps can only be applied to apps that are installed on computers running Windows operating systems that support Windows Store apps. However, Classic Windows applications can be controlled in Windows Server 2008 R2 and Windows 7, in addition to those computers that support Universal Windows apps. The rules for Classic Windows applications and Universal Windows apps can be enforced together. The differences you should consider for Universal Windows apps are: + - All Universal Windows apps can be installed by a standard user, whereas a number of Classic Windows applications require administrative credentials to install. So in an environment where most of the users are standard users, you might not need numerous exe rules, but you might want more explicit policies for packaged apps. - Classic Windows applications can be written to change the system state if they run with administrative credentials. Most Universal Windows apps cannot change the system state because they run with limited permissions. When you design your AppLocker policies, it is important to understand whether an app that you are allowing can make system-wide changes. - Universal Windows apps can be acquired through the Store, or they can be side-loaded by using Windows PowerShell cmdlets. If you use Windows PowerShell cmdlets, a special Enterprise license is required to acquire Universal Windows apps. Classic Windows applications can be acquired through traditional means, such as through software vendors or retail distribution. 
+ AppLocker controls Universal Windows apps and Classic Windows applications by using different rule collections. You have the choice to control Universal Windows apps, Classic Windows applications, or both. + For more info, see [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md). + ### How do you currently control app usage in your organization? + Most organizations have evolved app control policies and methods over time. With heightened security concerns and an emphasis on tighter IT control over desktop use, your organization might decide to consolidate app control practices or design a comprehensive application control scheme. AppLocker includes improvements over SRP in the architecture and management of application control policies. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Possible answersDesign considerations

Security polices (locally set or through Group Policy)

Using AppLocker requires increased effort in planning to create correct policies, but this results in a simpler distribution method.

Non-Microsoft app control software

Using AppLocker requires a complete app control policy evaluation and implementation.

Managed usage by group or OU

Using AppLocker requires a complete app control policy evaluation and implementation.

Authorization Manager or other role-based access technologies

Using AppLocker requires a complete app control policy evaluation and implementation.

Other

Using AppLocker requires a complete app control policy evaluation and implementation.

+ +| Possible answers | Design considerations | +| - | - | +| Security polices (locally set or through Group Policy) | Using AppLocker requires increased effort in planning to create correct policies, but this results in a simpler distribution method.| +| Non-Microsoft app control software | Using AppLocker requires a complete app control policy evaluation and implementation.| +| Managed usage by group or OU | Using AppLocker requires a complete app control policy evaluation and implementation.| +| Authorization Manager or other role-based access technologies | Using AppLocker requires a complete app control policy evaluation and implementation.| +| Other | Using AppLocker requires a complete app control policy evaluation and implementation.|   ### Which Windows desktop and server operating systems are running in your organization? + If your organization supports multiple Windows operating systems, app control policy planning becomes more complex. Your initial design decisions should consider the security and management priorities of applications that are installed on each version of the operating system. @@ -172,259 +135,94 @@ If your organization supports multiple Windows operating systems, app control po
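Review bot: in the first hunk of understand-applocker-policy-design-decisions.md, the "Control only Classic Windows applications, only Universal Windows apps, or both" row of the first table is broken across two source lines: the cell ends at `…you can create new ones for Universal Windows apps.` and the next line starts with `For a comparison of Classic Windows applications…` before the closing `|`. A newline terminates a GFM table row, so the second sentence will render as a paragraph outside the table and the row will be missing its closing cell; join the two sentences on one line with a `<br/>` where the original HTML cell had its paragraph break. Two text nits in the same hunk that the conversion carried over from the old HTML: "Security polices (locally set or through Group Policy)" in the second table should read "Security policies", and "a list of allowed apps are created" in the "Control specific apps" row should read "is created". The `>**Important:**` blockquote conversions and the nested `>**Important:**` under the interpreted-code bullet look correct.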
  ### Are there specific groups in your organization that need customized application control policies? + Most business groups or departments have specific security requirements that pertain to data access and the applications used to access that data. You should consider the scope of the project for each group and the group’s priorities before you deploy application control policies for the entire organization. - ---- - - - - - - - - - - - - - - - - -
Possible answersDesign considerations

Yes

-

For each group, you need to create a list that includes their application control requirements. Although this may increase the planning time, it will most likely result in a more effective deployment.

-

If your GPO structure is not currently configured so that you can apply different policies to specific groups, you can alternatively apply AppLocker rules in a GPO to specific user groups.

No

AppLocker policies can be applied globally to applications that are installed on PCs running the supported versions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). Depending on the number of apps you need to control, managing all the rules and exceptions might be challenging.

+ +| Possible answers | Design considerations | +| - | - | +| Yes | For each group, you need to create a list that includes their application control requirements. Although this may increase the planning time, it will most likely result in a more effective deployment.
If your GPO structure is not currently configured so that you can apply different policies to specific groups, you can alternatively apply AppLocker rules in a GPO to specific user groups.| +| No | AppLocker policies can be applied globally to applications that are installed on PCs running the supported versions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). Depending on the number of apps you need to control, managing all the rules and exceptions might be challenging.|   ### Does your IT department have resources to analyze application usage, and to design and manage the policies? + The time and resources that are available to you to perform the research and analysis can affect the detail of your plan and processes for continuing policy management and maintenance. - ---- - - - - - - - - - - - - - - - - -
Possible answersDesign considerations

Yes

Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are as simply constructed as possible.

No

Consider a focused and phased deployment for specific groups by using a small number of rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment.

+ +| Possible answers | Design considerations | +| - | - | +| Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are as simply constructed as possible.| +| No | Consider a focused and phased deployment for specific groups by using a small number of rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. |   ### Does your organization have Help Desk support? + Preventing your users from accessing known, deployed, or personal applications will initially cause an increase in end-user support. It will be necessary to address the various support issues in your organization so security policies are followed and business workflow is not hampered. - ---- - - - - - - - - - - - - - - - - -
Possible answersDesign considerations

Yes

Involve the support department early in the planning phase because your users may inadvertently be blocked from using their applications, or they may seek exceptions to use specific applications.

No

Invest time in developing online support processes and documentation before deployment.

+ +| Possible answers | Design considerations | +| - | - | +| Yes | Involve the support department early in the planning phase because your users may inadvertently be blocked from using their applications, or they may seek exceptions to use specific applications. | +| No | Invest time in developing online support processes and documentation before deployment. | +   ### Do you know what applications require restrictive policies? Any successful application control policy implementation is based on your knowledge and understanding of app usage within the organization or business group. In addition, the application control design is dependent on the security requirements for data and the apps that access that data. - ---- - - - - - - - - - - - - - - - - -
Possible answersDesign considerations

Yes

You should determine the application control priorities for a business group and then attempt to design the simplest scheme for their application control policies.

No

You will have to perform an audit and requirements gathering project to discover the application usage. AppLocker provides the means to deploy policies in Audit only mode, and tools to view the event logs.

+ +| Possible answers | Design considerations | +| - | - | +| Yes | You should determine the application control priorities for a business group and then attempt to design the simplest scheme for their application control policies. | +| No | You will have to perform an audit and requirements gathering project to discover the application usage. AppLocker provides the means to deploy policies in **Audit only** mode, and tools to view the event logs.|   ### How do you deploy or sanction applications (upgraded or new) in your organization? + Implementing a successful application control policy is based on your knowledge and understanding of application usage within the organization or business group. In addition, the application control design is dependent on the security requirements for data and the applications that access that data. Understanding the upgrade and deployment policy will help shape the construction of the application control policies. - ---- - - - - - - - - - - - - - - - - - - - - -
Possible answersDesign considerations

Ad hoc

You need to gather requirements from each group. Some groups might want unrestricted access or installation, while other groups might want strict controls.

Strict written policy or guidelines to follow

You need to develop AppLocker rules that reflect those policies, and then test and maintain the rules.

No process in place

You need to determine if you have the resources to develop an application control policy, and for which groups.

+ +| Possible answers | Design considerations | +| - | - | +| Ad hoc | You need to gather requirements from each group. Some groups might want unrestricted access or installation, while other groups might want strict controls.| +| Strict written policy or guidelines to follow | You need to develop AppLocker rules that reflect those policies, and then test and maintain the rules. | +| No process in place | You need to determine if you have the resources to develop an application control policy, and for which groups. | +   ### Does your organization already have SRP deployed? + Although SRP and AppLocker have the same goal, AppLocker is a major revision of SRP. - ---- - - - - - - - - - - - - - - - - -
Possible answersDesign considerations

Yes

You cannot use AppLocker to manage SRP settings, but you can use SRP to manage application control policies on computers running on any of the supported operating systems listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). In addition, if AppLocker and SRP settings are configured in the same GPO, only the AppLocker settings will be enforced on computers running those supported operating systems.

-
-Note   -

If you are using the Basic User security level as assigned in SRP, those permissions are not supported on computers running the supported operating systems.

-
-
-  -

No

Policies that are configured for AppLocker can only be applied to computers running the supported operating systems, but SRP is also available on those operating systems.

+ +| Possible answers | Design considerations | +| - | - | +| Yes | You cannot use AppLocker to manage SRP settings, but you can use SRP to manage application control policies on computers running on any of the supported operating systems listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). In addition, if AppLocker and SRP settings are configured in the same GPO, only the AppLocker settings will be enforced on computers running those supported operating systems.

**Note:** If you are using the Basic User security level as assigned in SRP, those permissions are not supported on computers running the supported operating systems.| +| No | Policies that are configured for AppLocker can only be applied to computers running the supported operating systems, but SRP is also available on those operating systems. |   ### What are your organization's priorities when implementing application control policies? + Some organizations will benefit from application control policies as shown by an increase in productivity or conformance, while others will be hindered in performing their duties. Prioritize these aspects for each group to allow you to evaluate the effectiveness of AppLocker. - ---- - - - - - - - - - - - - - - - - - - - - -
Possible answersDesign considerations

Productivity: The organization assures that tools work and required applications can be installed.

To meet innovation and productivity goals, some groups require the ability to install and run a variety of software from different sources, including software that they developed. Therefore, if innovation and productivity is a high priority, managing application control policies through an allowed list might be time consuming and an impediment to progress.

Management: The organization is aware of and controls the apps it supports.

In some business groups, application usage can be managed from a central point of control. AppLocker policies can be built into a GPO for that purpose. This shifts the burden of app access to the IT department, but it also has the benefit of controlling the number of apps that can be run and controlling the versions of those apps

Security: The organization must protect data in part by ensuring that only approved apps are used.

AppLocker can help protect data by allowing a defined set of users access to apps that access the data. If security is the top priority, the application control policies will be the most restrictive.

+ +| Possible answers | Design considerations | +| - | - | +| Productivity: The organization assures that tools work and required applications can be installed. | To meet innovation and productivity goals, some groups require the ability to install and run a variety of software from different sources, including software that they developed. Therefore, if innovation and productivity is a high priority, managing application control policies through an allowed list might be time consuming and an impediment to progress. | +| Management: The organization is aware of and controls the apps it supports. | In some business groups, application usage can be managed from a central point of control. AppLocker policies can be built into a GPO for that purpose. This shifts the burden of app access to the IT department, but it also has the benefit of controlling the number of apps that can be run and controlling the versions of those apps| +| Security: The organization must protect data in part by ensuring that only approved apps are used. | AppLocker can help protect data by allowing a defined set of users access to apps that access the data. If security is the top priority, the application control policies will be the most restrictive.|   ### How are apps currently accessed in your organization? + AppLocker is very effective for organizations that have application restriction requirements if they have environments with a simple topography and application control policy goals that are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers that are connected to the organizational network, such as a school or library. Large organizations also benefit from AppLocker policy deployment when the goal is to achieve a detailed level of control on the desktop computers with a relatively small number of applications to manage, or when the applications are manageable with a small number of rules. 
- ---- - - - - - - - - - - - - - - - - -
Possible answersDesign considerations

Users run without administrative rights.

-

Apps are installed by using an installation deployment technology.

AppLocker can help reduce the total cost of ownership for business groups that typically use a finite set of apps, such as human resources and finance departments. At the same time, these departments access highly sensitive information, much of which contains confidential and proprietary information. By using AppLocker to create rules for specific apps that are allowed to run, you can help limit unauthorized applications from accessing this information.

-
-Note   -

AppLocker can also be effective in helping create standardized desktops in organizations where users run as administrators. However, it is important to note that users with administrative credentials can add new rules to the local AppLocker policy.

-
-
-  -

Users must be able to install applications as needed.

-

Users currently have administrator access, and it would be difficult to change this.

Enforcing AppLocker rules is not suited for business groups that must be able to install apps as needed and without approval from the IT department. If one or more OUs in your organization has this requirement, you can choose not to enforce application rules in those OUs by using AppLocker or to implement the Audit only enforcement setting through AppLocker.

+ +| Possible answers | Design considerations | +| - | - | +| Users run without administrative rights. | Apps are installed by using an installation deployment technology.| +| AppLocker can help reduce the total cost of ownership for business groups that typically use a finite set of apps, such as human resources and finance departments. At the same time, these departments access highly sensitive information, much of which contains confidential and proprietary information. By using AppLocker to create rules for specific apps that are allowed to run, you can help limit unauthorized applications from accessing this information.
**Note: **AppLocker can also be effective in helping create standardized desktops in organizations where users run as administrators. However, it is important to note that users with administrative credentials can add new rules to the local AppLocker policy.| Users must be able to install applications as needed. +| Users currently have administrator access, and it would be difficult to change this.|Enforcing AppLocker rules is not suited for business groups that must be able to install apps as needed and without approval from the IT department. If one or more OUs in your organization has this requirement, you can choose not to enforce application rules in those OUs by using AppLocker or to implement the **Audit only** enforcement setting through AppLocker.|   ### Is the structure in Active Directory Domain Services based on the organization's hierarchy? -Designing application control policies based on an organizational structure that is already built into Active Directory Domain Services (AD DS) is easier than converting the existing structure to an organizational structure. Because the effectiveness of application control policies is dependent on the ability to update policies, consider what organizational work needs to be accomplished before deployment begins. - ---- - - - - - - - - - - - - - - - - -
Possible answersDesign considerations

Yes

AppLocker rules can be developed and implemented through Group Policy, based on your AD DS structure.

No

The IT department must create a scheme to identify how application control policies can be applied to the correct user or computer.

+ +Designing application control policies based on an organizational structure that is already built into Active Directory Domain Services (AD DS) is easier than converting the existing structure to an organizational structure. +Because the effectiveness of application control policies is dependent on the ability to update policies, consider what organizational work needs to be accomplished before deployment begins. + +| Possible answers | Design considerations | +| - | - | +| Yes | AppLocker rules can be developed and implemented through Group Policy, based on your AD DS structure.| +| No | The IT department must create a scheme to identify how application control policies can be applied to the correct user or computer.|   ## Record your findings + The next step in the process is to record and analyze your answers to the preceding questions. If AppLocker is the right solution for your goals, tyou can set your application control policy objectives and plan your AppLocker rules. This process culminates in creating your planning document. + - For info about setting your policy goals, see [Determine your application control objectives](determine-your-application-control-objectives.md). - For info about creating your planning document, see [Create your AppLocker planning document](create-your-applocker-planning-document.md). -  -  diff --git a/windows/keep-secure/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/keep-secure/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md index c4438ba57b..fd1d01d9fb 100644 --- a/windows/keep-secure/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md +++ b/windows/keep-secure/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md 
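Review bot: In the preceding hunk (the design-decisions topic ending with "Record your findings"), the rebuilt "How are apps currently accessed in your organization?" table mis-assigns cells. In the HTML original each row carried two answers sharing one design consideration ("Users run without administrative rights." with "Apps are installed by using an installation deployment technology.", and "Users must be able to install applications as needed." with "Users currently have administrator access..."), but the markdown version puts the second answer into the design-considerations column, turns the consideration text into its own row, and leaves "Users must be able to install applications as needed." dangling after the closing `|`. Rebuild it as two rows, joining the paired answers in the first column with `<br>` as the Edge tables in this same patch do. In that cell `**Note: **AppLocker` has a space before the closing asterisks and will not render as bold. The "Yes" row of the SRP table is also split across a blank line (`...supported operating systems.` / `**Note:** If you are using the Basic User ...|`), which breaks the table; keep the row on one line with `<br>` before the note. Last, "tyou can set your application control policy objectives" in the "Record your findings" paragraph should be "you can set".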
@@ -2,34 +2,43 @@ title: Understand AppLocker rules and enforcement setting inheritance in Group Policy (Windows 10) description: This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy. ms.assetid: c1c5a3d3-540a-4698-83b5-0dab5d27d871 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understand AppLocker rules and enforcement setting inheritance in Group Policy + **Applies to** - Windows 10 + This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy. + Rule enforcement is applied only to collections of rules, not individual rules. AppLocker divides the rules into the following collections: executable files, Windows Installer files, scripts, packaged apps and packaged app installers, and DLL files. The options for rule enforcement are **Not configured**, **Enforce rules**, or **Audit only**. Together, all AppLocker rule collections compose the application control policy, or AppLocker policy. + Group Policy merges AppLocker policy in two ways: + - **Rules.** Group Policy does not overwrite or replace rules that are already present in a linked Group Policy Object (GPO). For example, if the current GPO has 12 rules and a linked GPO has 50 rules, 62 rules are applied to all computers that receive the AppLocker policy. - **Important**   - When determining whether a file is permitted to run, AppLocker processes rules in the following order: + >**Important:**  When determining whether a file is permitted to run, AppLocker processes rules in the following order: + 1. **Explicit deny.** An administrator created a rule to deny a file. 2. **Explicit allow.** An administrator created a rule to allow a file. 3. 
**Implicit deny.** This is also called the default deny because all files that are not affected by an allow rule are automatically blocked.   - **Enforcement settings.** The last write to the policy is applied. For example, if a higher-level GPO has the enforcement setting configured to **Enforce rules** and the closest GPO has the setting configured to **Audit only**, **Audit only** is enforced. If enforcement is not configured on the closest GPO, the setting from the closest linked GPO will be enforced. Because a computer's effective policy includes rules from each linked GPO, duplicate rules or conflicting rules could be enforced on a user's computer. Therefore, you should carefully plan your deployment to ensure that only rules that are necessary are present in a GPO. + The following figure demonstrates how AppLocker rule enforcement is applied through linked GPOs. + ![applocker rule enforcement inheritance chart](images/applocker-plan-inheritance.gif) + In the preceding illustration, note that all GPOs linked to Contoso are applied in order as configured. The rules that are not configured are also applied. For example, the result of the Contoso and Human Resources GPOs is 33 rules enforced, as shown in the client HR-Term1. The Human Resources GPO contains 10 non-configured rules. When the rule collection is configured for **Audit only**, no rules are enforced. + When constructing the Group Policy architecture for applying AppLocker policies, it is important to remember: + - Rule collections that are not configured will be enforced. - Group Policy does not overwrite or replace rules that are already present in a linked GPO. - AppLocker processes the explicit deny rule configuration before the allow rule configuration. - For rule enforcement, the last write to the GPO is applied. -  -  
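Review bot: The enforcement-settings bullet in this hunk leaves the fallback case muddled: "If enforcement is not configured on the closest GPO, the setting from the closest linked GPO will be enforced" uses "closest" for both GPOs. Suggest "the setting from the next closest linked GPO that has enforcement configured". Since the last write wins, it is also worth stating plainly that an **Audit only** setting in a lower-level GPO silently overrides **Enforce rules** from a parent GPO for that collection; that is the concrete failure mode behind the "carefully plan your deployment" sentence and the "Rule collections that are not configured will be enforced" bullet. Formatting: the three numbered items after the new `>**Important:**` line are not prefixed with `>`, so they render outside the callout; either prefix them or keep the bold lead-in without the blockquote.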
diff --git a/windows/keep-secure/understand-the-applocker-policy-deployment-process.md b/windows/keep-secure/understand-the-applocker-policy-deployment-process.md index 225dc8c0c2..a2ec48ffe5 100644 --- a/windows/keep-secure/understand-the-applocker-policy-deployment-process.md +++ b/windows/keep-secure/understand-the-applocker-policy-deployment-process.md 
@@ -2,21 +2,30 @@ title: Understand the AppLocker policy deployment process (Windows 10) description: This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. ms.assetid: 4cfd95c1-fbd3-41fa-8efc-d23c1ea6fb16 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understand the AppLocker policy deployment process + **Applies to** - Windows 10 + This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. + To successfully deploy AppLocker policies, you need to identify your application control objectives and construct the policies for those objectives. The key to the process is taking an accurate inventory of your organization's applications, which requires investigation of all the targeted business groups. With an accurate inventory, you can create rules and set enforcement criteria that will allow the organization to use the required applications and allow the IT department to manage a controlled set of applications. + The following diagram shows the main points in the design, planning, and deployment process for AppLocker. + ![applocker quick reference guide](images/applocker-plandeploy-quickreference.gif) + ## Resources to support the deployment process + The following topics contain information about designing, planning, deploying, and maintaining AppLocker policies: + - For info about the AppLocker policy design and planning requirements and process, see [AppLocker Design Guide](applocker-policies-design-guide.md). - For info about the AppLocker policy deployment requirements and process, see [AppLocker deployment guide](applocker-policies-deployment-guide.md). - For info about AppLocker policy maintenance and monitoring, see [Administer AppLocker](administer-applocker.md). 
diff --git a/windows/keep-secure/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/keep-secure/understanding-applocker-allow-and-deny-actions-on-rules.md index 30f5de5bcc..b383087281 100644 --- a/windows/keep-secure/understanding-applocker-allow-and-deny-actions-on-rules.md +++ b/windows/keep-secure/understanding-applocker-allow-and-deny-actions-on-rules.md 
@@ -2,52 +2,38 @@ title: Understanding AppLocker allow and deny actions on rules (Windows 10) description: This topic explains the differences between allow and deny actions on AppLocker rules. ms.assetid: ea0370fa-2086-46b5-a0a4-4a7ead8cbed9 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding AppLocker allow and deny actions on rules + **Applies to** - Windows 10 + This topic explains the differences between allow and deny actions on AppLocker rules. + ## Allow action versus deny action on rules + Unlike Software Restriction Policies (SRP), each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection are allowed to run. This configuration makes it easier to determine what will occur when an AppLocker rule is applied. + You can also create rules that use the deny action. When applying rules, AppLocker first checks whether any explicit deny actions are specified in the rule list. If you have denied a file from running in a rule collection, the deny action will take precedence over any allow action, regardless of which Group Policy Object (GPO) the rule was originally applied in. Because AppLocker functions as an allowed list by default, if no rule explicitly allows or denies a file from running, AppLocker's default deny action will block the file. + ### Deny rule considerations + Although you can use AppLocker to create a rule to allow all files to run and then use rules to deny specific files, this configuration is not recommended. The deny action is generally less secure than the allow action because a malicious user could modify the file to invalidate the rule. Deny actions can also be circumvented. For example, if you configure a deny action for a file or folder path, the user can still run the file from any other path. 
The following table details security concerns for different rule conditions with deny actions. - ---- - - - - - - - - - - - - - - - - - - - - -
Rule conditionSecurity concern with deny action

Publisher

A user could modify the properties of a file (for example, re-signing the file with a different certificate).

File hash

A user could modify the hash for a file.

Path

A user could move the denied file to a different location and run it from there.

+ +| Rule condition | Security concern with deny action | +| - | - | +| Publisher | A user could modify the properties of a file (for example, re-signing the file with a different certificate).| +| File hash | A user could modify the hash for a file.| +| Path | A user could move the denied file to a different location and run it from there.|   -**Important**   -If you choose to use the deny action on rules, you must ensure that you first create rules that allow the Windows system files to run. AppLocker enforces rules for allowed applications by default, so after one or more rules have been created for a rule collection (affecting the Windows system files), only the apps that are listed as being allowed will be permitted to run. Therefore, creating a single rule in a rule collection to deny a malicious file from running will also deny all other files on the computer from running. +>**Important:**  If you choose to use the deny action on rules, you must ensure that you first create rules that allow the Windows system files to run. AppLocker enforces rules for allowed applications by default, so after one or more rules have been created for a rule collection (affecting the Windows system files), only the apps that are listed as being allowed will be permitted to run. Therefore, creating a single rule in a rule collection to deny a malicious file from running will also deny all other files on the computer from running.   ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) diff --git a/windows/keep-secure/understanding-applocker-default-rules.md b/windows/keep-secure/understanding-applocker-default-rules.md index cf10480b26..b0aa99f22e 100644 --- a/windows/keep-secure/understanding-applocker-default-rules.md +++ b/windows/keep-secure/understanding-applocker-default-rules.md 
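Review bot: In the allow-and-deny-actions hunk above, the File hash row of the new table says "A user could modify the hash for a file." That reverses cause and effect: the hash is computed from the file, so what the user does is change the file (any byte is enough) so that its hash no longer matches the deny rule. Suggest "A user could modify the file so that its hash no longer matches the rule." The Publisher row already states the mechanism ("re-signing the file with a different certificate") and the Path row likewise; aligning the File hash row with them keeps the table consistent and makes the point of the following Important callout clearer.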
@@ -2,62 +2,45 @@ title: Understanding AppLocker default rules (Windows 10) description: This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied. ms.assetid: bdb03d71-05b7-41fb-96e3-a289ce1866e1 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding AppLocker default rules + **Applies to** - Windows 10 + This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied. + AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. -**Important**   -You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. + +>**Important:**  You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run.   -If you require additional app security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. The Windows folder contains a Temp subfolder to which the Users group is given the following permissions: +If you require additional app security, you might need to modify the rules created from the built-in default rule collection. 
For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. +The Windows folder contains a Temp subfolder to which the Users group is given the following permissions: + - Traverse Folder/Execute File - Create Files/Write Data - Create Folders/Append Data + These permissions settings are applied to this folder for app compatibility. However, because any user can create files in this location, allowing applications to be run from this location might conflict with your organization's security policy. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Executable rules in AppLocker](executable-rules-in-applocker.md)

This topic describes the file formats and available default rules for the executable rule collection.

[Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md)

This topic describes the file formats and available default rules for the Windows Installer rule collection.

[Script rules in AppLocker](script-rules-in-applocker.md)

This topic describes the file formats and available default rules for the script rule collection.

[DLL rules in AppLocker](dll-rules-in-applocker.md)

This topic describes the file formats and available default rules for the DLL rule collection.

[Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md)

This topic explains the AppLocker rule collection for packaged app installers and packaged apps.

+ +| Topic | Description | +| - | - | +| [Executable rules in AppLocker](executable-rules-in-applocker.md) | This topic describes the file formats and available default rules for the executable rule collection. | +| [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md) | This topic describes the file formats and available default rules for the Windows Installer rule collection.| +| [Script rules in AppLocker](script-rules-in-applocker.md) | This topic describes the file formats and available default rules for the script rule collection.| +| [DLL rules in AppLocker](dll-rules-in-applocker.md) | This topic describes the file formats and available default rules for the DLL rule collection.| +| [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md) | This topic explains the AppLocker rule collection for packaged app installers and packaged apps.|   ## Related topics -[How AppLocker works](how-applocker-works-techref.md) + +- [How AppLocker works](how-applocker-works-techref.md)     diff --git a/windows/keep-secure/understanding-applocker-rule-behavior.md b/windows/keep-secure/understanding-applocker-rule-behavior.md index b065509210..ac18934b5f 100644 --- a/windows/keep-secure/understanding-applocker-rule-behavior.md +++ b/windows/keep-secure/understanding-applocker-rule-behavior.md 
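Review bot: In the default-rules hunk above, the Temp-subfolder paragraph explains the risk (the default executable rule is a path rule covering the whole Windows folder, and the Users group can create and execute files under its Temp subfolder) but stops at "might conflict with your organization's security policy" without saying what to do. Suggest adding one sentence that the default rule should carry a path exception for the writable subfolder, or be replaced with publisher rules for the Windows binaries, since an allow rule over a user-writable location allows whatever a user drops there. Minor, in the touched intro line: "This topic for IT professional describes" should read "This topic for the IT professional describes", as the other topics in this patch do.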
@@ -2,24 +2,29 @@ title: Understanding AppLocker rule behavior (Windows 10) description: This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker. ms.assetid: 3e2738a3-8041-4095-8a84-45c1894c97d0 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding AppLocker rule behavior + **Applies to** - Windows 10 + This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker. + If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For example, if you create an executable rule that allows .exe files in *%SystemDrive%\\FilePath* to run, only executable files located in that path are allowed to run. + A rule can be configured to use either an allow or deny action: + - **Allow**. You can specify which files are allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. - **Deny**. You can specify which files are not allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. -**Important**   -You can use a combination of allow actions and deny actions. However, we recommend using allow actions with exceptions because deny actions override allow actions in all cases. Deny actions can also be circumvented. For example, if you configure a deny action for a file or folder path, the user can still run the file from any other path. + +>**Important:**  You can use a combination of allow actions and deny actions. 
However, we recommend using allow actions with exceptions because deny actions override allow actions in all cases. Deny actions can also be circumvented. For example, if you configure a deny action for a file or folder path, the user can still run the file from any other path.   ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) diff --git a/windows/keep-secure/understanding-applocker-rule-collections.md b/windows/keep-secure/understanding-applocker-rule-collections.md index 950a47ebfe..b8adef234c 100644 --- a/windows/keep-secure/understanding-applocker-rule-collections.md +++ b/windows/keep-secure/understanding-applocker-rule-collections.md 
@@ -2,28 +2,34 @@ title: Understanding AppLocker rule collections (Windows 10) description: This topic explains the five different types of AppLocker rules used to enforce AppLocker policies. ms.assetid: 03c05466-4fb3-4880-8d3c-0f6f59fc5579 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding AppLocker rule collections + **Applies to** - Windows 10 + This topic explains the five different types of AppLocker rules used to enforce AppLocker policies. + An AppLocker rule collection is a set of rules that apply to one of five types: + - Executable files: .exe and .com - Windows Installer files: .msi, mst, and .msp - Scripts: .ps1, .bat, .cmd, .vbs, and .js - DLLs: .dll and .ocx - Packaged apps and packaged app installers: .appx + If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps. -**Important**   -Each app can load several DLLs, and AppLocker must check each DLL before it is allowed to run. Therefore, creating DLL rules might cause performance problems on some computers. Denying some DLLs from running can also create app compatibility problems. As a result, the DLL rule collection is not enabled by default. + +>**Important:**  Each app can load several DLLs, and AppLocker must check each DLL before it is allowed to run. Therefore, creating DLL rules might cause performance problems on some computers. Denying some DLLs from running can also create app compatibility problems. As a result, the DLL rule collection is not enabled by default.   For info about how to enable the DLL rule collection, see [Enable the DLL rule collection](enable-the-dll-rule-collection.md). + ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) 
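Review bot: In the rule-collection list of this hunk, "Windows Installer files: .msi, mst, and .msp" is missing the leading dot on mst; it should read ".msi, .mst, and .msp". The line is unchanged context, but the hunk reflows everything around it, so fix it here rather than leaving a wrong extension in a list readers will copy into rules.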
diff --git a/windows/keep-secure/understanding-applocker-rule-condition-types.md b/windows/keep-secure/understanding-applocker-rule-condition-types.md index e6b6e8505a..f00afa16e1 100644 --- a/windows/keep-secure/understanding-applocker-rule-condition-types.md +++ b/windows/keep-secure/understanding-applocker-rule-condition-types.md 
@@ -2,39 +2,55 @@ title: Understanding AppLocker rule condition types (Windows 10) description: This topic for the IT professional describes the three types of AppLocker rule conditions. ms.assetid: c21af67f-60a1-4f7d-952c-a6f769c74729 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding AppLocker rule condition types + **Applies to** - Windows 10 + This topic for the IT professional describes the three types of AppLocker rule conditions. + Rule conditions are criteria that the AppLocker rule is based on. Primary conditions are required to create an AppLocker rule. The three primary rule conditions are publisher, path, and file hash. + **Publisher** + To use a publisher condition, the files must be digitally signed by the software publisher, or you must do so by using an internal certificate. Rules that are specified to the version level might have to be updated when a new version of the file is released. For more info about this rule condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md). + **Path** + Any file can be assigned this rule condition; however, because path rules specify locations within the file system, any subdirectory will also be affected by the rule (unless explicitly exempted). For more info about this rule condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md). + **File hash** + Any file can be assigned this rule condition; however, the rule must be updated each time a new version of the file is released because the hash value is unique to that the version of the file. For more info about this rule condition, see [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md). 
+ ### Considerations + Selecting the appropriate condition for each rule depends on the overall application control policy goals of the organization, the AppLocker rule maintenance goals, and the condition of the existing (or planned) application deployment. The following questions can help you decide which rule condition to use. + 1. Is the file digitally signed by a software publisher? + If the file is signed by a software publisher, we recommend that you create rules with publisher conditions. You may still create file hash and path conditions for signed files. However, if the file is not digitally signed by a software publisher, you can: + - Sign the file by using an internal certificate. - Create a rule by using a file hash condition. - Create a rule by using a path condition. - **Note**   - To determine how many applications on a reference computer are digitally signed, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet for a directory of files. For example, `Get-AppLockerFileInformation –Directory C:\Windows\ -FileType EXE -recurse` displays the properties for all .exe and .com files within the Windows directory. + + >**Note:**  To determine how many applications on a reference computer are digitally signed, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet for a directory of files. For example, + `Get-AppLockerFileInformation –Directory C:\Windows\ -FileType EXE -recurse` displays the properties for all .exe and .com files within the Windows directory.   2. What rule condition type does your organization prefer? + If your organization is already using Software Restriction Policies (SRP) to restrict what files users can run, rules using file hash or path conditions are probably already in place. - **Note**   - For a list of supported operating system versions and editions to which SRP and AppLocker rules can be applied, see [Requirements to use AppLocker](requirements-to-use-applocker.md). 
+ + >**Note:**  For a list of supported operating system versions and editions to which SRP and AppLocker rules can be applied, see [Requirements to use AppLocker](requirements-to-use-applocker.md).   ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) diff --git a/windows/keep-secure/understanding-applocker-rule-exceptions.md b/windows/keep-secure/understanding-applocker-rule-exceptions.md index 0a89f17cc7..4cedcfd784 100644 --- a/windows/keep-secure/understanding-applocker-rule-exceptions.md +++ b/windows/keep-secure/understanding-applocker-rule-exceptions.md 
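Review bot: in the rule-condition-types hunk above, the converted Note's example `Get-AppLockerFileInformation –Directory C:\Windows\ -FileType EXE -recurse` still uses an en-dash before `Directory` while `-FileType` and `-recurse` use an ASCII hyphen; normalize it to `-Directory` (and `-Recurse`) so the command is consistent and copies cleanly into a console. Since this file is being reflowed anyway, the unchanged File hash paragraph's "unique to that the version of the file" should read "unique to that version of the file".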
@@ -2,19 +2,24 @@ title: Understanding AppLocker rule exceptions (Windows 10) description: This topic describes the result of applying AppLocker rule exceptions to rule collections. ms.assetid: e6bb349f-ee60-4c8d-91cd-6442f2d0eb9c -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding AppLocker rule exceptions + **Applies to** - Windows 10 + This topic describes the result of applying AppLocker rule exceptions to rule collections. + You can apply AppLocker rules to individual users or a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. + For example, the rule "Allow Everyone to run Windows except Registry Editor" allows everyone in the organization to run Windows but does not allow anyone to run Registry Editor. The effect of this rule would prevent users such as help desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Helpdesk user group: "Allow Helpdesk to run Registry Editor." If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Helpdesk user group to run Registry Editor. + ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) diff --git a/windows/keep-secure/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/keep-secure/understanding-the-file-hash-rule-condition-in-applocker.md index 1be8c8cc55..89a2b1a770 100644 --- a/windows/keep-secure/understanding-the-file-hash-rule-condition-in-applocker.md +++ b/windows/keep-secure/understanding-the-file-hash-rule-condition-in-applocker.md 
@@ -2,38 +2,28 @@ title: Understanding the file hash rule condition in AppLocker (Windows 10) description: This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied. ms.assetid: 4c6d9af4-2b1a-40f4-8758-1a6f9f147756 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding the file hash rule condition in AppLocker + **Applies to** - Windows 10 + This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied. + File hash rules use a system-computed cryptographic hash of the identified file. For files that are not digitally signed, file hash rules are more secure than path rules. The following table describes the advantages and disadvantages of the file hash condition. - ---- - - - - - - - - - - - - -
File hash condition advantagesFile hash condition disadvantages

Because each file has a unique hash, a file hash condition applies to only one file.

Each time that the file is updated (such as a security update or upgrade), the file's hash will change. As a result, you must manually update file hash rules.

+ +| File hash condition advantages | File hash condition disadvantages | +| - | - | +| Because each file has a unique hash, a file hash condition applies to only one file. | Each time that the file is updated (such as a security update or upgrade), the file's hash will change. As a result, you must manually update file hash rules.|   For an overview of the three types of AppLocker rule conditions and explanations of the advantages and disadvantages of each, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). + ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) diff --git a/windows/keep-secure/understanding-the-path-rule-condition-in-applocker.md b/windows/keep-secure/understanding-the-path-rule-condition-in-applocker.md index 2adb70d6c6..4d4e950a6c 100644 --- a/windows/keep-secure/understanding-the-path-rule-condition-in-applocker.md +++ b/windows/keep-secure/understanding-the-path-rule-condition-in-applocker.md 
@@ -2,18 +2,24 @@ title: Understanding the path rule condition in AppLocker (Windows 10) description: This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied. ms.assetid: 3fa54ded-4466-4f72-bea4-2612031cad43 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding the path rule condition in AppLocker + **Applies to** - Windows 10 + This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied. + The path condition identifies an application by its location in the file system of the computer or on the network. + When creating a rule that uses a deny action, path conditions are less secure than publisher and file hash conditions for preventing access to a file because a user could easily copy the file to a different location than the location specified in the rule. Because path rules specify locations within the file system, you should ensure that there are no subdirectories that are writable by non-administrators. For example, if you create a path rule for C:\\ with the allow action, any file under that location will be allowed to run, including within users' profiles. The following table describes the advantages and disadvantages of the path condition. + @@ -40,57 +46,22 @@ When creating a rule that uses a deny action, path conditions are less secure th
  AppLocker does not enforce rules that specify paths with short names. You should always specify the full path to a file or folder when creating path rules so that the rule will be properly enforced. + The asterisk (\*) wildcard character can be used within **Path** field. The asterisk (\*) character used by itself represents any path. When combined with any string value, the rule is limited to the path of the file and all the files under that path. For example, %ProgramFiles%\\Internet Explorer\\\* indicates that all files and subfolders within the Internet Explorer folder will be affected by the rule. + AppLocker uses path variables for well-known directories in Windows. Path variables are not environment variables. The AppLocker engine can only interpret AppLocker path variables. The following table details these path variables. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows directory or driveAppLocker path variableWindows environment variable

Windows

%WINDIR%

%SystemRoot%

System32

%SYSTEM32%

%SystemDirectory%

Windows installation directory

%OSDRIVE%

%SystemDrive%

Program Files

%PROGRAMFILES%

%ProgramFiles% and %ProgramFiles(x86)%

Removable media (for example, CD or DVD)

%REMOVABLE%

Removable storage device (for example, USB flash drive)

%HOT%

+ +| Windows directory or drive | AppLocker path variable | Windows environment variable | +| - | - | - | +| Windows | %WINDIR% | %SystemRoot% | +| System32 | %SYSTEM32%| %SystemDirectory%| +| Windows installation directory | %OSDRIVE%|%SystemDrive%| +| Program Files | %PROGRAMFILES%| %ProgramFiles% and %ProgramFiles(x86)%| +| Removable media (for example, CD or DVD) | %REMOVABLE%| | +| Removable storage device (for example, USB flash drive)| %HOT%|||   For an overview of the three types of AppLocker rule conditions and explanations of the advantages and disadvantages of each, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). + ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) diff --git a/windows/keep-secure/understanding-the-publisher-rule-condition-in-applocker.md b/windows/keep-secure/understanding-the-publisher-rule-condition-in-applocker.md index 053ee2e59c..5e0bca2ee0 100644 --- a/windows/keep-secure/understanding-the-publisher-rule-condition-in-applocker.md +++ b/windows/keep-secure/understanding-the-publisher-rule-condition-in-applocker.md 
@@ -2,18 +2,24 @@ title: Understanding the publisher rule condition in AppLocker (Windows 10) description: This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied. ms.assetid: df61ed8f-a97e-4644-9d0a-2169f18c1c4f -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding the publisher rule condition in AppLocker + **Applies to** - Windows 10 + This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied. + Publisher conditions can be made only for files that are digitally signed; this condition identifies an app based on its digital signature and extended attributes. The digital signature contains information about the company that created the app (the publisher). The extended attributes, which are obtained from the binary resource, contain the name of the product that the app is part of and the version number of the app. The publisher may be a software development company, such as Microsoft, or the Information Technology department of your organization. -Publisher conditions are easier to maintain than file hash conditions and are generally more secure than path conditions. Rules that are specified to the version level might have to be updated when a new version of the file is released. The following table describes the advantages and disadvantages of the publisher condition. +Publisher conditions are easier to maintain than file hash conditions and are generally more secure than path conditions. Rules that are specified to the version level might have to be updated when a new version of the file is released. The following table describes the advantages and disadvantages +of the publisher condition. + @@ -42,70 +48,42 @@ Publisher conditions are easier to maintain than file hash conditions and are ge
  Wildcard characters can be used as values in the publisher rule fields according to the following specifications: + - **Publisher** + The asterisk (\*) character used by itself represents any publisher. When combined with any string value, the rule is limited to the publisher with a value in the signed certificate that matches the character string. In other words, the asterisk is not treated as a wildcard character if used with other characters in this field. For example, using the characters "M\*" limits the publisher name to only a publisher with the name "M\*." Using the characters "\*x\*" limits the publisher name only to the name “\*x\*”. A question mark (?) is not a valid wildcard character in this field. + - **Product name** + The asterisk (\*) character used by itself represents any product name. When combined with any string value, the rule is limited to the product of the publisher with a value in the signed certificate that matches the character string. In other words, the asterisk is not treated as a wildcard character if used with other characters in this field. A question mark (?) is not a valid wildcard character in this field. + - **File name** + Either the asterisk (\*) or question mark (?) characters used by themselves represent any and all file names. When combined with any string value, the string is matched with any file name containing that string. + - **File version** + The asterisk (\*) character used by itself represents any file version. If you want to limit the file version to a specific version or as a starting point, you can state the file version and then use the following options to apply limits: + - **Exactly**. The rule applies only to this version of the app - **And above**. The rule applies to this version and all later versions. - **And Below**. The rule applies to this version and all earlier versions. + The following table describes how a publisher condition is applied. 
- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionThe publisher condition allows or denies…

All signed files

All files that are signed by a publisher.

Publisher only

All files that are signed by the named publisher.

Publisher and product name

All files for the specified product that are signed by the named publisher.

Publisher, product name, and file name

Any version of the named file for the named product that is signed by the publisher.

Publisher, product name, file name, and file version

Exactly

-

The specified version of the named file for the named product that is signed by the publisher.

Publisher, product name, file name, and file version

And above

-

The specified version of the named file and any new releases for the product that are signed by the publisher.

Publisher, product name, file name, and file version

And below

-

The specified version of the named file and any older versions for the product that are signed by the publisher.

Custom

You can edit the Publisher, Product name, File name, and Version fields to create a custom rule.

+ +| Option | The publisher condition allows or denies…| +| - | - | +| **All signed files** | All files that are signed by a publisher.| +| **Publisher only** | All files that are signed by the named publisher.| +| **Publisher and product name** | All files for the specified product that are signed by the named publisher.| +| **Publisher, product name, and file name** | Any version of the named file for the named product that is signed by the publisher.| +| **Publisher, product name, file name, and file version** | **Exactly**
The specified version of the named file for the named product that is signed by the publisher.| +| **Publisher, product name, file name, and file version** | **And above**
The specified version of the named file and any new releases for the product that are signed by the publisher.| +| **Publisher, product name, file name, and file version**| **And below**
The specified version of the named file and any older versions for the product that are signed by the publisher.| +| **Custom** | You can edit the **Publisher**, **Product name**, **File name**, and **Version** fields to create a custom rule.|   For an overview of the three types of AppLocker rule conditions and explanations of the advantages and disadvantages of each, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). + ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) diff --git a/windows/keep-secure/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/keep-secure/understanding-the-windows-firewall-with-advanced-security-design-process.md new file mode 100644 index 0000000000..82f6355c8a --- /dev/null +++ b/windows/keep-secure/understanding-the-windows-firewall-with-advanced-security-design-process.md 
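Review bot: in the publisher-condition hunk above, the **Product name** wildcard paragraph says the rule is limited to a product "with a value in the signed certificate that matches the character string", but the intro paragraph of this same file states that product name and version are read from the binary's extended attributes and only the publisher comes from the certificate; reword the **Product name** sentence to say the string is matched against the file's extended attributes so the page does not contradict itself.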
@@ -0,0 +1,27 @@ +--- +title: Understanding the Windows Firewall with Advanced Security Design Process (Windows 10) +description: Understanding the Windows Firewall with Advanced Security Design Process +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Understanding the Windows Firewall with Advanced Security Design Process + +Designing any deployment starts by performing several important tasks: + +- [Identifying Your Windows Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) + +- [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) + +- [Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) + +After you identify your deployment goals and map them to a Windows Firewall with Advanced Security design, you can begin documenting the design based on the processes that are described in the following topics: + +- [Designing A Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) + +- [Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) + +**Next:** [Identifying Your Windows Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) diff --git a/windows/keep-secure/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/keep-secure/use-a-reference-computer-to-create-and-maintain-applocker-policies.md index 4b888e3d71..90336b381a 100644 --- a/windows/keep-secure/use-a-reference-computer-to-create-and-maintain-applocker-policies.md 
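Review bot: in the new firewall design-process topic, both links titled "Identifying Your Windows Firewall with Advanced Security Design Goals" point at `identifying-your-windows-firewall-with-advanced-security-deployment-goals.md`; the link text says "Design Goals" while the filename says "deployment-goals", so make one agree with the other before this topic is wired into a TOC. The `description:` front matter also just repeats the title; a one-sentence summary would serve search better.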
+++ b/windows/keep-secure/use-a-reference-computer-to-create-and-maintain-applocker-policies.md 
@@ -2,35 +2,46 @@ title: Use a reference device to create and maintain AppLocker policies (Windows 10) description: This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer. ms.assetid: 10c3597f-f44c-4c8e-8fe5-105d4ac016a6 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Use a reference device to create and maintain AppLocker policies + **Applies to** - Windows 10 + This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer. + ## Background and prerequisites + An AppLocker reference device is a baseline device you can use to configure policies and can subsequently be used to maintain AppLocker policies. For the procedure to configure a reference device, see [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md). + An AppLocker reference device that is used to create and maintain AppLocker policies should contain the corresponding apps for each organizational unit (OU) to mimic your production environment. -**Important**   -The reference device must be running one of the supported editions of Windows. For information about operating system requirements for AppLocker, see [Requirements to use AppLocker](requirements-to-use-applocker.md). + +>**Important:**  The reference device must be running one of the supported editions of Windows. For information about operating system requirements for AppLocker, see [Requirements to use AppLocker](requirements-to-use-applocker.md).   You can perform AppLocker policy testing on the reference device by using the **Audit only** enforcement setting or Windows PowerShell cmdlets. You can also use the reference device as part of a testing configuration that includes policies that are created by using Software Restriction Policies. 
+ ## Step 1: Automatically generate rules on the reference device + With AppLocker, you can automatically generate rules for all files within a folder. AppLocker scans the specified folder and creates the condition types that you choose for each file in that folder. For the procedure to do this, see [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md). -**Note**   -If you run this wizard to create your first rules for a Group Policy Object (GPO), after you complete the wizard, you will be prompted to create the default rules, which allow critical system files to run. You can edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after you replace them with your custom rules. + +>**Note:**  If you run this wizard to create your first rules for a Group Policy Object (GPO), after you complete the wizard, you will be prompted to create the default rules, which allow critical system files to run. You can edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after you replace them with your custom rules.   ## Step 2: Create the default rules on the reference device + AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You must run the default rules for each rule collection. For info about default rules and considerations for using them, see [Understanding AppLocker default rules](understanding-applocker-default-rules.md). For the procedure to create default rules, see [Create AppLocker default rules](create-applocker-default-rules.md). 
-**Important**   -You can use the default rules as a template when you create your own rules. This allows files within the Windows directory to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules. + +>**Important:**  You can use the default rules as a template when you create your own rules. This allows files within the Windows directory to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules.   ## Step 3: Modify rules and the rule collection on the reference device + If AppLocker policies are currently running in your production environment, export the policies from the corresponding GPOs and save them to the reference device. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md). If no AppLocker policies have been deployed, create the rules and develop the policies by using the following procedures: + - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) - [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) - [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) 
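Review bot: the unchanged link in the "Background and prerequisites" paragraph of this hunk, `configure-the-appLocker-reference-device.md`, has a capital L in the filename while every other AppLocker topic link in this patch is all lowercase; on a case-sensitive host that link 404s, so fix the case while this file is being reflowed.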
@@ -39,25 +50,34 @@ If AppLocker policies are currently running in your production environment, expo - [Delete an AppLocker rule](delete-an-applocker-rule.md) - [Enable the DLL rule collection](enable-the-dll-rule-collection.md) - [Enforce AppLocker rules](enforce-applocker-rules.md) + ## Step 4: Test and update AppLocker policy on the reference device + You should test each set of rules to ensure that they perform as intended. The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference device. Perform the steps on each reference device that you used to define the AppLocker policy. Ensure that the reference device is joined to the domain and that it is receiving the AppLocker policy from the appropriate GPO. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules to simultaneously test all of your test GPOs. Use the following procedures to complete this step: + - [Test an AppLocker Policy with Test-AppLockerPolicy](http://technet.microsoft.com/library/ee791772(WS.10).aspx) - [Discover the Effect of an AppLocker Policy](http://technet.microsoft.com/library/ee791823(WS.10).aspx) -**Caution**   -If you have set the enforcement setting on the rule collection to **Enforce rules** or you have not configured the rule collection, the policy will be implemented when the GPO is updated in the next step. If you have set the enforcement setting on the rule collection to **Audit only**, application access events are written to the AppLocker log, and the policy will not take effect. + +>**Caution:**  If you have set the enforcement setting on the rule collection to **Enforce rules** or you have not configured the rule collection, the policy will be implemented when the GPO is updated in the next step. 
If you have set the enforcement setting on the rule collection to **Audit only**, application access events are written to the AppLocker log, and the policy will not take effect.   ## Step 5: Export and import the policy into production + When the AppLocker policy has been tested successfully, it can be imported into the GPO (or imported into individual computers that are not managed by Group Policy) and checked for its intended effectiveness. To do this, perform the following procedures: + - [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) - [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) or - [Discover the Effect of an AppLocker Policy](http://technet.microsoft.com/library/ee791823(WS.10).aspx) + If the AppLocker policy enforcement setting is **Audit only** and you are satisfied that the policy is fulfilling your intent, you can change it to **Enforce rules**. For info about how to change the enforcement setting, see [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md). + ## Step 6: Monitor the effect of the policy in production + If additional refinements or updates are necessary after a policy is deployed, use the appropriate following procedures to monitor and update the policy: + - [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) - [Edit an AppLocker policy](edit-an-applocker-policy.md) - [Refresh an AppLocker policy](refresh-an-applocker-policy.md) + ## See also -[Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) -  -  + +- [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) diff --git a/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md index 01e857dfe3..17fe40b6a1 100644 
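Review bot: Step 4 in this hunk says **Test-AppLockerPolicy** "can be used to determine whether any of the rules in your rule collection will be blocked on your reference device"; rules are not blocked, files are. The cmdlets topic later in this patch describes it correctly as testing "whether a specified list of files are allowed to run or not", so reword Step 4 to say the cmdlet reports which files the policy would allow or deny for a given user.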
--- a/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md +++ b/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md 
@@ -2,18 +2,26 @@ title: Use AppLocker and Software Restriction Policies in the same domain (Windows 10) description: This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. ms.assetid: 2b7e0cec-df62-49d6-a2b7-6b8e30180943 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Use AppLocker and Software Restriction Policies in the same domain + **Applies to** - Windows 10 + This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. + ## Using AppLocker and Software Restriction Policies in the same domain -AppLocker is supported on systems running Windows 7 and above. Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. You can continue to use SRP for application control on your pre-Windows 7 computers, but use AppLocker for computers running Windows Server 2008 R2, Windows 7 and later. It is recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, Windows 7 and later, the SRP policies are ignored. + +AppLocker is supported on systems running Windows 7 and above. Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. You can continue to use SRP for application control on your pre-Windows 7 computers, but use AppLocker for computers running +Windows Server 2008 R2, Windows 7 and later. It is recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. 
When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, +Windows 7 and later, the SRP policies are ignored. + The following table compares the features and functions of Software Restriction Policies (SRP) and AppLocker. diff --git a/windows/keep-secure/use-the-applocker-windows-powershell-cmdlets.md b/windows/keep-secure/use-the-applocker-windows-powershell-cmdlets.md index 4ccedff7ca..d7cd5120c4 100644 --- a/windows/keep-secure/use-the-applocker-windows-powershell-cmdlets.md +++ b/windows/keep-secure/use-the-applocker-windows-powershell-cmdlets.md 
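Review bot: the reflowed paragraph states that SRP "is supported on systems running Windows Vista or earlier" and two sentences later describes SRP and AppLocker policies both being applied to computers running Windows 7 and later; both cannot be true as written. Rephrase to say SRP is still available on Windows 7 and later but its rules are ignored on any computer where AppLocker rules are present, which is the behavior the last sentence already describes, and keep the guidance to author SRP and AppLocker rules in separate GPOs.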
@@ -2,30 +2,51 @@ title: Use the AppLocker Windows PowerShell cmdlets (Windows 10) description: This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. ms.assetid: 374e029c-5c0a-44ab-a57a-2a9dd17dc57d -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Use the AppLocker Windows PowerShell cmdlets + **Applies to** - Windows 10 + This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. + ## AppLocker Windows PowerShell cmdlets -The five AppLocker cmdlets are designed to streamline the administration of an AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the Microsoft Management Console (MMC) snap-in extension to the Local Security Policy snap-in and Group Policy Management Console. -To edit or update a Group Policy Object (GPO) by using the AppLocker cmdlets, you must have Edit Setting permission. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. To perform tasks by using the Local Security policy snap-in, you must be a member of the local **Administrators** group, or equivalent, on the computer. + +The five AppLocker cmdlets are designed to streamline the administration of an AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. 
The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the +Microsoft Management Console (MMC) snap-in extension to the Local Security Policy snap-in and Group Policy Management Console. + +To edit or update a Group Policy Object (GPO) by using the AppLocker cmdlets, you must have Edit Setting permission. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. To perform tasks by using the +Local Security policy snap-in, you must be a member of the local **Administrators** group, or equivalent, on the computer. + ### Retrieve application information -The [Get-AppLockerFileInformation](http://technet.microsoft.com/library/hh847209.aspx) cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information. + +The [Get-AppLockerFileInformation](http://technet.microsoft.com/library/hh847209.aspx) cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. + +File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information. + ### Set AppLocker policy + The [Set-AppLockerPolicy](http://technet.microsoft.com/library/hh847212.aspx) cmdlet sets the specified GPO to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default. 
+ ### Retrieve an AppLocker policy + The [Get-AppLockerPolicy](http://technet.microsoft.com/library/hh847214.aspx) cmdlet gets the AppLocker policy from the local GPO, from a specified GPO, or from the effective AppLocker policy on the device. The output of the AppLocker policy is an AppLockerPolicy object or an XML-formatted string. + ### Generate rules for a given user or group -The [New-AppLockerPolicy](http://technet.microsoft.com/library/hh847211.aspx) cmdlet uses a list of file information to automatically generate rules for a given user or group. It can generate rules based on publisher, hash, or path information. Use **Get-AppLockerFileInformation** to create the list of file information. + +The [New-AppLockerPolicy](http://technet.microsoft.com/library/hh847211.aspx) cmdlet uses a list of file information to automatically generate rules for a given user or group. It can generate rules based on publisher, hash, or path information. Use **Get-AppLockerFileInformation** to create the +list of file information. + ### Test the AppLocker Policy against a file set + The [Test-AppLockerPolicy](http://technet.microsoft.com/library/hh847213.aspx) cmdlet uses the specified AppLocker policy to test whether a specified list of files are allowed to run or not on the local device for a specific user. + ## Additional resources + - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md). -  -  diff --git a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md index dd0fc24f67..717abdaec8 100644 --- a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md 
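Review bot: in the `@@ -2,30 +2,51 @@` hunk the re-wrapped paragraphs now break mid-sentence at hard wraps (`accessed through the` / `+Microsoft Management Console (MMC) snap-in extension...`, `To perform tasks by using the` / `+Local Security policy snap-in`, and `Use **Get-AppLockerFileInformation** to create the` / `+list of file information`) while every other paragraph in this file stays on one line; rendered Markdown joins them, but the mixed wrapping makes later diffs noisy, so keep one paragraph per line. Since these paragraphs are being touched, two pre-existing wording defects in the surrounding context are worth fixing in the same change: the Set-AppLockerPolicy sentence should read "If no LDAP path is specified, the local GPO is the default" (LDAP is the protocol; what the cmdlet takes is the LDAP path of the target GPO, which is also why the sentence goes on to contrast it with the local GPO), and "test whether a specified list of files are allowed to run" should be "is allowed to run". Removing the trailing non-breaking-space lines (`-  `) at the end of the file is a good cleanup.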
@@ -3,9 +3,10 @@ title: Use the Windows Defender Advanced Threat Protection portal description: Learn about the features on Windows Defender ATP portal, including how alerts work, and suggestions on how to investigate possible breaches and attacks. keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate machines, submit files, deep analysis, high, medium, low, severity, ioc, ioa search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md b/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md index cc7a0adbb4..846f249f82 100644 --- a/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md +++ b/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md 
@@ -2,22 +2,33 @@ title: Use Windows Event Forwarding to help with intrusion detection (Windows 10) description: Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. ms.assetid: 733263E5-7FD1-45D2-914A-184B9E3E6A3F -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: tedhardyMSFT --- + # Use Windows Event Forwarding to help with intrusion detection + **Applies to** - Windows 10 + Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. + Windows Event Forwarding (WEF) reads any operational or administrative event log on a device in your organization and forwards the events you choose to a Windows Event Collector (WEC) server. -To accomplish this, there are two different of subscriptions published to client devices - the Baseline subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a Suspect subscription only includes devices that have been added by you. The Suspect subscription collects additional events to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios as needed without impacting baseline operations. + +To accomplish this, there are two different of subscriptions published to client devices - the Baseline subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a Suspect subscription only includes devices that have been added by you. The +Suspect subscription collects additional events to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios as needed without impacting baseline operations. 
+ This implementation helps differentiate where events are ultimately stored. Baseline events can be sent to devices with online analytical capability, such as Security Event Manager (SEM), while also sending events to a MapReduce system, such as HDInsight or Hadoop, for long-term storage and deeper analysis. Events from the Suspect subscription are sent directly to a MapReduce system due to volume and lower signal/noise ratio, they are largely used for host forensic analysis. + An SEM’s strength lies in being able to inspect, correlate events, and generate alerts for known patterns manner and alert security staff at machine speed. + A MapReduce system has a longer retention time (years versus months for an SEM), larger ingress ability (hundreds of terabytes per day), and the ability to perform more complex operations on the data like statistical and trend analysis, pattern clustering analysis, or apply Machine Learning algorithms. + Here's an approximate scaling guide for WEF events: + | Events/second range | Data store | |---------------------|----------------------------| | 0 - 5,000 | SQL or SEM | 
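Review bot: the rewritten line `+To accomplish this, there are two different of subscriptions published to client devices - the Baseline subscription and the suspect subscription.` carries over a typo ("two different of subscriptions" should be "two different subscriptions") and an inconsistent name: the same sentence capitalizes "Suspect subscription" on its next line, and the rest of the topic calls it the "Targeted WEF subscription" (see "This means you would create two base subscriptions" and the "Subscription information" section), so pick one name while the line is being changed. Two context lines in this hunk are garbled and could be corrected in the same pass: "generate alerts for known patterns manner and alert security staff at machine speed" (drop "manner"), and the comma splice "sent directly to a MapReduce system due to volume and lower signal/noise ratio, they are largely used for host forensic analysis" (split into two sentences).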
@@ -25,54 +36,91 @@ Here's an approximate scaling guide for WEF events: | 50,000+ | Hadoop/HDInsight/Data Lake |   Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF implementation, including enabling of disabled event logs and setting channel permissions. For more info, see [Appendix C - Event channel settings (enable and channel access) methods](#bkmk-appendixc). This is because WEF is a passive system with regards to the event log. It cannot change the size of event log files, enable disabled event channels, change channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events. Additionally, having event generation already occurring on a device allows for more complete event collection building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF subscription refresh cycles to make changes to what is being generated on the device. On modern devices, enabling additional event channels and expanding the size of event log files has not resulted in noticeable performance differences. + For the minimum recommended audit policy and registry system ACL settings, see [Appendix A - Minimum recommended minimum audit policy](#bkmk-appendixa) and [Appendix B - Recommended minimum registry system ACL policy](#bkmk-appendixb). -**Note**   -These are only minimum values need to meet what the WEF subscription selects. + +>**Note:**  These are only minimum values need to meet what the WEF subscription selects.   From a WEF subscription management perspective, the event queries provided should be used in two separate subscriptions for ease of maintenance; only machines meeting specific criteria would be allowed access to the targeted subscription, this access would be determined by an algorithm or an analysts’ direction. All devices should have access to the Baseline subscription. 
+ This means you would create two base subscriptions: + - **Baseline WEF subscription**. Events collected from all hosts, this includes some role-specific events, which will only be emitted by those machines. - **Targeted WEF subscription**. Events collected from a limited set of hosts due to unusual activity and/or heightened awareness for those systems. + Each using the respective event query below. Note that for the Targeted subscription enabling the “read existing events” option should be set to true to allow collection of existing events from systems. By default, WEF subscriptions will only forward events generated after the WEF subscription was received by the client. + In [Appendix E – Annotated Baseline Subscription Event Query](#bkmk-appendixe) and [Appendix F – Annotated Suspect Subscription Event Query](#bkmk-appendixf), the event query XML is included when creating WEF subscriptions. These are annotated for query purpose and clarity. Individual <Query> element can be removed or edited without affecting the rest of the query. + ### Common WEF questions + This section addresses common questions from IT pros and customers. + ### Will the user notice if their machine is enabled for WEF or if WEF encounters an error? + The short answer is: No. + The longer answer is: The **Eventlog-forwardingPlugin/Operational** event channel logs the success, warning, and error events related to WEF subscriptions present on the device. Unless the user opens Event Viewer and navigates to that channel, they will not notice WEF either through resource consumption or Graphical User Interface pop-ups. Even if there is an issue with the WEF subscription, there is no user interaction or performance degradation. All success, warning, and failure events are logged to this operational event channel. + ### Is WEF Push or Pull? + A WEF subscription can be configured to be push or pull, but not both. 
The simplest, most flexible IT deployment with the greatest scalability can be achieved by using a push, or source initiated, subscription. WEF clients are configured by using a GPO and the built-in forwarding client is activated. For pull, collector initiated, the subscription on the WEC server is pre-configured with the names of the WEF Client devices from which events are to be selected. Those clients also have to be configured ahead of time to allow the credentials used in the subscription to access their event logs remotely (normally by adding the credential to the **Event Log Readers** built-in local security group.) A useful scenario: closely monitoring a specific set of machines. + ### Will WEF work over VPN or RAS? + WEF handles VPN, RAS, and DirectAccess scenarios well and will reconnect and send any accumulated backlog of events when the connection to the WEF Collector is re-established. + ### How is client progress tracked? -The WEC server maintains in its registry the bookmark information and last heartbeat time for each event source for each WEF subscription. When an event source re-connects to a WEC server, the last bookmark position is sent to the device to use as a starting point to resume forwarding events. If a WEF client has no events to send, the WEF client will connect periodically to send a Heartbeat to the WEC server to indicate it is active. This heartbeat value can be individually configured for each subscription. + +The WEC server maintains in its registry the bookmark information and last heartbeat time for each event source for each WEF subscription. When an event source re-connects to a WEC server, the last bookmark position is sent to the device to use as a starting point to resume forwarding events. If a +WEF client has no events to send, the WEF client will connect periodically to send a Heartbeat to the WEC server to indicate it is active. This heartbeat value can be individually configured for each subscription. 
+ ### Will WEF work in an IPv4, IPv6, or mixed IPv4/IPv6 environment? + Yes. WEF is transport agnostic and will work over IPv4 or IPv6. + ### Are WEF events encrypted? I see an HTTP/HTTPS option! + In a domain setting, the connection used to transmit WEF events is encrypted using Kerberos, by default (with NTLM as a fallback option, which can be disabled by using a GPO). Only the WEF collector can decrypt the connection. Additionally, the connection between WEF client and WEC server is mutually authenticated regardless of authentication type (Kerberos or NTLM.) There are GPO options to force Authentication to use Kerberos Only. + This authentication and encryption is performed regardless if HTTP or HTTPS is selected. + The HTTPS option is available if certificate based authentication is used, in cases where the Kerberos based mutual authentication is not an option. The SSL certificate and provisioned client certificates are used to provide mutual authentication. + ### Do WEF Clients have a separate buffer for events? + The WEF client machines local event log is the buffer for WEF for when the connection to the WEC server is lost. To increase the “buffer size”, increase the maximum file size of the specific event log file where events are being selected. For more info, see [Appendix C – Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc). + When the event log overwrites existing events (resulting in data loss if the device is not connected to the Event Collector), there is no notification sent to the WEF collector that events are lost from the client. Neither is there an indicator that there was a gap encountered in the event stream. + ### What format is used for forwarded events? -WEF has two modes for forwarded events. The default is “Rendered Text” which includes the textual description of the event as you would see it in Event Viewer. 
This means that the event size is effectively doubled or tripled depending on the size of the rendered description. The alternative mode is “Events” (also sometimes referred to as “Binary” format) – which is just the event XML itself sent in binary XML format (as it would be written to the evtx file.) This is very compact and can more than double the event volume a single WEC server can accommodate. + +WEF has two modes for forwarded events. The default is “Rendered Text” which includes the textual description of the event as you would see it in Event Viewer. This means that the event size is effectively doubled or tripled depending on the size of the rendered description. The alternative mode is +“Events” (also sometimes referred to as “Binary” format) – which is just the event XML itself sent in binary XML format (as it would be written to the evtx file.) This is very compact and can more than double the event volume a single WEC server can accommodate. + A subscription “testSubscription” can be configured to use the Events format through the WECUTIL utility: + ``` syntax @rem required to set the DeliveryMaxItems or DeliveryMaxLatencyTime Wecutil ss “testSubscription” /cf:Events ``` + ### How frequently are WEF events delivered? + Event delivery options are part of the WEF subscription configuration parameters – There are three built-in subscription delivery options: Normal, Minimize Bandwidth, and Minimize Latency. A fourth, catch-all called “Custom” is available but cannot be selected or configured through the WEF UI by using Event Ciewer. The Custom delivery option must be selected and configured using the WECUTIL.EXE command-line application. All subscription options define a maximum event count and maximum event age, if either limit is exceeded then the accumulated events are sent to the event collector. 
+ This table outlines the built-in delivery options: -| Event delivery optimization options | Description | -|-------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Normal | This option ensures reliable delivery of events and does not attempt to conserve bandwidth. It is the appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as quickly as possible. It uses pull delivery mode, batches 5 items at a time and sets a batch timeout of 15 minutes. | -| Minimize bandwidth | This option ensures that the use of network bandwidth for event delivery is strictly controlled. It is an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode and sets a batch timeout of 6 hours. In addition, it uses a heartbeat interval of 6 hours. | -| Minimize latency | This option ensures that events are delivered with minimal delay. It is an appropriate choice if you are collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds. | + +| Event delivery optimization options | Description | +| - | - | +| Normal | This option ensures reliable delivery of events and does not attempt to conserve bandwidth. It is the appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as quickly as possible. It uses pull delivery mode, batches 5 items at a time and sets a batch timeout of 15 minutes. | +| Minimize bandwidth | This option ensures that the use of network bandwidth for event delivery is strictly controlled. 
It is an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode and sets a batch timeout of 6 hours. In addition, it uses a heartbeat interval of 6 hours. | +| Minimize latency | This option ensures that events are delivered with minimal delay. It is an appropriate choice if you are collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds. |   For more info about delivery options, see [Configure Advanced Subscription Settings](http://technet.microsoft.com/library/cc749167.aspx). + The primary difference is in the latency which events are sent from the client. If none of the built-in options meet your requirements you can set Custom event delivery options for a given subscription from an elevated command prompt: + ``` syntax @rem required to set the DeliveryMaxItems or DeliveryMaxLatencyTime Wecutil ss “SubscriptionNameGoesHere” /cm:Custom 
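Review bot: the converted note `>**Note:**  These are only minimum values need to meet what the WEF subscription selects.` keeps the grammar error from the old line; it should read "needed to meet". Three smaller issues on the context lines of this hunk are worth a drive-by fix: the `Wecutil ss “testSubscription” /cf:Events` and `Wecutil ss “SubscriptionNameGoesHere” /cm:Custom` snippets use typographic quotes (“ ”), which cmd.exe does not treat as quote characters, so a reader who copies them gets a subscription name containing literal curly quotes; the `@rem required to set the DeliveryMaxItems or DeliveryMaxLatencyTime` comment has been duplicated above the `/cf:Events` command, where it does not apply (it belongs only to the `/cm:Custom` block that sets `/dmi` and `/dmlt`); and "by using Event Ciewer" should be "Event Viewer". The new `| - | - |` delimiter row renders correctly, and moving the note to blockquote form matches the other files in this patch.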
@@ -82,122 +130,209 @@ Wecutil ss “SubscriptionNameGoesHere” /dmi:1 Wecutil ss “SubscriptionNameGoesHere” /dmlt:10 ``` ### How do I control which devices have access to a WEF Subscription? + For source initiated subscriptions: Each WEF subscription on a WEC server has its own ACL for machine accounts or security groups containing machine accounts (not user accounts) that are explicitly allowed to participate in that subscription or are explicitly denied access. This ACL applies to only a single WEF subscription (since there can be multiple WEF subscriptions on a given WEC server), other WEF Subscriptions have their own separate ACL. + For collector initiated subscriptions: The subscription contains the list of machines from which the WEC server is to collect events. This list is managed at the WEC server, and the credentials used for the subscription must have access to read event logs from the WEF Clients – the credentials can be either the machine account or a domain account. + ### Can a client communicate to multiple WEF Event Collectors? + Yes. If you desire a High-Availability environment, simply configure multiple WEC servers with the same subscription configuration and publish both WEC Server URIs to WEF clients. WEF Clients will forward events simultaneously to the configured subscriptions on the WEC servers, if they have the appropriate access. + ### What are the WEC server’s limitations? + There are three factors that limit the scalability of WEC servers. The general rule for a stable WEC server on commodity hardware is “10k x 10k” – meaning, no more than 10,000 concurrently active WEF Clients per WEC server and no more than 10,000 events/second average event volume. + - **Disk I/O**. The WEC server does not process or validate the received event, but rather buffers the received event and then logs it to a local event log file (EVTX file). The speed of logging to the EVTX file is limited by the disk write speed. 
Isolating the EVTX file to its own array or using high speed disks can increase the number of events per second that a single WEC server can receive. - **Network Connections**. While a WEF source does not maintain a permanent, persistent connection to the WEC server, it does not immediately disconnect after sending its events. This means that the number of WEF sources that can simultaneously connect to the WEC server is limited to the open TCP ports available on the WEC server. - **Registry size**. For each unique device that connects to a WEF subscription, there is a registry key (corresponding to the FQDN of the WEF Client) created to store bookmark and source heartbeat information. If this is not pruned to remove inactive clients this set of registry keys can grow to an unmanageable size over time. + - When a subscription has >1000 WEF sources connect to it over its operational lifetime, also known as lifetime WEF sources, Event Viewer can become unresponsive for a few minutes when selecting the **Subscriptions** node in the left-navigation, but will function normally afterwards. - At >50,000 lifetime WEF sources, Event Viewer is no longer an option and wecutil.exe (included with Windows) must be used to configure and manage subscriptions. - At >100,000 lifetime WEF sources, the registry will not be readable and the WEC server will likely have to be rebuilt. + ## Subscription information + Below lists all of the items that each subscription collects, the actual subscription XML is available in an Appendix. These are separated out into Baseline and Targeted. The intent is to subscribe all hosts to Baseline, and then enroll (and remove) hosts on an as needed basis to the Targeted subscription. + ### Baseline subscription + While this appears to be the largest subscription, it really is the lowest volume on a per-device basis. 
(Exceptions should be allowed for unusual devices – a device performing complex developer related tasks can be expected to create an unusually high volume of process create and AppLocker events.) This subscription does not require special configuration on client devices to enable event channels or modify channel permissions. + The subscription is essentially a collection of query statements applied to the Event Log. This means that it is modular in nature and a given query statement can be removed or changed without impacting other query statement in the subscription. Additionally, suppress statements which filter out specific events, only apply within that query statement and are not to the entire subscription. + ### Baseline subscription requirements + To gain the most value out of the baseline subscription we recommend to have the following requirements set on the device to ensure that the clients are already generating the required events to be forwarded off the system. + - Apply a security audit policy that is a super-set of the recommended minimum audit policy. For more info, see [Appendix A – Minimum Recommended minimum Audit Policy](#bkmk-appendixa). This ensures that the security event log is generating the required events. - Apply at least an Audit-Only AppLocker policy to devices. + - If you are already whitelisting or blacklisting events by using AppLocker, then this requirement is met. - AppLocker events contain extremely useful information, such as file hash and digital signature information for executables and scripts. + - Enable disabled event channels and set the minimum size for modern event files. - Currently, there is no GPO template for enabling or setting the maximum size for the modern event files. This must be done by using a GPO. For more info, see [Appendix C – Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc). + The annotated event query can be found in the following. 
For more info, see [Appendix F – Annotated Baseline Subscription Event Query](#bkmk-appendixf). + - Anti-malware events from Microsoft Antimalware or Windows Defender. This can be configured for any given anti-malware product easily if it writes to the Windows event log. - Security event log Process Create events. - AppLocker Process Create events (EXE, script, packaged App installation and execution). - Registry modification events. For more info, see [Appendix B – Recommended minimum Registry System ACL Policy](#bkmk-appendixb). - OS startup and shutdown + - Startup event include operating system version, service pack level, QFE version, and boot mode. + - Service install + - Includes what the name of the service, the image path, and who installed the service. + - Certificate Authority audit events + - This is only applicable on systems with the Certificate Authority role installed. - Logs certificate requests and responses. + - User profile events + - Use of a temporary profile or unable to create a user profile may indicate an intruder is interactively logging into a device but not wanting to leave a persistent profile behind. + - Service start failure + - Failure codes are localized, so you have to check the message DLL for values. + - Network share access events + - Filter out IPC$ and /NetLogon file shares, which are expected and noisy. + - System shutdown initiate requests + - Find out what initiated the restart of a device. + - User initiated interactive logoff event - Remote Desktop Services session connect, reconnect, or disconnect. - EMET events, if EMET is installed. - Event forwarding plugin events + - For monitoring WEF subscription operations, particularly Partial Success events. This is useful for diagnosing deployment issues. + - Network share create and delete + - Enables detection of unauthorized share creation. - **Note**  All shares are re-created when the device starts. + >**Note:**  All shares are re-created when the device starts.   
- Logon sessions + - Logon success for interactive (local and Remote Interactive/Remote Desktop) - Logon success for services for non-built-in accounts, such as LocalSystem, LocalNetwork, and so on. - Logon success for batch sessions - Logon session close, which are logoff events for non-network sessions. + - Windows Error Reporting (Application crash events only) + - This can help detect early signs of intruder not familiar with enterprise environment using targeted malware. + - Event log service events + - Errors, start events, and stop events for the Windows Event Log service. + - Event log cleared (including the Security Event Log) + - This could indicate an intruder that are covering their tracks. + - Special privileges assigned to new logon + - This indicates that at the time of logon a user is either an Administrator or has the sufficient access to make themselves Administrator. + - Outbound Remote Desktop Services session attempts + - Visibility into potential beachhead for intruder + - System time changed - SMB Client (mapped drive connections) - Account credential validation + - Local accounts or domain accounts on domain controllers + - A user was added or removed from the local Administrators security group. - Crypto API private key accessed + - Associated with signing objects using the locally stored private key. + - Task Scheduler task creation and delete + - Task Scheduler allows intruders to run code at specified times as LocalSystem. + - Logon with explicit credentials + - Detect credential use changes by intruders to access additional resources. + - Smartcard card holder verification events + - This detects when a smartcard is being used. + ### Suspect subscription + This adds some possible intruder-related activity to help analyst further refine their determinations about the state of the device. + - Logon session creation for network sessions + - Enables time-series analysis of network graphs. 
+ - RADIUS and VPN events + - Useful if you use a Microsoft IAS RADIUS/VPN implementation. It shows user-> IP address assignment with remote IP address connecting to the enterprise. + - Crypto API X509 object and build chain events + - Detects known bad certificate, CA, or sub-CA - Detects unusual process use of CAPI + - Groups assigned to local logon + - Gives visibility to groups which enable account wide access - Allows better planning for remediation efforts - Excludes well known, built-in system accounts. + - Logon session exit + - Specific for network logon sessions. + - Client DNS lookup events + - Returns what process performed a DNS query and the results returned from the DNS server. + - Process exit + - Enables checking for processes terminating unexpectedly. + - Local credential validation or logon with explicit credentials + - Generated when the local SAM is authoritative for the account credentials being authenticated. - Noisy on domain controllers - On client devices this is only generated when local accounts log on. + - Registry modification audit events + - Only when a registry value is being created, modified, or deleted. + - Wireless 802.1x authentication + - Detect wireless connection with a peer MAC address + - Windows PowerShell logging + - Covers Windows PowerShell 2.0 and later and includes the Windows PowerShell 5.0 logging improvements for in-memory attacks using Windows PowerShell. - Includes Windows PowerShell remoting logging + - User Mode Driver Framework “Driver Loaded” event + - Can possibly detect a USB device loading multiple device drivers. For example, a USB\_STOR device loading the keyboard or network driver. + ## Appendix A - Minimum recommended minimum audit policy + If your organizational audit policy enables additional auditing to meet its needs, that is fine. The policy below is the minimum audit policy settings needed to enable events collected by both baseline and targeted subscriptions. 
+ | Category | Subcategory | Audit settings | |--------------------|---------------------------------|---------------------| | Account Logon | Credential Validation | Success and Failure | 
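Review bot: the Baseline subscription section still points at the wrong appendix: `The annotated event query can be found in the following. For more info, see [Appendix F – Annotated Baseline Subscription Event Query](#bkmk-appendixf)` should link to Appendix E / `#bkmk-appendixe`, because the headings added further down in this same file (and the paragraph in the first hunk) define Appendix E as the annotated Baseline query and Appendix F as the annotated Suspect query. Two context lines nearby also deserve a fix while this list is being re-spaced: `Currently, there is no GPO template for enabling or setting the maximum size for the modern event files. This must be done by using a GPO.` contradicts itself; per Appendix C the mechanism is a scheduled task deployed through the baseline GPO, so say that. And `Logon success for services for non-built-in accounts, such as LocalSystem, LocalNetwork, and so on` names an account that does not exist; the built-in service accounts are LocalSystem, LocalService and NetworkService. The blank lines inserted between parent and child bullets turn these into loose lists, which renders fine but is inconsistent with the tight lists left elsewhere in the document (for example the numbered steps in Appendix D).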
@@ -232,28 +367,46 @@ If your organizational audit policy enables additional auditing to meet its need | System | System Integrity | Success and Failure |   ## Appendix B - Recommended minimum registry system ACL policy + The Run and RunOnce keys are useful for intruders and malware persistence. It allows code to be run (or run only once then removed, respectively) when a user logs into the system. + This can easily be extended to other Auto-Execution Start Points keys in the registry. + Use the following figures to see how you can configure those registry keys. -![default acl for run key](images/runkey.png)![default acl for runonce key](images/runoncekey.png) + +![default acl for run key](images/runkey.png) + +![default acl for runonce key](images/runoncekey.png) + ## Appendix C - Event channel settings (enable and channel access) methods + Some channels are disabled by default and have to be enabled. Others, such as Microsoft-Windows-CAPI2/Operational must have the channel access modified to allow the Event Log Readers built-in security group to read from it. + The recommended and most effective way to do this is to configure the baseline GPO to run a scheduled task to configure the event channels (enable, set maximum size, and adjust channel access.) This will take effect at the next GPO refresh cycle and has minimal impact on the client device. + The following GPO snippet performs the following: + - Enables the **Microsoft-Windows-Capi2/Operational** event channel. - Sets the maximum file size for **Microsoft-Windows-Capi2/Operational** to 100MB. - Sets the maximum file size for **Microsoft-Windows-AppLocker/EXE and DLL** to 100MB. - Sets the maximum channel access for **Microsoft-Windows-Capi2/Operational** to include the built-in Event Log Readers security group. - Enables the **Microsoft-Windows-DriverFrameworks-UserMode/Operational** event channel. - Sets the maximum file size for **Microsoft-Windows-DriverFrameworks-UserMode/Operational** to 50MB. 
+ ![configure event channels](images/capi-gpo.png) + ## Appendix D - Minimum GPO for WEF Client configuration + Here are the minimum steps for WEF to operate: + 1. Configure the collector URI(s). 2. Start the WinRM service. 3. Add the Network Service account to the built-in Event Log Readers security group. This allows reading from secured event channel, such as the security event channel. + ![configure the wef client](images/wef-client-config.png) + ## Appendix E – Annotated baseline subscription event query + ``` syntax @@ -416,8 +569,11 @@ Here are the minimum steps for WEF to operate: ``` + ## Appendix F – Annotated Suspect Subscription Event Query + ``` syntax + @@ -486,10 +642,10 @@ Here are the minimum steps for WEF to operate: ``` ## Appendix G - Online resources + You can get more info with the following links: -- [Event Selection](http://msdn.microsoft.com/library/aa385231(VS.85).aspx) -- [Event Queries and Event XML](http://msdn.microsoft.com/library/bb399427(VS.90).aspx) -- [Event Query Schema](http://msdn.microsoft.com/library/aa385760(VS.85).aspx) + +- [Event Selection](http://msdn.microsoft.com/library/aa385231.aspx) +- [Event Queries and Event XML](http://msdn.microsoft.com/library/bb399427.aspx) +- [Event Query Schema](http://msdn.microsoft.com/library/aa385760.aspx) - [Windows Event Collector](http://msdn.microsoft.com/library/windows/desktop/bb427443.aspx) -  -  diff --git a/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md index 9f31ef56eb..7b203c0bcd 100644 --- a/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md +++ b/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md 
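Review bot: The Appendix B paragraph added at the top of the `@@ -232,28 +367,46 @@` hunk has a plural subject with a singular verb and pronoun: `The Run and RunOnce keys are useful for intruders and malware persistence. It allows code to be run ...` should read `They allow code to be run ...`. In the same hunk the recommended registry ACL and the Appendix C GPO snippet exist only as images (`images/runkey.png`, `images/runoncekey.png`, `images/capi-gpo.png`); consider stating the ACL entries and the scheduled-task settings in text as well, so readers can apply and audit them without transcribing from a screenshot. In Appendix D, `This allows reading from secured event channel, such as the security event channel.` needs the plural `secured event channels`.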
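Review bot: The three MSDN links rewritten in the `@@ -486,10 +642,10 @@` hunk drop the `(VS.85)` and `(VS.90)` path segments, which removes the unbalanced parenthesis that breaks markdown link parsing, but it relies on MSDN redirecting the shortened URL. Please confirm each shortened link still resolves to the same topic, or keep the original path with the parentheses percent-encoded (for example `aa385231%28VS.85%29.aspx`) so the link target is unchanged while the markdown stays valid.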
@@ -2,87 +2,83 @@ title: User Account Control Admin Approval Mode for the Built-in Administrator account (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Admin Approval Mode for the Built-in Administrator account security policy setting. ms.assetid: d465fc27-1cd2-498b-9cf6-7ad2276e5998 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Admin Approval Mode for the Built-in Administrator account **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Admin Approval Mode for the Built-in Administrator account** security policy setting. + ## Reference + This policy setting determines the behavior of Admin Approval Mode for the built-in administrator account. When the Admin Approval Mode is enabled, the local administrator account functions like a standard user account, but it has the ability to elevate privileges without logging on by using a different account. In this mode, any operation that requires elevation of privilege displays a prompt that allows the administrator to permit or deny the elevation of privilege. If Admin Approval Mode is not enabled, the built-in Administrator account logs on in Windows XP Mode, and it runs all applications by default with full administrative privileges. By default, this setting is set to **Disabled**. -**Note**   -If a computer is upgraded from a previous version of the Windows operating system, and the administrator account is the only account on the computer, the built-in administrator account remains enabled, and this setting is also enabled. 
+ +>**Note:**  If a computer is upgraded from a previous version of the Windows operating system, and the administrator account is the only account on the computer, the built-in administrator account remains enabled, and this setting is also enabled.   ### Possible values + - Enabled + The built-in administrator account logs on in Admin Approval Mode so that any operation that requires elevation of privilege displays a prompt that provides the administrator the option to permit or deny the elevation of privilege. + - Disabled + The built-in administrator account logs on in Windows XP Mode, and it runs all applications by default with full administrative privileges. + ### Best practices + - Do not enable the built-in administrator account on the client computer, but use the standard user account and User Account Control (UAC). + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. -
---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + One of the risks of the User Account Control (UAC) feature is that it is intended to mitigate malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for malicious programs is to discover the password of the administrator account because that user account was created for all installations of the Windows. To address this risk, the built-in administrator account is disabled in computers running at least Windows Vista. In computers running at least Windows Server 2008, the administrator account is enabled, and the password must be changed the first time the Administrator logs on. In a default installation of a computer running at least Windows Vista, accounts with administrative control over the computer are initially set up in one of two ways: + - If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. - If the computer is joined to a domain, no local administrator accounts are created. 
The enterprise or domain administrator must log on to the computer and create a local administrator account if one is warranted. + ### Countermeasure + Enable the **User Account Control: Admin Approval Mode for the Built-in Administrator account** setting if you have the built-in Administrator account enabled. + ### Potential impact + Users who log on by using the local administrator account are prompted for consent whenever a program requests an elevation in privilege. ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md index 3215dba248..e80369cae9 100644 --- a/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md +++ b/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md 
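Review bot: In the Reference and Possible values sections of the `@@ -2,87 +2,83 @@` hunk for user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md, `logs on in Windows XP Mode` is ambiguous because Windows XP Mode is also the name of the Windows 7 virtual machine feature; consider wording such as `logs on with a full administrator access token, as in Windows XP` to make clear this describes the legacy, non-UAC behaviour. In the Vulnerability paragraph, `the first user account you create has the equivalent permissions as a local administrator` should be `permissions equivalent to those of a local administrator`, and `all installations of the Windows` should be `all installations of Windows`.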
@@ -2,104 +2,118 @@ title: User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop (Windows 10) description: Describes the best practices, location, values, and security considerations for the User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop security policy setting. ms.assetid: fce20472-3c93-449d-b520-13c4c74a9892 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop** security policy setting. + ## Reference + This security setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts that are used by a standard user. -**Note**   -This setting does not change the behavior of the UAC elevation prompt for administrators. + +>**Note:**  This setting does not change the behavior of the UAC elevation prompt for administrators.   **Background** + User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI does not interfere with or change the behavior of messages between applications at the same privilege (or integrity) level. + Microsoft UI Automation is the current model to support accessibility requirements in the Windows operating systems. 
Applications that are designed to support an accessible user experience control the behavior of other Windows applications on behalf of the user. When all applications on the automation client computer and server are running as a standard user (that is, at a medium integrity level), the UIPI restrictions do not interfere with the Microsoft UI automation model. + However, there might be times when an administrative user runs an application with elevated privilege based on UAC in Admin Approval Mode. Microsoft UI Automation cannot drive the UI graphics of elevated applications on the desktop without the ability to bypass the restrictions that UIPI implements. The ability to bypass UIPI restrictions across privilege levels is available for UI automation programs by using UIAccess. -If an application presents a UIAccess attribute when it requests privileges, the application is stating a requirement to bypass UIPI restrictions for sending messages across privilege levels. Devices implement the following policy checks before starting an application with UIAccess privilege. + +If an application presents a UIAccess attribute when it requests privileges, the application is stating a requirement to bypass UIPI restrictions for sending messages across privilege levels. Devices implement the following policy +checks before starting an application with UIAccess privilege. + 1. The application must have a digital signature that can be verified by using a digital certificate that is associated with the Trusted Root Certification Authorities store on the local computer. 2. The application must be installed in a local folder that is writeable only by administrators, such as the Program Files directory. The allowed directories for UI automation applications are: + 1. %ProgramFiles% and its subdirectories. 2. %WinDir% and its subdirectories, except a few subdirectories that are excluded because standard users have write access. 
+ **Resulting behavior** + When this setting is enabled, UIAccess programs (including Windows Remote Assistance) can automatically disable the secure desktop for elevation prompts. Unless you have also disabled elevation prompts, the prompts appear on the interactive user's desktop instead of on the secure desktop. The prompts also appear on the remote administrator's view of the desktop during a Windows Remote Assistance session, and the remote administrator can provide the appropriate credentials for elevation. + If you disable this setting, the secure desktop can only be disabled by the user of the interactive desktop or by disabling the [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md) setting, which by default is enabled. + ### Possible values + - Enabled + UIA programs can automatically disable the secure desktop for elevation prompts, and unless you have also disabled elevation prompts, the prompts appear on the interactive user's desktop instead of on the secure desktop. Prompts will also appear on the remote administrator's view of the desktop during a Windows Remote Assistance session, and the remote administrator can provide the appropriate credentials for elevation. + - Disabled + The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting. + ### Best practices + - Best practices are dependent on your security policies and your remote operational requirements. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +Server type or GPO| Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ### Policy interactions + If you plan to enable this setting, you should also review the effect of the [User Account Control: Behavior of the elevation prompt for standard users](user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md) setting. If it is configured as **Automatically deny elevation requests**, elevation requests are not presented to the user. If you disable this setting, the secure desktop can only be disabled by the user of the interactive desktop or by disabling the [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md) setting, which by default is enabled. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + UIA programs are designed to interact with Windows and application programs on behalf of a user. 
This setting allows UIA programs to bypass the secure desktop to increase usability in certain cases, but it allows elevation requests to appear on the regular interactive desktop instead of on the secure desktop. This increases the risk that a malicious program could intercept data that is being transferred between the UI and the application. Because UIA programs must be able to respond to prompts regarding security issues, such as the UAC elevation prompt, UIA programs must be highly trusted. To be considered trusted, a UIA program must be digitally signed. By default, UIA programs can be run only from the following protected paths: + - ..\\Program Files\\ (and subfolders) - ..\\Program Files (x86)\\ (and subfolders, in 64-bit versions of Windows only) - ..\\Windows\\System32\\ + The requirement to be in a protected path can be disabled by the [User Account Control: Only elevate UIAccess applications that are installed in secure locations](user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md) setting. Although this setting applies to any UIA program, it is used primarily in certain Windows Remote Assistance scenarios. + ### Countermeasure + Disable the **User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop** setting. + ### Potential impact + If a user requests remote assistance from an administrator and the remote assistance session is established, elevation prompts appear on the interactive user's secure desktop and the administrator's remote session is paused. To avoid pausing the remote administrator’s session during elevation requests, the user can select the "Allow IT Expert to respond to User Account Control prompts" check box when setting up the remote assistance session. However, selecting this check box requires that the interactive user respond to an elevation prompt on the secure desktop. 
If the interactive user is a standard user, the user does not have the required credentials to allow elevation. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md index 2f01c9ecc5..97af8126a3 100644 --- a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md +++ b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md 
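Review bot: The new default-values table in the `@@ -2,104 +2,118 @@` hunk for user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md has a header row missing its leading pipe: `+Server type or GPO| Default value |` should be `+| Server type or GPO | Default value |` to match the separator row `| - | - |` and the other files in this change; some markdown renderers will not recognise the table without it. The hunk also introduces a hard line break inside a sentence (`Devices implement the following policy` / `checks before starting an application with UIAccess privilege.`); rejoin it onto one line so the rendered text does not carry a stray break.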
@@ -2,94 +2,99 @@ title: User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode security policy setting. ms.assetid: 46a3c3a2-1d2e-4a6f-b5e6-29f9592f535d -ms.pagetype: security -ms.prod: W10 +ms.prod: ws10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** security policy setting. + ## Reference + This policy setting determines the behavior of the elevation prompt for accounts that have administrative credentials. + ### Possible values + - **Elevate without prompting** + Assumes that the administrator will permit an operation that requires elevation, and additional consent or credentials are not required. - **Note**   - Selecting **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure. + >**Note:**  Selecting **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure.   - **Prompt for credentials on the secure desktop** + When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. 
If the user enters valid credentials, the operation continues with the user's highest available privilege. + - **Prompt for consent on the secure desktop** + When an operation requires elevation of privilege, the user is prompted on the secure desktop to select **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege. + - **Prompt for credential**s + An operation that requires elevation of privilege prompts the administrator to type the user name and password. If the administrator enters valid credentials, the operation continues with the applicable privilege. + - **Prompt for consent** + An operation that requires elevation of privilege prompts the administrator to select **Permit** or **Deny**. If the administrator selects **Permit**, the operation continues with the administrator's highest available privilege. + - **Prompt for consent for non-Windows binaries** + This is the default. When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege. + ### Best practices + - Selecting the option **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values -The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Prompt for consent for non-Windows binaries

DC Effective Default Settings

Prompt for consent for non-Windows binaries

Member Server Effective Default Settings

Prompt for consent for non-Windows binaries

Client Computer Effective Default Settings

Prompt for consent for non-Windows binaries

+ + +| Server type or GPO Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Prompt for consent for non-Windows binaries| +| DC Effective Default Settings | Prompt for consent for non-Windows binaries| +| Member Server Effective Default Settings | Prompt for consent for non-Windows binaries| +| Client Computer Effective Default Settings | Prompt for consent for non-Windows binaries|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + One of the risks that the UAC feature tries to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations, and it permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so. + ### Countermeasure + Configure the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** setting to **Prompt for consent**. + ### Potential impact + Administrators should be made aware that they will be prompted for consent when all binaries attempt to run. 
+ ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md index 727d8b7ba1..7ca4ce4329 100644 --- a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md +++ b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md 
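Review bot: Two defects in the `@@ -2,94 +2,99 @@` hunk for user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md: the front matter changes `ms.prod: W10` to `ms.prod: ws10`, while every other file in this change uses `w10`, so this looks like a typo that will break the product metadata; and the new table header `| Server type or GPO Default value |` has a single cell while its separator row `| - | - |` has two, so the table will not render. It should be `| Server type or GPO | Default value |`. While here, the bold markup in `- **Prompt for credential**s` closes before the trailing `s`; move the closing `**` after the word.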
@@ -2,86 +2,88 @@ title: User Account Control Behavior of the elevation prompt for standard users (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Behavior of the elevation prompt for standard users security policy setting. ms.assetid: 1eae7def-8f6c-43b6-9474-23911fdc01ba -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Behavior of the elevation prompt for standard users + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Behavior of the elevation prompt for standard users** security policy setting. + ## Reference + This policy setting determines the behavior of the elevation prompt for standard users. + ### Possible values + - **Automatically deny elevation requests** + This option returns an “Access denied” error message to standard users when they try to perform an operation that requires elevation of privilege. Most organizations that run desktops as standard users configure this policy to reduce Help Desk calls. + - **Prompt for credentials on the secure desktop** + This is the default. When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + - **Prompt for credentials** + An operation that requires elevation of privilege prompts the user to type an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + ### Best practices + 1. Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. 
This setting requires the user to log on with an administrative account to run programs that require elevation of privilege. 2. As a security best practice, standard users should not have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, set **Prompt for credentials** so that the users do not choose to always log on with their administrator accounts, and they shift their behavior to use the standard user account. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Prompt for credentials on the secure desktop

DC Effective Default Settings

Prompt for credentials on the secure desktop

Member Server Effective Default Settings

Prompt for credentials on the secure desktop

Client Computer Effective Default Settings

Prompt for credentials on the secure desktop

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Prompt for credentials on the secure desktop| +| DC Effective Default Settings | Prompt for credentials on the secure desktop| +| Member Server Effective Default Settings | Prompt for credentials on the secure desktop| +| Client Computer Effective Default Settings | Prompt for credentials on the secure desktop|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + One of the risks that the UAC feature tries to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations, and it requires that the user supply administrative credentials for the program to run. + ### Countermeasure + Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to log on with an administrative account to run programs that require elevation of privilege. 
As a security best practice, standard users should not have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, we recommend setting **Prompt for credentials** so that the users do not choose to always log on with their administrator accounts, and they shift their behavior to use the standard user account. + ### Potential impact + Users must provide administrative passwords to run programs with elevated privileges. This could cause an increased load on IT staff while the programs that are affected are identified and standard operating procedures are modified to support least privilege operations. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md index 067ec3619c..0c372cd6ee 100644 --- a/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md +++ b/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md 
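Review bot: In the Best practices and Countermeasure sections of the `@@ -2,86 +2,88 @@` hunk for user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md, `Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**` is missing the noun; add `setting` after the bold policy name, as the other topics in this change do (`Enable the **...** setting`). The Best practices list and the Countermeasure paragraph also repeat the same two recommendations almost word for word; consider keeping the reasoning in one place and cross-referencing from the other.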
@@ -2,83 +2,81 @@ title: User Account Control Detect application installations and prompt for elevation (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Detect application installations and prompt for elevation security policy setting. ms.assetid: 3f8cb170-ba77-4c9f-abb3-c3ed1ef264fc -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Detect application installations and prompt for elevation + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Detect application installations and prompt for elevation** security policy setting. + ## Reference + This policy setting determines the behavior of application installation detection for the entire system. Some software might attempt to install itself after being given permission to run. The user may give permission for the program to run because the program is trusted. Then the user is prompted to install an unknown component. This security policy provides another way to identify and stop these attempted software installations before they can do damage. + ### Possible values + - **Enabled** + Application installation packages that require an elevation of privilege to install are detected and the user is prompted for administrative credentials. + - **Disabled** + Application installation packages that require an elevation of privilege to install are not detected and the user is not prompted for administrative credentials. + ### Best practices + 1. Installer detection is unnecessary when enterprises run standard user desktops that capitalize on delegated installation technologies like Group Policy Software Install (GPSI) or Configuration Manager. Therefore you can set this security policy to **Disabled**. 2. 
Enable the **User Account Control: Detect application installations and prompt for elevation** setting so standard users must provide administrative credentials before software is installed. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Some malicious software might attempt to install itself after being given permission to run, for example, malicious software with a trusted application shell. The user may give permission for the program to run because the program is trusted. Then the user is prompted to install an unknown component. This policy provides another way to trap the software before it can do damage. + ### Countermeasure + Enable the **User Account Control: Detect application installations and prompt for elevation** setting. + ### Potential impact + Users must provide administrative passwords to install programs. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md index 8da09ab38e..e2e57dd1bd 100644 --- a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md 
@@ -1,9 +1,11 @@ --- title: User Account Control Group Policy and registry key settings (Windows 10) description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC. -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security +author: brianlic-msft --- # User Account Control Group Policy and registry key settings diff --git a/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md index 7c3f3ccfae..76edee3e01 100644 --- a/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md +++ b/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md 
@@ -2,87 +2,89 @@ title: User Account Control Only elevate executables that are signed and validated (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Only elevate executables that are signed and validated security policy setting. ms.assetid: 64950a95-6985-4db6-9905-1db18557352d -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Only elevate executables that are signed and validated + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate executables that are signed and validated** security policy setting. + ## Reference + This policy setting enforces public key infrastructure (PKI) signature checks on any interactive application that requests elevation of privilege. You can control the apps that are allowed to run through the population of certificates in the local computer's Trusted Publishers store. + A trusted publisher is a certificate issuer that the computer’s user has chosen to trust and that has certificate details that have been added to the store of trusted publishers. + Windows maintains certificates in certificate stores. These stores can be represented by containers in the file system or the registry, or they can be implemented as physical stores such as smart cards. Certificate stores are associated with the computer object or they are owned by a distinct user who has a security context and profile on that computer. In addition, services can have certificate stores. A certificate store will often contain numerous certificates, possibly issued from a number of different certification authorities (CAs). 
When certificate path discovery is initiated, Windows attempts to locate the issuing CA for the certificates, and it builds a certificate path to the trusted root certificate. Intermediate certificates are included as part of the application protocol or are picked up from Group Policy or through URLs that are specified in the Authority Information Access (AIA) extension. When the path is built, each certificate in the path is verified for validity with respect to various parameters, such as name, time, signature, revocation status, and other constraints. + ### Possible values + - **Enabled** + Enforces the PKI certificate chain validation of a given executable file before it is permitted to run. + - **Disabled** + Does not enforce PKI certificate chain validation before a given executable file is permitted to run. + ### Best practices + - Best practices are dependent on your security and performance goals. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Intellectual property, personally identifiable information, and other confidential data are normally manipulated by applications on the computer, and elevated credentials are required to access the information. Users and administrators inherently trust applications that are used with these information sources, and they provide their credentials. If one of these applications is replaced by a rogue application that appears identical to the trusted application, the confidential data could be compromised and the user's administrative credentials would also be compromised. + ### Countermeasure + Enable the **User Account Control: Only elevate executables that are signed and validated**. 
+ ### Potential impact + Enabling this setting requires that you have a PKI infrastructure and that your enterprise administrators have populated the Trusted Publishers store with the certificates for the allowed applications. Some older applications are not signed, and they cannot be used in an environment that is hardened with this setting. You should carefully test your applications in a preproduction environment before implementing this setting. Control over the applications that are installed on the desktops and the hardware that joins your domain should provide similar protection from the vulnerability that is addressed by this setting. Additionally, the level of protection that is provided by this setting is not an assurance that all rogue applications will be found. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md index b79b29a94b..be21f041f5 100644 --- a/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md +++ b/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md 
@@ -2,103 +2,111 @@ title: User Account Control Only elevate UIAccess applications that are installed in secure locations (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Only elevate UIAccess applications that are installed in secure locations security policy setting. ms.assetid: 4333409e-a5be-4f2f-8808-618f53abd22c -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Only elevate UIAccess applications that are installed in secure locations + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate UIAccess applications that are installed in secure locations** security policy setting. + ## Reference + This policy setting enforces the requirement that apps that request running with a UIAccess integrity level (by means of a marking of UIAccess=true in their app manifest), must reside in a secure location on the file system. Relatively secure locations are limited to the following directories: + - \\Program Files\\ including subdirectories - \\Windows\\system32\\ - \\Program Files (x86)\\ including subdirectories for 64-bit versions of Windows -**Note**   -Windows enforces a PKI signature check on any interactive application that requests running with a UIAccess integrity level, regardless of the state of this security setting. + +>**Note:**  Windows enforces a PKI signature check on any interactive application that requests running with a UIAccess integrity level, regardless of the state of this security setting.   **Background** + User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. 
Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI does not interfere with or change the behavior of messages between applications at the same privilege (or integrity) level. + Microsoft UI Automation is the current model to support accessibility requirements in the Windows operating systems. Applications that are designed to support an accessible user experience control the behavior of other Windows applications on behalf of the user. When all applications on the automation client computer and server are running as a standard user (that is, at a medium integrity level), the UIPI restrictions do not interfere with the Microsoft UI automation model. + However, there might be times when an administrative user runs an application with elevated privilege based on UAC in Admin Approval Mode. Microsoft UI Automation cannot drive the UI graphics of elevated applications on the desktop without the ability to bypass the restrictions that UIPI implements. The ability to bypass UIPI restrictions across privilege levels is available for UI automation programs by using UIAccess. + If an application presents a UIAccess attribute when it requests privileges, the application is stating a requirement to bypass UIPI restrictions for sending messages across privilege levels. Devices implement the following policy checks before starting an application with UIAccess privilege. + 1. The application must have a digital signature that can be verified by using a digital certificate that is associated with the Trusted Root Certification Authorities store on the local device 2. The application must be installed in a local folder that is writeable only by administrators, such as the Program Files directory. The allowed directories for UI automation applications are: + 1. %ProgramFiles% and its subdirectories. 2. %WinDir% and its subdirectories, except a few subdirectories that are excluded because standard users have write access. 
+ ### Possible values + - **Enabled** + An application can start with UIAccess integrity only if it resides in a secure location in the file system. + - **Disabled** + An application can start with UIAccess integrity even if it does not reside in a secure location in the file system. + ### Best practices + - Set this policy to **Enabled** to permit applications that are located in one of the designated secure directories to run with UIAccess integrity. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they aresaved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + UIAccess integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. When this setting is enabled, an application that has the UIAccess flag set to true in its manifest can interchange information with applications that are running at a higher privilege level, such as logon prompts and privilege elevation prompts. This ability is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms, but it is not required by most applications. A process that is started with UIAccess rights has the following abilities: + - Set the foreground window. - Drive any application window by using the SendInput function. 
- Use read input for all integrity levels by using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. - Set journal hooks. - Use AttachThreadInput to attach a thread to a higher integrity input queue. + ### Countermeasure + Enable the **User Account Control: Only elevate UIAccess applications that are installed in secure locations** setting. + ### Potential impact + If the application that requests UIAccess meets the UIAccess setting requirements, computers running at least the Windows Vista operating system start the application with the ability to bypass most of the UIPI restrictions. If the application does not meet the security restrictions, the application is started without UIAccess rights, and it can interact only with applications at the same or lower privilege level. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-overview.md b/windows/keep-secure/user-account-control-overview.md index f2eb1a4824..32edfe0160 100644 --- a/windows/keep-secure/user-account-control-overview.md +++ b/windows/keep-secure/user-account-control-overview.md 
@@ -2,24 +2,35 @@ title: User Account Control (Windows 10) description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. ms.assetid: 43ac4926-076f-4df2-84af-471ee7d20c38 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: operate ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control + **Applies to** - Windows 10 - Windows Server 2016 Technical Preview + User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. + UAC allows all users to log on to their computers using a standard user account. Processes launched using a standard user token may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using Windows Explorer (for example, by double-clicking a shortcut) also run with the standard set of user permissions. Many apps, including those that are included with the operating system itself, are designed to work properly in this way. + Other apps, especially those that were not specifically designed with security settings in mind, often require additional permissions to run successfully. These types of apps are referred to as legacy apps. Additionally, actions such as installing new software and making configuration changes to the Windows Firewall, require more permissions than what is available to a standard user account. + When an app needs to run with more than standard user rights, UAC can restore additional user groups to the token. 
This enables the user to have explicit control of apps that are making system level changes to their computer or device. + ## Practical applications + Admin Approval Mode in UAC helps prevent malware from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process. + ## New and changed functionality + To find out what's new in UAC for Windows 10, see [User Account Control](../whats-new/user-account-control.md). + ## In this section | Topic | Description | | - | - | diff --git a/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md index 0c53ba8b97..61664f5a6e 100644 --- a/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md +++ b/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md 
@@ -2,86 +2,85 @@ title: User Account Control Run all administrators in Admin Approval Mode (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Run all administrators in Admin Approval Mode security policy setting. ms.assetid: b838c561-7bfc-41ef-a7a5-55857259c7bf -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Run all administrators in Admin Approval Mode + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting. + ## Reference + This policy setting determines the behavior of all User Account Control (UAC) policies for the entire system. This is the setting that turns UAC on or off. + ### Possible values + - **Enabled** + Admin Approval Mode and all other UAC policies are dependent on this option being enabled. Changing this setting requires restarting the system. + - **Disabled** + Admin Approval Mode and all related UAC policies are disabled. - **Note**   - If this security setting is configured to **Disabled**, the Security Center notifies the user that the overall security of the operating system has been reduced. + + >**Note:**  If this security setting is configured to **Disabled**, the Security Center notifies the user that the overall security of the operating system has been reduced.   ### Best practices + - Enable this policy to allow all other UAC features and policies to function. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. 
- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + A restart of the computer is required before this policy will be effective when changes to this policy are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + This is the setting that turns UAC on or off. If this setting is disabled, UAC is not used, and any security benefits and risk mitigations that are dependent on UAC are not present on the computer. + ### Countermeasure + Enable the **User Account Control: Run all users, including administrators, as standard users** setting. + ### Potential impact + Users and administrators must learn to work with UAC prompts and adjust their work habits to use least privilege operations. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-security-policy-settings.md b/windows/keep-secure/user-account-control-security-policy-settings.md index d1a286bf5e..45bf5fb129 100644 
--- a/windows/keep-secure/user-account-control-security-policy-settings.md +++ b/windows/keep-secure/user-account-control-security-policy-settings.md 
@@ -2,66 +2,95 @@ title: User Account Control security policy settings (Windows 10) description: You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. ms.assetid: 3D75A9AC-69BB-4EF2-ACB3-1769791E1B98 -ms.pagetype: security -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control security policy settings + **Applies to** - Windows 10 + You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. + ## User Account Control: Admin Approval Mode for the Built-in Administrator account + This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. + - **Enabled** The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. - **Disabled** (Default) The built-in Administrator account runs all applications with full administrative privilege. + ## User Account Control: Allow UIAccess application to prompt for elevation without using the secure desktop + This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. + - **Enabled** UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. 
If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. - **Disabled** (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. + ## User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode + This policy setting controls the behavior of the elevation prompt for administrators. + - **Elevate without prompting** Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. - **Note**  Use this option only in the most constrained environments. + + >**Note:**  Use this option only in the most constrained environments.   - **Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. - **Prompt for consent on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - **Prompt for credentials** When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - **Prompt for consent** When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. 
- **Prompt for consent for non-Windows binaries** (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. + ## User Account Control: Behavior of the elevation prompt for standard users + This policy setting controls the behavior of the elevation prompt for standard users. + - **Prompt for credentials** (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - **Automatically deny elevation requests** When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. - **Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + ## User Account Control: Detect application installations and prompt for elevation + This policy setting controls the behavior of application installation detection for the computer. + - **Enabled** (Default) When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - - **Disabled** App installation packages are not detected and prompted for elevation. 
Enterprises that are running standard user desktops and use delegated installation technologies, such as Group Policy or System Center Configuration Manager should disable this policy setting. In this case, installer detection is unnecessary. + ## User Account Control: Only elevate executable files that are signed and validated + This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. + - **Enabled** Enforces the certificate certification path validation for a given executable file before it is permitted to run. - **Disabled** (Default) Does not enforce the certificate certification path validation before a given executable file is permitted to run. + ## User Account Control: Only elevate UIAccess applications that are installed in secure locations + This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - …\\Program Files\\, including subfolders - …\\Windows\\system32\\ - …\\Program Files (x86)\\, including subfolders for 64-bit versions of Windows -**Note**   -Windows enforces a digital signature check on any interactive app that requests to run with a UIAccess integrity level regardless of the state of this security setting. + +>**Note:**  Windows enforces a digital signature check on any interactive app that requests to run with a UIAccess integrity level regardless of the state of this security setting.   - **Enabled** (Default) If an app resides in a secure location in the file system, it runs only with UIAccess integrity. 
- **Disabled** An app runs with UIAccess integrity even if it does not reside in a secure location in the file system. + ## User Account Control: Turn on Admin Approval Mode + This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. + - **Enabled** (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. - **Disabled** Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. + ## User Account Control: Switch to the secure desktop when prompting for elevation + This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. + - **Enabled** (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. - **Disabled** All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. ## User Account Control: Virtualize file and registry write failures to per-user locations + This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software. + - **Enabled** (Default) App write failures are redirected at run time to defined user locations for both the file system and registry. 
- **Disabled** Apps that write data to protected locations fail. -  -  diff --git a/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md index 9475c83eba..85c36101a5 100644 --- a/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md +++ b/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md 
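Review bot: The inline "Note: If this policy setting is disabled, the Security Center notifies you..." in the Disabled bullet under "Turn on Admin Approval Mode" is left as plain text while every other note in this hunk was converted to the `>**Note:**` callout style; move it onto its own `>**Note:**` line after the bullet for consistency. The "## User Account Control: Virtualize file and registry write failures to per-user locations" heading also appears to be the only `##` heading in this hunk that did not get a blank line added before it, unlike "Switch to the secure desktop" and the others.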
@@ -2,85 +2,88 @@ title: User Account Control Switch to the secure desktop when prompting for elevation (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Switch to the secure desktop when prompting for elevation security policy setting. ms.assetid: 77a067db-c70d-4b02-9861-027503311b8b -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Switch to the secure desktop when prompting for elevation + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Switch to the secure desktop when prompting for elevation** security policy setting. + ## Reference + This policy setting determines whether the elevation request prompts on the interactive user desktop or on the secure desktop. + The secure desktop presents the logon UI and restricts functionality and access to the system until the logon requirements are satisfied. + The secure desktop’s primary difference from the user desktop is that only trusted processes running as SYSTEM are allowed to run here (that is, nothing is running at the user’s privilege level). The path to get to the secure desktop from the user desktop must also be trusted through the entire chain. + ### Possible values + - **Enabled** + All elevation requests by default go to the secure desktop. + - **Disabled** + All elevation requests go to the interactive user desktop. + ### Best practices -- Enable the **User Account Control: Switch to the secure desktop when prompting for elevation setting**. The secure desktop helps protect against input and output spoofing by presenting the credentials dialog box in a protected section of memory that is accessible only by trusted system processes. 
+ +- Enable the **User Account Control: Switch to the secure desktop when prompting for elevation setting**. The secure desktop helps protect against input and output spoofing by presenting the credentials dialog box in a protected section of memory that is accessible only by trusted system +processes. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Elevation prompt dialog boxes can be spoofed, causing users to disclose their passwords to malicious software. Mouse cursors can be spoofed by hiding the real cursor and replacing it with an offset so the cursor is actually pointing to the **Allow** button. + ### Countermeasure + Enable the **User Account Control: Switch to the secure desktop when prompting for elevation setting**. The secure desktop helps protect against input and output spoofing by presenting the credentials dialog box in a protected section of memory that is accessible only by trusted system processes. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) 
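Review bot: In the re-added Best practices bullet the bold span still swallows the trailing word: `**User Account Control: Switch to the secure desktop when prompting for elevation setting**` should close before "setting" (`...for elevation** setting`), since "setting" is not part of the policy name; the Countermeasure paragraph later in this hunk has the same misplaced `**`. That bullet is also now hard-wrapped between "trusted system" and "processes"; keep the sentence on one line as the rest of the file does. Separately, the Group Policy subsection says "All auditing capabilities are integrated in Group Policy" for a policy that is not an auditing setting; "This policy setting can be configured..." would fit the topic better.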
diff --git a/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md index ffb892226b..8501495c6b 100644 --- a/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md +++ b/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md 
@@ -2,85 +2,86 @@ title: User Account Control Virtualize file and registry write failures to per-user locations (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Virtualize file and registry write failures to per-user locations security policy setting. ms.assetid: a7b47420-cc41-4b1c-b03e-f67a05221261 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Virtualize file and registry write failures to per-user locations + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Virtualize file and registry write failures to per-user locations** security policy setting. + ## Reference + This policy setting enables or disables the redirection of the write failures of earlier applications to defined locations in the registry and the file system. This feature mitigates applications that historically ran as administrator and wrote runtime application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKEY\_LOCAL\_MACHINE\\Software\\. + This feature can be disabled for applications on devices running at least Windows Vista because it is unnecessary. + ### Possible values + - **Enabled** + Setting this value facilitates the runtime redirection of application write failures to defined user locations for the file system and the registry. + - **Disabled** + Applications that write data to protected locations fail. + ### Best practices + 1. If you run applications that are not Windows Vista-compliant, enable this security policy to prevent the possibility that these older applications could write data to unsecure locations. 2. If you only run at least Windows Vista–compliant applications, this feature is unnecessary so you can disable this policy. 
+ ### Location + \\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value| +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Earlier applications might not write data to secure locations. + ### Countermeasure + Enable the **User Account Control: Virtualize file and registry write failures to per-user locations** setting. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-rights-assignment.md b/windows/keep-secure/user-rights-assignment.md index 3e96944b76..59979d3158 100644 --- a/windows/keep-secure/user-rights-assignment.md +++ b/windows/keep-secure/user-rights-assignment.md 
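Review bot: The Location line `\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options` carries a leading backslash that the sibling secure-desktop topic in this same patch does not; drop it so the path reads `Computer Configuration\\Windows Settings\\...` consistently across the UAC topics. The Best practices list also mixes "Windows Vista-compliant" (hyphen) in item 1 with "Windows Vista–compliant" (en dash) in item 2; pick one form.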
@@ -2,212 +2,75 @@ title: User Rights Assignment (Windows 10) description: Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows. ms.assetid: 99340252-60be-4c79-b0a5-56fbe1a9b0c5 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Rights Assignment + **Applies to** - Windows 10 + Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows. User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the **User Rights Assignment** item. -Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment**, or on the local device by using the Local Group Policy Editor (gpedit.msc). + +Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. 
You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under +**Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment**, or on the local device by using the Local Group Policy Editor (gpedit.msc). + For information about setting security policies, see [Configure security policy settings](how-to-configure-security-policy-settings.md). + The following table links to each security policy setting and provides the constant name for each. Setting descriptions contain reference information, best practices for configuring the policy setting, default values, differences between operating system versions, and considerations for policy management and security. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Group Policy SettingConstant Name

[Access Credential Manager as a trusted caller](access-credential-manager-as-a-trusted-caller.md)

SeTrustedCredManAccessPrivilege

[Access this computer from the network](access-this-computer-from-the-network.md)

SeNetworkLogonRight

[Act as part of the operating system](act-as-part-of-the-operating-system.md)

SeTcbPrivilege

[Add workstations to domain](add-workstations-to-domain.md)

SeMachineAccountPrivilege

[Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md)

SeIncreaseQuotaPrivilege

[Allow log on locally](allow-log-on-locally.md)

SeInteractiveLogonRight

[Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md)

SeRemoteInteractiveLogonRight

[Back up files and directories](back-up-files-and-directories.md)

SeBackupPrivilege

[Bypass traverse checking](bypass-traverse-checking.md)

SeChangeNotifyPrivilege

[Change the system time](change-the-system-time.md)

SeSystemtimePrivilege

[Change the time zone](change-the-time-zone.md)

SeTimeZonePrivilege

[Create a pagefile](create-a-pagefile.md)

SeCreatePagefilePrivilege

[Create a token object](create-a-token-object.md)

SeCreateTokenPrivilege

[Create global objects](create-global-objects.md)

SeCreateGlobalPrivilege

[Create permanent shared objects](create-permanent-shared-objects.md)

SeCreatePermanentPrivilege

[Create symbolic links](create-symbolic-links.md)

SeCreateSymbolicLinkPrivilege

[Debug programs](debug-programs.md)

SeDebugPrivilege

[Deny access to this computer from the network](deny-access-to-this-computer-from-the-network.md)

SeDenyNetworkLogonRight

[Deny log on as a batch job](deny-log-on-as-a-batch-job.md)

SeDenyBatchLogonRight

[Deny log on as a service](deny-log-on-as-a-service.md)

SeDenyServiceLogonRight

[Deny log on locally](deny-log-on-locally.md)

SeDenyInteractiveLogonRight

[Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)

SeDenyRemoteInteractiveLogonRight

[Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)

SeEnableDelegationPrivilege

[Force shutdown from a remote system](force-shutdown-from-a-remote-system.md)

SeRemoteShutdownPrivilege

[Generate security audits](generate-security-audits.md)

SeAuditPrivilege

[Impersonate a client after authentication](impersonate-a-client-after-authentication.md)

SeImpersonatePrivilege

[Increase a process working set](increase-a-process-working-set.md)

SeIncreaseWorkingSetPrivilege

[Increase scheduling priority](increase-scheduling-priority.md)

SeIncreaseBasePriorityPrivilege

[Load and unload device drivers](load-and-unload-device-drivers.md)

SeLoadDriverPrivilege

[Lock pages in memory](lock-pages-in-memory.md)

SeLockMemoryPrivilege

[Log on as a batch job](log-on-as-a-batch-job.md)

SeBatchLogonRight

[Log on as a service](log-on-as-a-service.md)

SeServiceLogonRight

[Manage auditing and security log](manage-auditing-and-security-log.md)

SeSecurityPrivilege

[Modify an object label](modify-an-object-label.md)

SeRelabelPrivilege

[Modify firmware environment values](modify-firmware-environment-values.md)

SeSystemEnvironmentPrivilege

[Perform volume maintenance tasks](perform-volume-maintenance-tasks.md)

SeManageVolumePrivilege

[Profile single process](profile-single-process.md)

SeProfileSingleProcessPrivilege

[Profile system performance](profile-system-performance.md)

SeSystemProfilePrivilege

[Remove computer from docking station](remove-computer-from-docking-station.md)

SeUndockPrivilege

[Replace a process level token](replace-a-process-level-token.md)

SeAssignPrimaryTokenPrivilege

[Restore files and directories](restore-files-and-directories.md)

SeRestorePrivilege

[Shut down the system](shut-down-the-system.md)

SeShutdownPrivilege

[Synchronize directory service data](synchronize-directory-service-data.md)

SeSyncAgentPrivilege

[Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md)

SeTakeOwnershipPrivilege

+ +| Group Policy Setting | Constant Name | +| - | - | +| [Access Credential Manager as a trusted caller](access-credential-manager-as-a-trusted-caller.md) | SeTrustedCredManAccessPrivilege| +| [Access this computer from the network](access-this-computer-from-the-network.md) | SeNetworkLogonRight| +| [Act as part of the operating system](act-as-part-of-the-operating-system.md) | SeTcbPrivilege| +| [Add workstations to domain](add-workstations-to-domain.md) | SeMachineAccountPrivilege| +| [Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md) | SeIncreaseQuotaPrivilege| +| [Allow log on locally](allow-log-on-locally.md) | SeInteractiveLogonRight| +| [Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md)| SeRemoteInteractiveLogonRight| +| [Back up files and directories](back-up-files-and-directories.md) | SeBackupPrivilege| +| [Bypass traverse checking](bypass-traverse-checking.md) | SeChangeNotifyPrivilege| +| [Change the system time](change-the-system-time.md) | SeSystemtimePrivilege| +| [Change the time zone](change-the-time-zone.md) | SeTimeZonePrivilege| +| [Create a pagefile](create-a-pagefile.md) | SeCreatePagefilePrivilege| +| [Create a token object](create-a-token-object.md) | SeCreateTokenPrivilege| +| [Create global objects](create-global-objects.md) | SeCreateGlobalPrivilege| +| [Create permanent shared objects](create-permanent-shared-objects.md) | SeCreatePermanentPrivilege| +| [Create symbolic links](create-symbolic-links.md) | SeCreateSymbolicLinkPrivilege| +| [Debug programs](debug-programs.md) | SeDebugPrivilege| +| [Deny access to this computer from the network](deny-access-to-this-computer-from-the-network.md)| SeDenyNetworkLogonRight | +| [Deny log on as a batch job](deny-log-on-as-a-batch-job.md) | SeDenyBatchLogonRight| +| [Deny log on as a service](deny-log-on-as-a-service.md) | SeDenyServiceLogonRight | +| [Deny log on locally](deny-log-on-locally.md) | SeDenyInteractiveLogonRight| 
+| [Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)| SeDenyRemoteInteractiveLogonRight| +| [Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)| SeEnableDelegationPrivilege| +| [Force shutdown from a remote system](force-shutdown-from-a-remote-system.md) | SeRemoteShutdownPrivilege| +| [Generate security audits](generate-security-audits.md) | SeAuditPrivilege| +| [Impersonate a client after authentication](impersonate-a-client-after-authentication.md)| SeImpersonatePrivilege| +| [Increase a process working set](increase-a-process-working-set.md) | SeIncreaseWorkingSetPrivilege| +| [Increase scheduling priority](increase-scheduling-priority.md) | SeIncreaseBasePriorityPrivilege| +| [Load and unload device drivers](load-and-unload-device-drivers.md) | SeLoadDriverPrivilege| +| [Lock pages in memory](lock-pages-in-memory.md) | SeLockMemoryPrivilege| +| [Log on as a batch job](log-on-as-a-batch-job.md) | SeBatchLogonRight| +| [Log on as a service](log-on-as-a-service.md) | SeServiceLogonRight| +| [Manage auditing and security log](manage-auditing-and-security-log.md)| SeSecurityPrivilege| +| [Modify an object label](modify-an-object-label.md) | SeRelabelPrivilege| +| [Modify firmware environment values](modify-firmware-environment-values.md)| SeSystemEnvironmentPrivilege| +| [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md) | SeManageVolumePrivilege| +| [Profile single process](profile-single-process.md) | SeProfileSingleProcessPrivilege| +| [Profile system performance](profile-system-performance.md) | SeSystemProfilePrivilege| +| [Remove computer from docking station](remove-computer-from-docking-station.md) | SeUndockPrivilege| +| [Replace a process level token](replace-a-process-level-token.md) | SeAssignPrimaryTokenPrivilege| +| [Restore files and directories](restore-files-and-directories.md) | SeRestorePrivilege | +| 
[Shut down the system](shut-down-the-system.md) | SeShutdownPrivilege| +| [Synchronize directory service data](synchronize-directory-service-data.md)| SeSyncAgentPrivilege| +| [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md) | SeTakeOwnershipPrivilege|   ## Related topics -[Security policy settings reference](security-policy-settings-reference.md) -  -  + +- [Security policy settings reference](security-policy-settings-reference.md) diff --git a/windows/keep-secure/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/keep-secure/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md index fe7a396637..a26cffe188 100644 --- a/windows/keep-secure/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md +++ b/windows/keep-secure/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md 
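Review bot: The description sentence "links to information about the User Rights Assignment security policy settings user rights that are available in Windows" (in the front matter and repeated as the first body line) reads as two phrases fused together; "links to information about the user rights that are available in Windows" would be clearer. Also, the rewrapped Location sentence now breaks right after "under", so `**Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment**` starts a new source line; it renders as one paragraph, but keeping the path on the same line (or putting it on its own line after a colon) is easier to read in the source and avoids a line beginning with `**`.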
@@ -2,71 +2,41 @@ title: Using advanced security auditing options to monitor dynamic access control objects (Windows 10) description: This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012. ms.assetid: 0d2c28ea-bdaf-47fd-bca2-a07dce5fed37 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Using advanced security auditing options to monitor dynamic access control objects + **Applies to** - Windows 10 + This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012. + These procedures can be deployed with the advanced security auditing capabilities described in [Deploy Security Auditing with Central Audit Policies (Demonstration Steps)](http://technet.microsoft.com/library/hh831542.aspx). + ## In this guide + Domain administrators can create and deploy expression-based security audit policies by using file classification information (resource attributes), user claims, and device claims to target specific users and resources to monitor potentially significant activities on one or more computers. These policies can be deployed centrally by using Group Policy, or directly on a computer, in a folder, or in individual files. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md)

This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. Central access policies are created on a domain controller and then applied to file servers through Group Policy management.

[Monitor the use of removable storage devices](monitor-the-use-of-removable-storage-devices.md)

This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects.

[Monitor resource attribute definitions](monitor-resource-attribute-definitions.md)

This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects.

[Monitor central access policy and rule definitions](monitor-central-access-policy-and-rule-definitions.md)

This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects.

[Monitor user and device claims during sign-in](monitor-user-and-device-claims-during-sign-in.md)

This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects.

[Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md)

This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects.

[Monitor the central access policies associated with files and folders](monitor-the-central-access-policies-associated-with-files-and-folders.md)

This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects.

[Monitor claim types](monitor-claim-types.md)

This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options.

+ +| Topic | Description | +| - | - | +| [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md) | This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. Central access policies are created on a domain controller and then applied to file servers through Group Policy management. | +| [Monitor the use of removable storage devices](monitor-the-use-of-removable-storage-devices.md) | This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects. | +| [Monitor resource attribute definitions](monitor-resource-attribute-definitions.md)| This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects.| +| [Monitor central access policy and rule definitions](monitor-central-access-policy-and-rule-definitions.md) | This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. | +| [Monitor user and device claims during sign-in](monitor-user-and-device-claims-during-sign-in.md)| This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects. 
| +| [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md)| This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects. | +| [Monitor the central access policies associated with files and folders](monitor-the-central-access-policies-associated-with-files-and-folders.md)| This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects. | +| [Monitor claim types](monitor-claim-types.md) | This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options.|   -**Important**   -This procedure can be configured on computers running any of the supported Windows operating systems. The other monitoring procedures can be configured only as part of a functioning dynamic access control deployment. +>**Important:**  This procedure can be configured on computers running any of the supported Windows operating systems. The other monitoring procedures can be configured only as part of a functioning dynamic access control deployment.   ## Related topics -[Security auditing](security-auditing-overview.md) -  -  + +- [Security auditing](security-auditing-overview.md) diff --git a/windows/keep-secure/using-event-viewer-with-applocker.md b/windows/keep-secure/using-event-viewer-with-applocker.md index 304915e207..1b1b80e64f 100644 --- a/windows/keep-secure/using-event-viewer-with-applocker.md +++ b/windows/keep-secure/using-event-viewer-with-applocker.md 
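Review bot: the converted callout at the end of the topic-table hunk above, `>**Important:**  This procedure can be configured on computers running any of the supported Windows operating systems. The other monitoring procedures can be configured only as part of a functioning dynamic access control deployment.`, now sits directly under a table of eight procedures, so `This procedure` has no clear referent. In the old layout it followed the `Monitor claim types` entry (still visible as context above the table), and that is the one procedure that does not need a working dynamic access control deployment. Name it explicitly while the line is being rewritten, for example `>**Important:**  The Monitor claim types procedure can be configured on computers running any of the supported Windows operating systems. The other monitoring procedures ...`, so a reader scanning the table for prerequisites does not apply the exemption to the wrong row.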
@@ -2,145 +2,61 @@ title: Using Event Viewer with AppLocker (Windows 10) description: This topic lists AppLocker events and describes how to use Event Viewer with AppLocker. ms.assetid: 109abb10-78b1-4c29-a576-e5a17dfeb916 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Using Event Viewer with AppLocker + **Applies to** - Windows 10 + This topic lists AppLocker events and describes how to use Event Viewer with AppLocker. + The AppLocker log contains information about applications that are affected by AppLocker rules. Each event in the log contains detailed info about: + - Which file is affected and the path of that file - Which packaged app is affected and the package identifier of the app - Whether the file or packaged app is allowed or blocked - The rule type (path, file hash, or publisher) - The rule name - The security identifier (SID) for the user or group identified in the rule + Review the entries in the Event Viewer to determine if any applications are not included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example: %SystemDrive%). + For info about what to look for in the AppLocker event logs, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). + **To review the AppLocker log in Event Viewer** + 1. Open Event Viewer. 2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, click **AppLocker**. + The following table contains information about the events that you can use to determine which apps are affected by AppLocker rules. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDLevelEvent messageDescription

8000

Error

Application Identity Policy conversion failed. Status <%1>

Indicates that the policy was not applied correctly to the computer. The status message is provided for troubleshooting purposes.

8001

Information

The AppLocker policy was applied successfully to this computer.

Indicates that the AppLocker policy was successfully applied to the computer.

8002

Information

<File name> was allowed to run.

Specifies that the .exe or .dll file is allowed by an AppLocker rule.

8003

Warning

<File name> was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Applied only when the Audit only enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the Enforce rules enforcement mode were enabled.

8004

Error

<File name> was not allowed to run.

Access to <file name> is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.

8005

Information

<File name> was allowed to run.

Specifies that the script or .msi file is allowed by an AppLocker rule.

8006

Warning

<File name> was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Applied only when the Audit only enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the Enforce rules enforcement mode were enabled.

8007

Error

<File name> was not allowed to run.

Access to <file name> is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.

8007

Error

AppLocker disabled on the SKU.

Added in Windows Server 2012 and Windows 8.

8020

Information

Packaged app allowed.

Added in Windows Server 2012 and Windows 8.

8021

Information

Packaged app audited.

Added in Windows Server 2012 and Windows 8.

8022

Information

Packaged app disabled.

Added in Windows Server 2012 and Windows 8.

8023

Information

Packaged app installation allowed.

Added in Windows Server 2012 and Windows 8.

8024

Information

Packaged app installation audited.

Added in Windows Server 2012 and Windows 8.

8025

Warning

Packaged app installation disabled.

Added in Windows Server 2012 and Windows 8.

8027

Warning

No Packaged app rule configured.

Added in Windows Server 2012 and Windows 8.

+ +| Event ID | Level | Event message | Description | +| - | - | - | - | +| 8000 | Error| Application Identity Policy conversion failed. Status *<%1> *| Indicates that the policy was not applied correctly to the computer. The status message is provided for troubleshooting purposes.| +| 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.| +| 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.| +| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only ** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules ** enforcement mode were enabled. | +| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name> * is restricted by the administrator. Applied only when the **Enforce rules ** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.| +| 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.| +| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only ** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules ** enforcement mode were enabled. | +| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name> * is restricted by the administrator. Applied only when the **Enforce rules ** enforcement mode is set either directly or indirectly through Group Policy inheritance. 
The script or .msi file cannot run.| +| 8007| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.| +| 8020| Information| Packaged app allowed.| Added in Windows Server 2012 and Windows 8.| +| 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.| +| 8022| Information| Packaged app disabled.| Added in Windows Server 2012 and Windows 8.| +| 8023 | Information| Packaged app installation allowed.| Added in Windows Server 2012 and Windows 8.| +| 8024 | Information| Packaged app installation audited.| Added in Windows Server 2012 and Windows 8.| +| 8025 | Warning| Packaged app installation disabled.| Added in Windows Server 2012 and Windows 8.| +| 8027 | Warning| No Packaged app rule configured.| Added in Windows Server 2012 and Windows 8.|   ## Related topics -[Tools to use with AppLocker](tools-to-use-with-applocker.md) + +- [Tools to use with AppLocker](tools-to-use-with-applocker.md)     diff --git a/windows/keep-secure/using-software-restriction-policies-and-applocker-policies.md b/windows/keep-secure/using-software-restriction-policies-and-applocker-policies.md index e07957331b..8a427064fb 100644 --- a/windows/keep-secure/using-software-restriction-policies-and-applocker-policies.md +++ b/windows/keep-secure/using-software-restriction-policies-and-applocker-policies.md 
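Review bot: in the using-event-viewer-with-applocker.md table hunk above, event ID 8007 is listed twice (`| 8007 | Error| *<File name> * was not allowed to run.| ...` and `| 8007| Error| AppLocker disabled on the SKU.| ...`). The old HTML table had the same duplicate, but this hunk rewrites every row, so it is the place to fix it: the "AppLocker disabled on the SKU" event is 8008 in the AppLocker EXE and DLL channel, and anyone building a detection or SIEM rule from this page would otherwise key the wrong ID for a security-relevant condition. Please confirm against a live AppLocker log and correct the second row. Separately, the new cells `*<%1> *`, `*<File name> *`, `**Audit only **` and `**Enforce rules **` put a space before the closing delimiter; CommonMark does not accept a whitespace-preceded closer, so the asterisks render literally, and a bare `<File name>` is parsed as a raw HTML tag and dropped by most renderers. Use `*\<File name\>*` (or backticks) and `**Audit only**` / `**Enforce rules**` instead.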
@@ -2,76 +2,60 @@ title: Use Software Restriction Policies and AppLocker policies (Windows 10) description: This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. ms.assetid: c3366be7-e632-4add-bd10-9df088f74c6d -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Use Software Restriction Policies and AppLocker policies + **Applies to** - Windows 10 + This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. + ## Understand the difference between SRP and AppLocker + You might want to deploy application control policies in Windows operating systems earlier than Windows Server 2008 R2 or Windows 7. You can use AppLocker policies only on the supported versions and editions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). However, you can use SRP on those supported editions of Windows plus Windows Server 2003 and Windows XP. To compare features and functions in SRP and AppLocker so that you can determine when to use each technology to meet your application control objectives, see [Determine your application control objectives](determine-your-application-control-objectives.md). + ## Use SRP and AppLocker in the same domain + SRP and AppLocker use Group Policy for domain management. However, when policies are generated by SRP and AppLocker exist in the same domain, and they are applied through Group Policy, AppLocker policies take precedence over policies generated by SRP on computers that are running an operating system that supports AppLocker. 
For info about how inheritance in Group Policy applies to AppLocker policies and policies generated by SRP, see [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md). -**Important**   -As a best practice, use separate Group Policy Objects to implement your SRP and AppLocker policies. To reduce troubleshooting issues, do not combine them in the same GPO. + +>**Important:**  As a best practice, use separate Group Policy Objects to implement your SRP and AppLocker policies. To reduce troubleshooting issues, do not combine them in the same GPO.   The following scenario provides an example of how each type of policy would affect a bank teller software app, where the app is deployed on different Windows desktop operating systems and managed by the Tellers GPO. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Operating systemTellers GPO with AppLocker policyTellers GPO with SRPTellers GPO with AppLocker policy and SRP

Windows 10, Windows 8.1, Windows 8,and Windows 7

AppLocker policies in the GPO are applied, and they supersede any local AppLocker policies.

Local AppLocker policies supersede policies generated by SRP that are applied through the GPO.

AppLocker policies in the GPO are applied, and they supersede the policies generated by SRP in the GPO and local AppLocker policies or policies generated by SRP.

Windows Vista

AppLocker policies are not applied.

Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP.AppLocker policies are not applied.

Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.

Windows XP

AppLocker policies are not applied.

Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies are not applied.

Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.

+ +| Operating system | Tellers GPO with AppLocker policy | Tellers GPO with SRP | Tellers GPO with AppLocker policy and SRP | +| - | - | - | - | +| Windows 10, Windows 8.1, Windows 8,and Windows 7 | AppLocker policies in the GPO are applied, and they supersede any local AppLocker policies.| Local AppLocker policies supersede policies generated by SRP that are applied through the GPO. | AppLocker policies in the GPO are applied, and they supersede the policies generated by SRP in the GPO and local AppLocker policies or policies generated by SRP.| +| Windows Vista| AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP.AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.| +| Windows XP| AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.|   -**Note**   -For info about supported versions and editions of the Windows operating system, see [Requirements to use AppLocker](requirements-to-use-applocker.md). +>**Note:**  For info about supported versions and editions of the Windows operating system, see [Requirements to use AppLocker](requirements-to-use-applocker.md).   ## Test and validate SRPs and AppLocker policies that are deployed in the same environment + Because SRPs and AppLocker policies function differently, they should not be implemented in the same GPO. This makes testing the result of the policy straightforward, which is critical to successfully controlling application usage in the organization. Configuring a testing and policy distribution system can help you understand the result of a policy. 
The effects of policies generated by SRP and AppLocker policies need to be tested separately and by using different tools. + ### Step 1: Test the effect of SRPs + You can use the Group Policy Management Console (GPMC) or the Resultant Set of Policy (RSoP) snap-in to determine the effect of applying SRPs by using GPOs. + ### Step 2: Test the effect of AppLocker policies + You can test AppLocker policies by using Windows PowerShell cmdlets. For info about investigating the result of a policy, see: + - [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md) - [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) + Another method to use when determining the result of a policy is to set the enforcement mode to **Audit only**. When the policy is deployed, events will be written to the AppLocker logs as if the policy was enforced. For info about using the **Audit only** mode, see: -[Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md) -[Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) + +- [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md) +- [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) + ## See also -[AppLocker deployment guide](applocker-policies-deployment-guide.md) -  -  + +- [AppLocker deployment guide](applocker-policies-deployment-guide.md) diff --git a/windows/keep-secure/verify-that-network-traffic-is-authenticated.md b/windows/keep-secure/verify-that-network-traffic-is-authenticated.md new file mode 100644 index 0000000000..44e4ba7803 --- /dev/null +++ b/windows/keep-secure/verify-that-network-traffic-is-authenticated.md 
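Review bot: in the using-software-restriction-policies-and-applocker-policies.md table hunk above, the rewritten rows carry two typos over from the HTML version that should be fixed while the lines are being touched: `Windows 8,and Windows 7` is missing the space after the comma, and the Windows Vista row's `Tellers GPO with SRP` cell runs two sentences together (`... local policies generated by SRP.AppLocker policies are not applied.`). The two last-column cells that end `AppLocker policies not applied.` also drop the verb used everywhere else (`are not applied`); making them consistent saves a reader from wondering whether the wording difference signals a behavioural difference. The precedence statement itself (GPO AppLocker policy supersedes both GPO SRP and local policy on AppLocker-capable systems) matches the prose above the table, so no change needed there.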
@@ -0,0 +1,65 @@ +--- +title: Verify That Network Traffic Is Authenticated (Windows 10) +description: Verify That Network Traffic Is Authenticated +ms.assetid: cc1fb973-aedf-4074-ad4a-7376b24f03d2 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Verify That Network Traffic Is Authenticated + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +After you have configured your domain isolation rule to request, rather than require, authentication, you must confirm that the network traffic sent by the devices on the network is being protected by IPsec authentication as expected. If you switch your rules to require authentication before all of the devices have received and applied the correct GPOs, or if there are any errors in your rules, then communications on the network can fail. By first setting the rules to request authentication, any network connections that fail authentication can continue in clear text while you diagnose and troubleshoot. + +In these procedures, you confirm that the rules you deployed are working correctly. Your next steps depend on which zone you are working on: + +- **Main domain isolation zone.** Before you convert your main domain isolation IPsec rule from request mode to require mode, you must make sure that the network traffic is protected according to your design. By configuring your rules to request and not require authentication at the beginning of operations, devices on the network can continue to communicate even when the main mode authentication or quick mode integrity and encryption rules are not working correctly. For example, if your encryption zone contains rules that require a certain encryption algorithm, but that algorithm is not included in a security method combination on the clients, then those clients cannot successfully negotiate a quick mode security association, and the server refuses to accept network traffic from the client. 
By first using request mode only, you have the opportunity to deploy your rules and then examine the network traffic to see if they are working as expected without risking a loss of communications. + +- **Boundary zone.** Confirming correct operation of IPsec is the last step if you are working on the boundary zone GPO. You do not convert the GPO to require mode at any time. + +- **Encryption zone.** Similar to the main isolation zone, after you confirm that the network traffic to zone members is properly authenticated and encrypted, you must convert your zone rules from request mode to require mode. + +>**Note:**  In addition to the steps shown in this procedure, you can also use network traffic capture tools such as Microsoft Network Monitor, which can be downloaded from . Network Monitor and similar tools allow you to capture, parse, and display the network packets received by the network adapter on your device. Current versions of these tools include full support for IPsec. They can identify encrypted network packets, but they cannot decrypt them. + +  + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +## To verify that network connections are authenticated by using the Windows Firewall with Advanced Security console + +1. Open the Windows Firewall with Advanced Security console. + +2. In the navigation pane, expand **Monitoring**, and then click **Connection Security Rules**. + + The details pane displays the rules currently in effect on the device. + +3. **To display the Rule Source column** + + 1. In the **Actions** pane, click **View**, and then click **Add/Remove Columns**. + + 2. In the **Available columns** list, select **Rule Source**, and then click **Add**. + + 3. Use the **Move up** and **Move down** buttons to rearrange the order. Click **OK** when you are finished. 
+ + It can take a few moments for the list to be refreshed with the newly added column. + +4. Examine the list for the rules from GPOs that you expect to be applied to this device. + + >**Note:**  If the rules do not appear in the list, then troubleshoot the GPO security group and the WMI filters that are applied to the GPO. Make sure that the local device is a member of the appropriate groups and meets the requirements of the WMI filters. +5. In the navigation pane, expand **Security Associations**, and then click **Main Mode**. + + The current list of main mode associations that have been negotiated with other devices appears in the details column. + +6. Examine the list of main mode security associations for sessions between the local device and the remote device. Make sure that the **1st Authentication Method** and **2nd Authentication Method** columns contain expected values. If your rules specify only a first authentication method, then the **2nd Authentication Method** column displays **No authentication**. If you double-click the row, then the **Properties** dialog box appears with additional details about the security association. + +7. In the navigation pane, click **Quick mode**. + +8. Examine the list of quick mode security associations for sessions between the local device and the remote device. Make sure that the **AH Integrity**, **ESP integrity**, and **ESP Confidentiality** columns contain expected values. diff --git a/windows/keep-secure/view-the-security-event-log.md b/windows/keep-secure/view-the-security-event-log.md index 3c67e1191b..388d32ddc8 100644 --- a/windows/keep-secure/view-the-security-event-log.md +++ b/windows/keep-secure/view-the-security-event-log.md 
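Review bot: in the new verify-that-network-traffic-is-authenticated.md file above, the note `you can also use network traffic capture tools such as Microsoft Network Monitor, which can be downloaded from .` has lost its link; restore the URL or drop the `which can be downloaded from` clause, since as written it ships with a dangling `from .`. Two smaller points: the note under step 4 (`>**Note:**  If the rules do not appear in the list, then troubleshoot the GPO security group and the WMI filters ...`) is followed immediately by `5. In the navigation pane ...` with no blank line, and an ordered item that does not start at 1 cannot interrupt a paragraph in CommonMark, so step 5 risks being folded into the quoted note; add a blank line. And step 6 tells the reader to check that the 1st and 2nd Authentication Method columns contain expected values but never says what an unexpected value looks like; one sentence such as a main mode SA negotiated with an authentication method the zone design does not permit would make the request-mode check actionable, since catching exactly that before switching to require mode is the reason this procedure exists.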
@@ -2,19 +2,22 @@ title: View the security event log (Windows 10) description: The security log records each event as defined by the audit policies you set on each object. ms.assetid: 20DD2ACD-241A-45C5-A92F-4BE0D9F198B9 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # View the security event log + **Applies to** - Windows 10 + The security log records each event as defined by the audit policies you set on each object. + **To view the security log** + 1. Open Event Viewer. 2. In the console tree, expand **Windows Logs**, and then click **Security**. The results pane lists individual security events. 3. If you want to see more details about a specific event, in the results pane, click the event. -  -  diff --git a/windows/keep-secure/vpn-profile-options.md b/windows/keep-secure/vpn-profile-options.md index 6f336cc6e6..77c548ec2a 100644 --- a/windows/keep-secure/vpn-profile-options.md +++ b/windows/keep-secure/vpn-profile-options.md @@ -2,10 +2,10 @@ title: VPN profile options (Windows 10) description: Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: networking +ms.pagetype: security, networking author: jdeckerMS --- diff --git a/windows/keep-secure/what-is-applocker.md b/windows/keep-secure/what-is-applocker.md index cfa573d478..c3b47e88d5 100644 --- a/windows/keep-secure/what-is-applocker.md +++ b/windows/keep-secure/what-is-applocker.md 
@@ -2,18 +2,24 @@ title: What Is AppLocker (Windows 10) description: This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. ms.assetid: 44a8a2bb-0f83-4f95-828e-1f364fb65869 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # What Is AppLocker? + **Applies to** - Windows 10 + This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. + AppLocker advances the app control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps. + Using AppLocker, you can: + - Control the following types of apps: executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.mst, .msi and .msp), and DLL files (.dll and .ocx), and packaged apps and packaged app installers (appx). - Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file. - Assign a rule to a security group or an individual user. 
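Review bot: in the what-is-applocker.md hunks above, the file-type bullet reads `..., and DLL files (.dll and .ocx), and packaged apps and packaged app installers (appx).`, which has two `and`s in a row and gives `appx` without the leading dot that every other extension in the list carries; and in the following `@@ -21,11 +27,17 @@` hunk the paragraph `AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of help desk calls that result from users running unapproved apps` ends without a period. Both are context lines here rather than changed lines, but the whole page is being normalized in this change and these are the only two visible defects left in it.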
@@ -21,11 +27,17 @@ Using AppLocker, you can: - Use audit-only mode to deploy the policy and understand its impact before enforcing it. - Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, all criteria in the existing policy are overwritten. - Streamline creating and managing AppLocker rules by using Windows PowerShell cmdlets. + AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of help desk calls that result from users running unapproved apps + For information about the application control scenarios that AppLocker addresses, see [AppLocker policy use scenarios](applocker-policy-use-scenarios.md). + ## What features are different between Software Restriction Policies and AppLocker? + **Feature differences** + The following table compares AppLocker to Software Restriction Policies. + @@ -99,6 +111,7 @@ The following table compares AppLocker to Software Restriction Policies.
  **Application control function differences** + The following table compares the application control functions of Software Restriction Policies (SRP) and AppLocker. @@ -167,6 +180,7 @@ The following table compares the application control functions of Software Restr
  ## Related topics -[AppLocker technical reference](applocker-technical-reference.md) + +- [AppLocker technical reference](applocker-technical-reference.md)     diff --git a/windows/keep-secure/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/keep-secure/which-editions-of-windows-support-advanced-audit-policy-configuration.md index 35a67350b8..4428ed173d 100644 --- a/windows/keep-secure/which-editions-of-windows-support-advanced-audit-policy-configuration.md +++ b/windows/keep-secure/which-editions-of-windows-support-advanced-audit-policy-configuration.md 
@@ -2,25 +2,30 @@ title: Which editions of Windows support advanced audit policy configuration (Windows 10) description: This reference topic for the IT professional describes which versions of the Windows operating systems support advanced security auditing policies. ms.assetid: 87c71cc5-522d-4771-ac78-34a2a0825f31 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Which editions of Windows support advanced audit policy configuration + **Applies to** - Windows 10 + This reference topic for the IT professional describes which versions of the Windows operating systems support advanced security auditing policies. + Versions of the Windows operating system that cannot join a domain do not have access to these features. There is no difference in security auditing support between 32-bit and 64-bit versions. + ## Are there any special considerations? + In addition, the following special considerations apply to the various tasks associated with advanced security auditing enhancements: + - **Creating an audit policy.** To create an advanced security auditing policy, you must use a computer running any supported version of Windows. You can use the Group Policy Management Console (GPMC) on a computer running a supported version of the Windows client operating system after installing the Remote Server Administration Tools. - **Applying audit policy settings.** If you are using Group Policy to apply the advanced audit policy settings and global object access settings, client computers must be running any supported version of the Windows server operating system or Windows client operating system. In addition, only computers running any of these supported operating systems can provide "reason for access" reporting data. 
- **Developing an audit policy model.** To plan advanced security audit settings and global object access settings, you must use the GPMC that targets a domain controller running a supported version of the Windows server operating system. -- **Distributing the audit policy.** After a Group Policy Object (GPO) that includes advanced security auditing settings is developed, it can be distributed by using domain controllers running any Windows Server operating system. However, if you cannot put client computers running a supported version of the Windows client operating system into a separate organizational unit (OU), you should use Windows Management Instrumentation (WMI) filtering to ensure that the advanced security auditing policy settings are applied only to client computers running a supported version of the Windows client operating system. -**Important**   -Using both the basic auditing policy settings under **Local Policies\\Audit Policy** and the advanced auditing policy settings under **Advanced Audit Policy Configuration** can cause unexpected results in audit reporting. Therefore, the two sets of audit policy settings should not be combined. If you use advanced audit policy configuration settings, you should enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.   -  -  -  +- **Distributing the audit policy.** After a Group Policy Object (GPO) that includes advanced security auditing settings is developed, it can be distributed by using domain controllers running any Windows Server operating system. 
+However, if you cannot put client computers running a supported version of the Windows client operating system into a separate organizational unit (OU), you should use Windows Management Instrumentation (WMI) filtering to ensure that the advanced security auditing policy settings are applied only to client computers running a supported version of the Windows client operating system. + +>**Important:**  Using both the basic auditing policy settings under **Local Policies\\Audit Policy** and the advanced auditing policy settings under **Advanced Audit Policy Configuration** can cause unexpected results in audit reporting. Therefore, the two sets of audit policy settings should not be combined. If you use advanced audit policy configuration settings, you should enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.   diff --git a/windows/keep-secure/why-a-pin-is-better-than-a-password.md b/windows/keep-secure/why-a-pin-is-better-than-a-password.md index 5afeb6f914..21d3ce97d3 100644 --- a/windows/keep-secure/why-a-pin-is-better-than-a-password.md +++ b/windows/keep-secure/why-a-pin-is-better-than-a-password.md @@ -3,7 +3,7 @@ title: Why a PIN is better than a password (Windows 10) description: Microsoft Passport in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password . ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212 keywords: pin, security, password -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/windows-10-enterprise-security-guides.md b/windows/keep-secure/windows-10-enterprise-security-guides.md index 510675e4ff..30f130d499 100644 
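Review bot: in the which-editions-of-windows-support-advanced-audit-policy-configuration.md hunk above, the `Distributing the audit policy` bullet that used to be one line is now two added lines, with `+However, if you cannot put client computers running a supported version ...` starting at column 0. That only renders inside the bullet as a lazy continuation, and the next edit that inserts a blank line between the two halves will silently turn the second half into a paragraph outside the list; keep the bullet on one line as before, or indent the continuation to the list item's content column. The converted `>**Important:**` callout about enabling `Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings` is the most useful line on the page and reads correctly. One pre-existing gap worth a follow-up: the description promises to say "which versions of the Windows operating systems support advanced security auditing policies", but the body only ever says "any supported version" and never lists them.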
--- a/windows/keep-secure/windows-10-enterprise-security-guides.md +++ b/windows/keep-secure/windows-10-enterprise-security-guides.md @@ -2,10 +2,10 @@ title: Enterprise security guides (Windows 10) description: Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. ms.assetid: 57134f84-bd4b-4b1d-b663-4a2d36f5a7f8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security +ms.pagetype: security, devices author: challum --- diff --git a/windows/keep-secure/windows-10-mobile-security-guide.md b/windows/keep-secure/windows-10-mobile-security-guide.md index 1008003440..16389caf95 100644 --- a/windows/keep-secure/windows-10-mobile-security-guide.md +++ b/windows/keep-secure/windows-10-mobile-security-guide.md @@ -3,10 +3,10 @@ title: Windows 10 Mobile security guide (Windows 10) description: This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security. ms.assetid: D51EF508-699E-4A68-A7CD-91D821A97205 keywords: data protection, encryption, malware resistance, smartphone, device, Windows Store -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security; mobile +ms.pagetype: security, mobile author: AMeeus --- diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md index 2c0402513c..bb757267bb 100644 --- a/windows/keep-secure/windows-10-security-guide.md +++ b/windows/keep-secure/windows-10-security-guide.md 
@@ -3,7 +3,7 @@ title: Windows 10 security overview (Windows 10) description: This guide provides a detailed description of the most important security improvements in the Windows 10 operating system, with links to more detailed articles about many of its security features. ms.assetid: 4561D80B-A914-403C-A17C-3BE6FC95B59B keywords: configure, feature, file encryption -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/windows-defender-advanced-threat-protection.md b/windows/keep-secure/windows-defender-advanced-threat-protection.md index 9567620fcb..bae239bf1c 100644 --- a/windows/keep-secure/windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Windows Defender Advanced Threat Protection - Windows Defender description: Windows Defender Advanced Threat Protection is an enterprise security service that helps detect and respond to possible cybersecurity threats related to advanced persistent threats. keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, endpoint behavioral sensor, cloud security, analytics, threat intelligence search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/windows-defender-in-windows-10.md b/windows/keep-secure/windows-defender-in-windows-10.md index 72d8554def..2dc00afede 100644 --- a/windows/keep-secure/windows-defender-in-windows-10.md +++ b/windows/keep-secure/windows-defender-in-windows-10.md 
@@ -2,7 +2,7 @@ title: Windows Defender in Windows 10 (Windows 10) description: This topic provides an overview of Windows Defender, including a list of system requirements and new features. ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md new file mode 100644 index 0000000000..23f9e3d1c0 --- /dev/null +++ b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md 
@@ -0,0 +1,666 @@ +--- +title: Windows Firewall with Advanced Security Administration with Windows PowerShell (Windows 10) +description: Windows Firewall with Advanced Security Administration with Windows PowerShell +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Windows Firewall with Advanced Security Administration with Windows PowerShell + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +The Windows Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Firewall with Advanced Security management. It is designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Firewall with Advanced Security management in Windows. + +You can use Windows PowerShell to manage your firewall and IPsec deployments. This object-oriented scripting environment will make it easier for you to manage policies and monitor network conditions than was possible in netsh. Windows PowerShell allows network settings to be self-discoverable through the syntax and parameters in each of the cmdlets. This guide demonstrates how common tasks were performed in netsh and how you can use Windows PowerShell to accomplish them. + +In future versions of Windows, Microsoft might remove the netsh functionality for Windows Firewall with Advanced Security. Microsoft recommends that you transition to Windows PowerShell if you currently use netsh to configure and manage Windows Firewall with Advanced Security. + +Windows PowerShell and netsh command references are at the following locations. 
+ +- [Netsh Commands for Windows Firewall with Advanced Security](http://technet.microsoft.com/library/cc771920) + +## Scope + +This guide does not teach you the fundamentals of Windows Firewall with Advanced Security, which can be found in [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md). It does not teach the fundamentals of Windows PowerShell, and it assumes that you are familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more info about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#additional-resources) section of this guide. + +## Audience and user requirements + +This guide is intended for IT pros, system administrators, and IT managers, and it assumes that you are familiar with Windows Firewall with Advanced Security, the Windows PowerShell language, and the basic concepts of Windows PowerShell. + +## In this topic + +| Section | Description | +| - | - | +| [Set profile global defaults](#set-profile-global-defaults) | Enable and control firewall behavior| +| [Deploy basic firewall rules](#deploy-basic-firewall-rules)| How to create, modify, and delete firewall rules| +| [Manage Remotely](#manage-remotely) | Remote management by using `-CimSession`| +| [Deploy basic IPsec rule settings](#deploy-basic-ipsec-rule-settings) | IPsec rules and associated parameters| +| [Deploy secure firewall rules with IPsec](#deploy-secure-firewall-rules-with-ipsec) | Domain and server isolation| +| [Additional resources](#additional-resources) | More information about Windows PowerShell| + +## Set profile global defaults + +Global defaults set the device behavior in a per-profile basis. Windows Firewall with Advanced Security supports Domain, Private, and Public profiles. 
+ +### Enable Windows Firewall + +Windows Firewall drops traffic that does not correspond to allowed unsolicited traffic, or traffic that is sent in response to a request by the device. If you find that the rules you create are not being enforced, you may need to enable Windows Firewall. Here is how to do this on a local domain device: + +**Netsh** + +``` syntax +netsh advfirewall set allprofiles state on +``` + +**Windows PowerShell** + +``` syntax +Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True +``` + +### Control firewall behavior + +The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Firewall with Advanced Security console. + +The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and allows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting. + +**Netsh** + +``` syntax +netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound +netsh advfirewall set allprofiles settings inboundusernotification enable +netsh advfirewall set allprofiles settings unicastresponsetomulticast enable +netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log +``` + +Windows PowerShell + +``` syntax +Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow –NotifyOnListen True -AllowUnicastResponseToMulticast True –LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log +``` + +## Deploy basic firewall rules + +This section provides scriptlet examples for creating, modifying, and deleting firewall rules. 
+ +### Create firewall rules + +Adding a firewall rule in Windows PowerShell looks a lot like it did in Netsh, but the parameters and values are specified differently. + +Here is an example of how to allow the Telnet application to listen on the network. This firewall rule is scoped to the local subnet by using a keyword instead of an IP address. Just like in Netsh, the rule is created on the local device, and it becomes effective immediately. + +**Netsh** + +``` syntax +netsh advfirewall firewall add rule name="Allow Inbound Telnet" dir=in program= %SystemRoot%\System32\tlntsvr.exe remoteip=localsubnet action=allow +``` + +Windows PowerShell + +``` syntax +New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow +``` + +The following scriptlet shows how to add a basic firewall rule that blocks outbound traffic from a specific application and local port to a Group Policy Object (GPO) in Active Directory. In Windows PowerShell, the policy store is specified as a parameter within the **New-NetFirewall** cmdlet. In Netsh, you must first specify the GPO that the commands in a Netsh session should modify. The commands you enter are run against the contents of the GPO, and this remains in effect until the Netsh session is ended or until another set store command is executed. + +Here, **domain.contoso.com** is the name of your Active Directory Domain Services (AD DS), and **gpo\_name** is the name of the GPO that you want to modify. Quotation marks are required if there are any spaces in the GPO name. 
+ +**Netsh** + +``` syntax +netsh advfirewall set store gpo=domain.contoso.com\gpo_name +netsh advfirewall firewall add rule name="Block Outbound Telnet" dir=out program=%SystemRoot%\System32\telnet.exe protocol=tcp localport=23 action=block +``` + +Windows PowerShell + +``` syntax +New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe –Protocol TCP –LocalPort 23 -Action Block –PolicyStore domain.contoso.com\gpo_name +``` + +### GPO Caching + +To reduce the burden on busy domain controllers, Windows PowerShell allows you to load a GPO to your local session, make all your changes in that session, and then save it back at all once. + +The following performs the same actions as the previous example (by adding a Telnet rule to a GPO), but we do so leveraging GPO caching in PowerShell. Changing the GPO by loading it onto your local session and using the *-GPOSession* parameter are not supported in Netsh + +Windows PowerShell + +``` syntax +$gpo = Open-NetGPO –PolicyStore domain.contoso.com\gpo_name +New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\telnet.exe –Protocol TCP –LocalPort 23 -Action Block –GPOSession $gpo +Save-NetGPO –GPOSession $gpo +``` + +Note that this does not batch your individual changes, it loads and saves the entire GPO at once. So if any other changes are made by other administrators, or in a different Windows PowerShell window, saving the GPO overwrites those changes. + +### Modify an existing firewall rule + +When a rule is created, Netsh and Windows PowerShell allow you to change rule properties and influence, but the rule maintains its unique identifier (in Windows PowerShell this is specified with the *-Name* parameter). + +For example, you could have a rule **Allow Web 80** that enables TCP port 80 for inbound unsolicited traffic. 
You can change the rule to match a different remote IP address of a Web server whose traffic will be allowed by specifying the human-readable, localized name of the rule. + +**Netsh** + +``` syntax +netsh advfirewall firewall set rule name="Allow Web 80" new remoteip=192.168.0.2 +``` + +Windows PowerShell + +``` syntax +Set-NetFirewallRule –DisplayName “Allow Web 80” -RemoteAddress 192.168.0.2 +``` + +Netsh requires you to provide the name of the rule for it to be changed and we do not have an alternate way of getting the firewall rule. In Windows PowerShell, you can query for the rule using its known properties. + +When you run `Get-NetFirewallRule`, you may notice that common conditions like addresses and ports do not appear. These conditions are represented in separate objects called Filters. As shown before, you can set all the conditions in New-NetFirewallRule and Set-NetFirewallRule. If you want to query for firewall rules based on these fields (ports, addresses, security, interfaces, services), you will need to get the filter objects themselves. + +You can change the remote endpoint of the **Allow Web 80** rule (as done previously) using filter objects. Using Windows PowerShell you query by port using the port filter, then assuming additional rules exist affecting the local port, you build with further queries until your desired rule is retrieved. + +In the following example, we assume the query returns a single firewall rule, which is then piped to the `Set-NetFirewallRule` cmdlet utilizing Windows PowerShell’s ability to pipeline inputs. + +Windows PowerShell + +``` syntax +Get-NetFirewallPortFilter | ?{$_.LocalPort -eq 80} | Get-NetFirewallRule | ?{ $_.Direction –eq “Inbound” -and $_.Action –eq “Allow”} | Set-NetFirewallRule -RemoteAddress 192.168.0.2 +``` + +You can also query for rules using the wildcard character. The following example returns an array of firewall rules associated with a particular program. 
The elements of the array can be modified in subsequent `Set-NetFirewallRule` cmdlets. + +Windows PowerShell + +``` syntax +Get-NetFirewallApplicationFilter -Program "*svchost*" | Get-NetFirewallRule +``` + +Multiple rules in a group can be simultaneously modified when the associated group name is specified in a Set command. You can add firewall rules to specified management groups in order to manage multiple rules that share the same influences. + +In the following example, we add both inbound and outbound Telnet firewall rules to the group **Telnet Management**. In Windows PowerShell, group membership is specified when the rules are first created so we re-create the previous example rules. Adding rules to a custom rule group is not possible in Netsh. + +Windows PowerShell + +``` syntax +New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow –Group “Telnet Management” +New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow –Group “Telnet Management” +``` + +If the group is not specified at rule creation time, the rule can be added to the rule group using dot notation in Windows PowerShell. You cannot specify the group using `Set-NetFirewallRule` since the command allows querying by rule group. + +Windows PowerShell + +``` syntax +$rule = Get-NetFirewallRule -DisplayName “Allow Inbound Telnet” +$rule.Group = “Telnet Management” +$rule | Set-NetFirewallRule +``` + +Using the `Set` command, if the rule group name is specified, the group membership is not modified but rather all rules of the group receive the same modifications indicated by the given parameters. + +The following scriptlet enables all rules in a predefined group containing remote management influencing firewall rules. 
+ +**Netsh** + +``` syntax +netsh advfirewall firewall set rule group="windows firewall remote management" new enable=yes +``` + +Windows PowerShell + +``` syntax +Set-NetFirewallRule -DisplayGroup “Windows Firewall Remote Management” –Enabled True +``` + +There is also a separate `Enable-NetFirewallRule` cmdlet for enabling rules by group or by other properties of the rule. + +Windows PowerShell + +``` syntax +Enable-NetFirewallRule -DisplayGroup “Windows Firewall Remote Management” -Verbose +``` + +### Delete a firewall rule + +Rule objects can be disabled so that they are no longer active. In Windows PowerShell, the **Disable-NetFirewallRule** cmdlet will leave the rule on the system, but put it in a disabled state so the rule no longer is applied and impacts traffic. A disabled firewall rule can be re-enabled by **Enable-NetFirewallRule**. This is different from the **Remove-NetFirewallRule**, which permanently removes the rule definition from the device. + +The following cmdlet deletes the specified existing firewall rule from the local policy store. + +**Netsh** + +``` syntax +netsh advfirewall firewall delete rule name=“Allow Web 80” +``` + +Windows PowerShell + +``` syntax +Remove-NetFirewallRule –DisplayName “Allow Web 80” +``` + +Like with other cmdlets, you can also query for rules to be removed. Here, all blocking firewall rules are deleted from the device. + +Windows PowerShell + +``` syntax +Remove-NetFirewallRule –Action Block +``` + +Note that it may be safer to query the rules with the **Get** command and save it in a variable, observe the rules to be affected, then pipe them to the **Remove** command, just as we did for the **Set** commands. The following example shows how you can view all the blocking firewall rules, and then delete the first four rules. 
+ +Windows PowerShell + +``` syntax +$x = Get-NetFirewallRule –Action Block +$x +$x[0-3] | Remove-NetFirewallRule +``` + +## Manage remotely + +Remote management using WinRM is enabled by default. The cmdlets that support the *CimSession* parameter use WinRM and can be managed remotely by default. + +The following example returns all firewall rules of the persistent store on a device named **RemoteDevice**. + +Windows PowerShell + +``` syntax +Get-NetFirewallRule –CimSession RemoteDevice +``` + +We can perform any modifications or view rules on remote devices by simply using the *–CimSession* parameter. Here we remove a specific firewall rule from a remote device. + +Windows PowerShell + +``` syntax +$RemoteSession = New-CimSession –ComputerName RemoteDevice +Remove-NetFirewallRule –DisplayName “AllowWeb80” –CimSession $RemoteSession -Confirm +``` + +## Deploy basic IPsec rule settings + +An Internet Protocol security (IPsec) policy consists of rules that determine IPsec behavior. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. + +Windows PowerShell can create powerful, complex IPsec policies like in Netsh and the Windows Firewall with Advanced Security console. However, because Windows PowerShell is object-based rather than string token-based, configuration in Windows PowerShell offers greater control and flexibility. + +In Netsh, the authentication and cryptographic sets were specified as a list of comma-separated tokens in a specific format. In Windows PowerShell, rather than using default settings, you first create your desired authentication or cryptographic proposal objects and bundle them into lists in your preferred order. Then, you create one or more IPsec rules that reference these sets. The benefit of this model is that programmatic access to the information in the rules is much easier. See the following sections for clarifying examples. 
+ +![object model for creating a single ipsec rule](images/createipsecrule.gif) + +### Create IPsec rules + +The following cmdlet creates basic IPsec transport mode rule in a Group Policy Object. An IPsec rule is simple to create; all that is required is the display name, and the remaining properties use default values. Inbound traffic is authenticated and integrity checked using the default quick mode and main mode settings. These default settings can be found in the console under Customize IPsec Defaults. + +**Netsh** + +``` syntax +netsh advfirewall set store gpo=domain.contoso.com\gpo_name +netsh advfirewall consec add rule name="Require Inbound Authentication" endpoint1=any endpoint2=any action=requireinrequestout +``` + +Windows PowerShell + +``` syntax +New-NetIPsecRule -DisplayName “Require Inbound Authentication” -PolicyStore domain.contoso.com\gpo_name +``` + +### Add custom authentication methods to an IPsec rule + +If you want to create a custom set of quick-mode proposals that includes both AH and ESP in an IPsec rule object, you create the associated objects separately and link their associations. For more information about authentication methods, see [Choosing the IPsec Protocol](http://technet.microsoft.com/library/cc757847(WS.10).aspx) . + +You can then use the newly created custom quick-mode policies when you create IPsec rules. The cryptography set object is linked to an IPsec rule object. + +![crypto set object](images/qmcryptoset.gif) + +In this example, we build on the previously created IPsec rule by specifying a custom quick-mode crypto set. The final IPsec rule requires outbound traffic to be authenticated by the specified cryptography method. 
+ +**Netsh** + +``` syntax +netsh advfirewall set store gpo=domain.contoso.com\gpo_name +netsh advfirewall consec add rule name="Require Outbound Authentication" endpoint1=any endpoint2=any action=requireinrequestout qmsecmethods=ah:sha1+esp:sha1-3des +``` + +Windows PowerShell + +``` syntax +$AHandESPQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH,ESP –AHHash SHA1 -ESPHash SHA1 -Encryption DES3 +$QMCryptoSet = New-NetIPsecQuickModeCryptoSet –DisplayName “ah:sha1+esp:sha1-des3” -Proposal $AHandESPQM –PolicyStore domain.contoso.com\gpo_name +New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request -QuickModeCryptoSet $QMCryptoSet.Name –PolicyStore domain.contoso.com\gpo_name +``` + +### IKEv2 IPsec transport rules + +A corporate network may need to secure communications with another agency. But, you discover the agency runs non-Windows operating systems and requires the use of the Internet Key Exchange Version 2 (IKEv2) standard. + +You can leverage IKEv2 capabilities in Windows Server 2012 by simply specifying IKEv2 as the key module in an IPsec rule. This can only be done using computer certificate authentication and cannot be used with phase 2 authentication. + +Windows PowerShell + +``` syntax +New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request –Phase1AuthSet MyCertAuthSet -KeyModule IKEv2 –RemoteAddress $nonWindowsGateway +``` + +For more info about IKEv2, including scenarios, see [Securing End-to-End IPsec Connections by Using IKEv2](securing-end-to-end-ipsec-connections-by-using-ikev2.md). + +### Copy an IPsec rule from one policy to another + +Firewall and IPsec rules with the same rule properties can be duplicated to simplify the task of re-creating them within different policy stores. + +To copy the previously created rule from one policy store to another, the associated objects must be also be copied separately. 
Note that there is no need to copy associated firewall filters. You can query rules to be copied in the same way as other cmdlets. + +Copying individual rules is a task that is not possible through the Netsh interface. Here is how you can accomplish it with Windows PowerShell. + +Windows PowerShell + +``` syntax +$Rule = Get-NetIPsecRule –DisplayName “Require Inbound Authentication” +$Rule | Copy-NetIPsecRule –NewPolicyStore domain.costoso.com\new_gpo_name +$Rule | Copy-NetPhase1AuthSet –NewPolicyStore domain.costoso.com\new_gpo_name +``` + +### Handling Windows PowerShell errors + +To handle errors in your Windows PowerShell scripts, you can use the *–ErrorAction* parameter. This is especially useful with the **Remove** cmdlets. If you want to remove a particular rule, you will notice that it fails if the rule is not found. When removing rules, if the rule isn’t already there, it is generally acceptable to ignore that error. In this case, you can do the following to suppress any “rule not found” errors during the remove operation. + +Windows PowerShell + +``` syntax +Remove-NetFirewallRule –DisplayName “Contoso Messenger 98” –ErrorAction SilentlyContinue +``` + +Note that the use of wildcards can also suppress errors, but they could potentially match rules that you did not intend to remove. This can be a useful shortcut, but should only be used if you know there aren’t any extra rules that will be accidentally deleted. So the following cmdlet will also remove the rule, suppressing any “not found” errors. + +Windows PowerShell + +``` syntax +Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” +``` + +When using wildcards, if you want to double-check the set of rules that is matched, you can use the *–WhatIf* parameter. 
+ +Windows PowerShell + +``` syntax +Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –WhatIf +``` + +If you only want to delete some of the matched rules, you can use the *–Confirm* parameter to get a rule-by-rule confirmation prompt. + +Windows PowerShell + +``` syntax +Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –Confirm +``` + +You can also just perform the whole operation, displaying the name of each rule as the operation is performed. + +Windows PowerShell + +``` syntax +Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –Verbose +``` + +### Monitor + +The following Windows PowerShell commands are useful in the update cycle of a deployment phase. + +To allow you to view all the IPsec rules in a particular store, you can use the following commands. In Netsh, this command does not show rules where profile=domain,public or profile=domain,private. It only shows rules that have the single entry domain that is included in the rule. The following command examples will show the IPsec rules in all profiles. + +**Netsh** + +``` syntax +netsh advfirewall consec show rule name=all +``` + +Windows PowerShell + +``` syntax +Show-NetIPsecRule –PolicyStore ActiveStore +``` + +You can monitor main mode security associations for information such as which peers are currently connected to the device and which protection suite is used to form the security associations. + +Use the following cmdlet to view existing main mode rules and their security associations: + +**Netsh** + +``` syntax +netsh advfirewall monitor show mmsa all +``` + +Windows PowerShell + +``` syntax +Get-NetIPsecMainModeSA +``` + +### Find the source GPO of a rule + +To view the properties of a particular rule or group of rules, you query for the rule. When a query returns fields that are specified as **NotConfigured**, you can to determine which policy store a rule originates from. 
+ +For objects that come from a GPO (the *–PolicyStoreSourceType* parameter is specified as **GroupPolicy** in the **Show** command), if *–TracePolicyStore* is passed, the name of the GPO is found and returned in the **PolicyStoreSource** field. + +Windows PowerShell + +``` syntax +Get-NetIPsecRule –DisplayName “Require Inbound Authentication” –TracePolicyStore +``` + +It is important to note that the revealed sources do not contain a domain name. + +### Deploy a basic domain isolation policy + +IPsec can be used to isolate domain members from non-domain members. Domain isolation uses IPsec authentication to require that the domain-joined devices positively establish the identities of the communicating devices to improve security of an organization. One or more features of IPsec can be used to secure traffic with an IPsec rule object. + +To implement domain isolation on your network, the devices in the domain receive IPsec rules that block unsolicited inbound network traffic that is not protected by IPsec. Here we create an IPsec rule that requires authentication by domain members. Through this, you can isolate domain-joined devices from devices that are not joined to a domain. In the following examples, Kerberos authentication is required for inbound traffic and requested for outbound traffic. 
+ +**Netsh** + +``` syntax +netsh advfirewall set store gpo=domain.contoso.com\domain_isolation +netsh advfirewall consec add rule name=“Basic Domain Isolation Policy” profile=domain endpoint1=”any” endpoint2=”any” action=requireinrequestout auth1=”computerkerb” +``` + +Windows PowerShell + +``` syntax +$kerbprop = New-NetIPsecAuthProposal –Machine –Kerberos +$Phase1AuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Kerberos Auth Phase1" -Proposal $kerbprop –PolicyStore domain.contoso.com\domain_isolation +New-NetIPsecRule –DisplayName “Basic Domain Isolation Policy” –Profile Domain –Phase1AuthSet $Phase1AuthSet.Name –InboundSecurity Require –OutboundSecurity Request –PolicyStore domain.contoso.com\domain_isolation +``` + +### Configure IPsec tunnel mode + +The following command creates an IPsec tunnel that routes traffic from a private network (192.168.0.0/16) through an interface on the local device (1.1.1.1) attached to a public network to a second device through its public interface (2.2.2.2) to another private network (192.157.0.0/16). All traffic through the tunnel is checked for integrity by using ESP/SHA1, and it is encrypted by using ESP/DES3. 
+ +**Netsh** + +``` syntax +netsh advfirewall consec add rule name="Tunnel from 192.168.0.0/16 to 192.157.0.0/16" mode=tunnel endpoint1=192.168.0.0/16 endpoint2=192.157.0.0/16 localtunnelendpoint=1.1.1.1 remotetunnelendpoint=2.2.2.2 action=requireinrequireout qmsecmethods=esp:sha1-3des +``` + +Windows PowerShell + +``` syntax +$QMProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption DES3 +$QMCryptoSet = New-NetIPsecQuickModeCryptoSet –DisplayName “esp:sha1-des3” -Proposal $QMProposal +New-NetIPSecRule -DisplayName “Tunnel from HQ to Dallas Branch” -Mode Tunnel -LocalAddress 192.168.0.0/16 -RemoteAddress 192.157.0.0/16 -LocalTunnelEndpoint 1.1.1.1 -RemoteTunnelEndpoint 2.2.2.2 -InboundSecurity Require -OutboundSecurity Require -QuickModeCryptoSet $QMCryptoSet.Name +``` + +## Deploy secure firewall rules with IPsec + +In situations where only secure traffic can be allowed through the Windows Firewall, a combination of manually configured firewall and IPsec rules are necessary. The firewall rules determine the level of security for allowed packets, and the underlying IPsec rules secure the traffic. The scenarios can be accomplished in Windows PowerShell and in Netsh, with many similarities in deployment. + +### Create a secure firewall rule (allow if secure) + +Configuring firewalls rule to allow connections if they are secure requires the corresponding traffic to be authenticated and integrity protected, and then optionally encrypted by IPsec. + +The following example creates a firewall rule that requires traffic to be authenticated. The command permits inbound Telnet network traffic only if the connection from the remote device is authenticated by using a separate IPsec rule. 
+ +**Netsh** + +``` syntax +netsh advfirewall firewall add rule name="Allow Authenticated Telnet" dir=in program=%SystemRoot%\System32\tlntsvr.exe security=authenticate action=allow +``` + +Windows PowerShell + +``` syntax +New-NetFirewallRule -DisplayName “Allow Authenticated Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -Authentication Required -Action Allow +``` + +The following command creates an IPsec rule that requires a first (computer) authentication and then attempts an optional second (user) authentication. Creating this rule secures and allows the traffic through the firewall rule requirements for the messenger program. + +**Netsh** + +``` syntax +netsh advfirewall consec add rule name="Authenticate Both Computer and User" endpoint1=any endpoint2=any action=requireinrequireout auth1=computerkerb,computerntlm auth2=userkerb,userntlm,anonymous +``` + +Windows PowerShell + +``` syntax +$mkerbauthprop = New-NetIPsecAuthProposal -Machine –Kerberos +$mntlmauthprop = New-NetIPsecAuthProposal -Machine -NTLM +$P1Auth = New-NetIPsecPhase1AuthSet -DisplayName “Machine Auth” –Proposal $mkerbauthprop,$mntlmauthprop +$ukerbauthprop = New-NetIPsecAuthProposal -User -Kerberos +$unentlmauthprop = New-NetIPsecAuthProposal -User -NTLM +$anonyauthprop = New-NetIPsecAuthProposal -Anonymous +$P2Auth = New-NetIPsecPhase2AuthSet -DisplayName “User Auth” -Proposal $ukerbauthprop,$unentlmauthprop,$anonyauthprop +New-NetIPSecRule -DisplayName “Authenticate Both Computer and User” -InboundSecurity Require -OutboundSecurity Require -Phase1AuthSet $P1Auth.Name –Phase2AuthSet $P2Auth.Name +``` + +### Isolate a server by requiring encryption and group membership + +To improve the security of the devices in an organization, you can deploy domain isolation in which domain-members are restricted. They require authentication when communicating among each other and reject non-authenticated inbound connections. 
To improve the security of servers with sensitive data, this data must be protected by allowing access only to a subset of devices within the enterprise domain. + +IPsec can provide this additional layer of protection by isolating the server. In server isolation, sensitive data access is restricted to users and devices with legitimate business need, and the data is additionally encrypted to prevent eavesdropping. + +### Create a firewall rule that requires group membership and encryption + +To deploy server isolation, we layer a firewall rule that restricts traffic to authorized users or devices on the IPsec rule that enforces authentication. + +The following firewall rule allows Telnet traffic from user accounts that are members of a custom group called “Authorized to Access Server.” This access can additionally be restricted based on the device, user, or both by specifying the restriction parameters. + +A Security Descriptor Definition Language (SDDL) string is created by extending a user or group’s security identifier (SID). For more information about finding a group’s SID, see: [Finding the SID for a group account](http://technet.microsoft.com/library/cc753463(WS.10).aspx#bkmk_FINDSID). + +Restricting access to a group allows administrations to extend strong authentication support through Windows Firewall/and or IPsec policies. + +The following example shows you how to create an SDDL string that represents security groups. 
+ +Windows PowerShell + +``` syntax +$user = new-object System.Security.Principal.NTAccount (“corp.contoso.com\Administrators”) +$SIDofSecureUserGroup = $user.Translate([System.Security.Principal.SecurityIdentifier]).Value +$secureUserGroup = "D:(A;;CC;;;$SIDofSecureUserGroup)" +``` + +By using the previous scriptlet, you can also get the SDDL string for a secure computer group as shown here: + +Windows PowerShell + +``` syntax +$secureMachineGroup = "D:(A;;CC;;;$SIDofSecureMachineGroup)" +``` + +For more information about how to create security groups or how to determine the SDDL string, see [Working with SIDs](http://technet.microsoft.com/library/ff730940.aspx). + +Telnet is an application that does not provide encryption. This application can send data, such as names and passwords, over the network. This data can be intercepted by malicious users. If an administrator would like to allow the use of Telnet, but protect the traffic, a firewall rule that requires IPsec encryption can be created. This is necessary so that the administrator can be certain that when this application is used, all of the traffic sent or received by this port is encrypted. If IPsec fails to authorize the connection, no traffic is allowed from this application. + +In this example, we allow only authenticated and encrypted inbound Telnet traffic from a specified secure user group through the creation of the following firewall rule. 
+ +**Netsh** + +``` syntax +netsh advfirewall set store gpo=domain.contoso.com\Server_Isolation +netsh advfirewall firewall add rule name=“Allow Encrypted Inbound Telnet to Group Members Only” program=%SystemRoot%\System32\tlntsvr.exe protocol=TCP dir=in action=allow localport=23 security=authenc rmtusrgrp ="D:(A;;CC;;; S-1-5-21-2329867823-2610410949-1491576313-1735)" +``` + +Windows PowerShell + +``` syntax +New-NetFirewallRule -DisplayName "Allow Encrypted Inbound Telnet to Group Members Only" -Program %SystemRoot%\System32\tlntsvr.exe -Protocol TCP -Direction Inbound -Action Allow -LocalPort 23 -Authentication Required -Encryption Required –RemoteUser $secureUserGroup –PolicyStore domain.contoso.com\Server_Isolation +``` + +### Endpoint security enforcement + +The previous example showed end to end security for a particular application. In situations where endpoint security is required for many applications, having a firewall rule per application can be cumbersome and difficult to manage. Authorization can override the per-rule basis and be done at the IPsec layer. + +In this example, we set the global IPsec setting to only allow transport mode traffic to come from an authorized user group with the following cmdlet. Consult the previous examples for working with security groups. + +Windows PowerShell + +``` syntax +Set-NetFirewallSetting -RemoteMachineTransportAuthorizationList $secureMachineGroup +``` + +### Create firewall rules that allow IPsec-protected network traffic (authenticated bypass) + +Authenticated bypass allows traffic from a specified trusted device or user to override firewall block rules. This is helpful when an administrator wants to use scanning servers to monitor and update devices without the need to use port-level exceptions. For more information, see [How to enable authenticated firewall bypass](http://technet.microsoft.com/library/cc753463(WS.10).aspx). + +In this example, we assume that a blocking firewall rule exists. 
This example permits any network traffic on any port from any IP address to override the block rule, if the traffic is authenticated as originating from a device or user account that is a member of the specified device or user security group. + +**Netsh** + +``` syntax +netsh advfirewall set store gpo=domain.contoso.com\domain_isolation +netsh advfirewall firewall add rule name="Inbound Secure Bypass Rule" dir=in security=authenticate action="bypass" rmtcomputergrp="D:(A;;CC;;;S-1-5-21-2329867823-2610410949-1491576313-1114)" rmtusrgrp="D:(A;;CC;;; S-1-5-21-2329867823-2610410949-1491576313-1735)" +``` + +Windows PowerShell + +``` syntax +New-NetFirewallRule –DisplayName “Inbound Secure Bypass Rule" –Direction Inbound –Authentication Required –OverrideBlockRules $true -RemoteMachine $secureMachineGroup –RemoteUser $secureUserGroup –PolicyStore domain.contoso.com\domain_isolation +``` + +## Additional resources + + +For more information about Windows PowerShell concepts, see the following topics. 
+ +- [Windows PowerShell Getting Started Guide](http://go.microsoft.com/fwlink/p/?linkid=113440) + +- [Windows PowerShell User Guide](http://go.microsoft.com/fwlink/p/?linkid=113441) + +- [Windows PowerShell About Help Topics](http://go.microsoft.com/fwlink/p/?linkid=113206) + +- [about\_Functions](http://go.microsoft.com/fwlink/p/?linkid=113231) + +- [about\_Functions\_Advanced](http://go.microsoft.com/fwlink/p/?linkid=144511) + +- [about\_Execution\_Policies](http://go.microsoft.com/fwlink/p/?linkid=135170) + +- [about\_Foreach](http://go.microsoft.com/fwlink/p/?linkid=113229) + +- [about\_Objects](http://go.microsoft.com/fwlink/p/?linkid=113241) + +- [about\_Properties](http://go.microsoft.com/fwlink/p/?linkid=113249) + +- [about\_While](http://go.microsoft.com/fwlink/p/?linkid=113275) + +- [about\_Scripts](http://go.microsoft.com/fwlink/p/?linkid=144310) + +- [about\_Signing](http://go.microsoft.com/fwlink/p/?linkid=113268) + +- [about\_Throw](http://go.microsoft.com/fwlink/p/?linkid=145153) + +- [about\_PSSessions](http://go.microsoft.com/fwlink/p/?linkid=135181) + +- [about\_Modules](http://go.microsoft.com/fwlink/p/?linkid=144311) + +- [about\_Command\_Precedence](http://go.microsoft.com/fwlink/p/?linkid=113214) + +  + +  + + + + + diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md b/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md new file mode 100644 index 0000000000..5dabaedf02 --- /dev/null +++ b/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md 
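Review bot: the Netsh examples in this hunk will not run as written, because the multi-word rule names are wrapped in typographic quotes that the command line does not treat as delimiters, so `netsh advfirewall consec add rule name=“Basic Domain Isolation Policy” profile=domain endpoint1=”any” endpoint2=”any” action=requireinrequestout auth1=”computerkerb”` is split at the spaces inside the name and rejected; the PowerShell tokenizer does accept curly quotes and en-dashes (`$kerbprop = New-NetIPsecAuthProposal –Machine –Kerberos`), but normalize every quote and dash in the fenced blocks to ASCII so both blocks paste cleanly into either shell. Same hunk: the two SDDL strings contain a space after the third semicolon (`rmtusrgrp ="D:(A;;CC;;; S-1-5-21-2329867823-2610410949-1491576313-1735)"`), which is not part of the ACE format, and that argument also has a space before `=`, which is likely to make netsh reject it; `$SIDofSecureMachineGroup` is interpolated into `$secureMachineGroup` without ever being assigned, so show the `NTAccount`/`Translate` step for the computer group too; "allows the traffic through the firewall rule requirements for the messenger program" should say Telnet, since the rule it refers to matches `tlntsvr.exe`; the endpoint-security paragraph speaks of an "authorized user group" while the cmdlet sets `-RemoteMachineTransportAuthorizationList` (the user-side parameter is `-RemoteUserTransportAuthorizationList`), so align prose and parameter; and the tunnel-mode example negotiates `esp:sha1-3des` / `-ESPHash SHA1 -Encryption DES3`, which should not be recommended for new tunnels, so prefer `AES256` with `SHA256` (both accepted by `New-NetIPsecQuickModeCryptoProposal` and by `qmsecmethods`) or state that the weak suite is shown for syntax only.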
@@ -0,0 +1,62 @@ +--- +title: Windows Firewall with Advanced Security Deployment Guide (Windows 10) +description: Windows Firewall with Advanced Security Deployment Guide +ms.assetid: 56b51b97-1c38-481e-bbda-540f1216ad56 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Windows Firewall with Advanced Security Deployment Guide + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +You can use the Windows Firewall with Advanced Security MMC snap-in with devices running at least Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network. + +You can use Windows Firewall to control access to the device from the network. You can create rules that allow or block network traffic in either direction based on your business requirements. You can also create IPsec connection security rules to help protect your data as it travels across the network from device to device. + +## About this guide + +This guide is intended for use by system administrators and system engineers. It provides detailed guidance for deploying a Windows Firewall with Advanced Security design that you or an infrastructure specialist or system architect in your organization has selected. + +Begin by reviewing the information in [Planning to Deploy Windows Firewall with Advanced Security](planning-to-deploy-windows-firewall-with-advanced-security.md). + +If you have not yet selected a design, we recommend that you wait to follow the instructions in this guide until after you have reviewed the design options in the [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) and selected the one most appropriate for your organization. 
+ +After you select your design and gather the required information about the zones (isolation, boundary, and encryption), operating systems to support, and other details, you can then use this guide to deploy your Windows Firewall with Advanced Security design in your production environment. This guide provides steps for deploying any of the following primary designs that are described in the Design Guide: + +- [Basic Firewall Policy Design](basic-firewall-policy-design.md) + +- [Domain Isolation Policy Design](domain-isolation-policy-design.md) + +- [Server Isolation Policy Design](server-isolation-policy-design.md) + +- [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md) + +Use the checklists in [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) to determine how best to use the instructions in this guide to deploy your particular design. + +>**Caution:**  We recommend that you use the techniques documented in this guide only for GPOs that must be deployed to the majority of the devices in your organization, and only when the OU hierarchy in your Active Directory domain does not match the deployment needs of these GPOs. These characteristics are typical of GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to which the GPO applies. + +In a large enterprise environment with hundreds or thousands of GPOs, using this technique with too many GPOs can result in user or device accounts that are members of an excessive number of groups; this can result in network connectivity problems if network protocol limits are exceeded. +  +## What this guide does not provide + +This guide does not provide: + +- Guidance for creating firewall rules for specific network applications. 
For this information, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) in the Windows Firewall with Advanced Security Design Guide. + +- Guidance for setting up Active Directory Domain Services (AD DS) to support Group Policy. + +- Guidance for setting up certification authorities (CAs) to create certificates for certificate-based authentication. + +## Overview of Windows Firewall with Advanced Security + +Windows Firewall with Advanced Security in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Firewall with Advanced Security also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot be authenticated as a trusted device cannot communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user. + +The Windows Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Firewall Control Panel program can protect a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. 
+ +For more information about Windows Firewall with Advanced Security, see [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md). diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md b/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md new file mode 100644 index 0000000000..acc229bd6a --- /dev/null +++ b/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md 
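Review bot: the "Applies to" block says Windows 10 and Windows Server 2016 Technical Preview, but the Overview paragraph at the end of the hunk still scopes the feature to "Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2" and the introduction says "at least Windows Vista or Windows Server 2008", so the page disagrees with itself about what it covers; either add the platforms in the Applies to block to the list or drop the version enumeration. The Caution warns against using "this technique" without naming it; since the consequence described is accounts becoming members of an excessive number of groups, say explicitly that it means filtering GPO application by security group membership, and name the limit if it is the Kerberos token size rather than leaving it as "network protocol limits". Minor wording: "a design that you or an infrastructure specialist or system architect in your organization has selected" reads more cleanly as "a design selected by you or by an infrastructure specialist or system architect in your organization".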
@@ -0,0 +1,99 @@ +--- +title: Windows Firewall with Advanced Security Design Guide (Windows 10) +description: Windows Firewall with Advanced Security Design Guide +ms.assetid: 5c631389-f232-4b95-9e48-ec02b8677d51 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Windows Firewall with Advanced Security Design Guide + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Windows Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Firewall with Advanced Security supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot authenticate cannot communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices. + +The interface for Windows Firewall with Advanced Security is much more capable and flexible than the consumer-friendly interface found in the Windows Firewall Control Panel. They both interact with the same underlying services, but provide different levels of control over those services. While the Windows Firewall Control Panel meets the needs for protecting a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. + +For more overview information about Windows Firewall with Advanced Security and see [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md). 
+ +## About this guide + +This guide provides recommendations to help you to choose or create a design for deploying Windows Firewall with Advanced Security in your enterprise environment. The guide describes some of the common goals for using Windows Firewall with Advanced Security, and then helps you map the goals that apply to your scenario to the designs that are presented in this guide. + +This guide is intended for the IT professional who has been assigned the task of deploying firewall and IPsec technologies on an organization's network to help meet the organization's security goals. + +Windows Firewall with Advanced Security should be part of a comprehensive security solution that implements a variety of security technologies, such as perimeter firewalls, intrusion detection systems, virtual private networking (VPN), IEEE 802.1X authentication for wireless and wired connections, and IPsec connection security rules. + +To successfully use this guide, you need a good understanding of both the capabilities provided by Windows Firewall with Advanced Security, and how to deliver configuration settings to your managed devices by using Group Policy in Active Directory. + +You can use the deployment goals to form one of these Windows Firewall with Advanced Security designs, or a custom design that combines elements from those presented here: + +- **Basic firewall policy design**. Restricts network traffic in and out of your devices to only that which is needed and authorized. + +- **Domain isolation policy design**. Prevents devices that are domain members from receiving unsolicited network traffic from devices that are not domain members. Additional "zones" can be established to support the special requirements of some devices, such as: + + - A "boundary zone" for devices that must be able to receive requests from non-isolated devices. + + - An "encryption zone" for devices that store sensitive data that must be protected during network transmission. 
+ +- **Server isolation policy design**. Restricts access to a server to only a limited group of authorized users and devices. Commonly configured as a zone in a domain isolation design, but can also be configured as a stand-alone design, providing many of the benefits of domain isolation to a small set of devices. + +- **Certificate-based isolation policy design**. This design is a complement to either of the previous two designs, and supports any of their capabilities. It uses cryptographic certificates that are deployed to clients and servers for authentication, instead of the Kerberos V5 authentication used by default in Active Directory. This enables devices that are not part of an Active Directory domain, such as devices running operating systems other than Windows, to participate in your isolation solution. + +In addition to descriptions and example for each design, you will find guidelines for gathering required data about your environment. You can then use these guidelines to plan and design your Windows Firewall with Advanced Security deployment. After you read this guide, and finish gathering, documenting, and mapping your organization's requirements, you have the information that you need to begin deploying Windows Firewall with Advanced Security using the guidance in the Windows Firewall with Advanced Security Deployment Guide. + +You can find the Windows Firewall with Advanced Security Deployment Guide at these locations: + +- (Web page) + +- (Downloadable Word document) + +## In this section + +| Topic | Description +| - | - | +| [Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) | Learn how to get started with the Windows Firewall with Advanced Security design process. 
| +| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) | Learn how to identify your Windows Firewall with Advanced Security deployment goals. | +| [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) | After you finish reviewing the existing Windows Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design. | +| [Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) | Learn how to use Windows Firewall with Advanced Security to improve the security of the computers connected to the network. | +| [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) | To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. | +| [Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) | After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. | +| [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) | You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). 
| + +## Terminology used in this guide + +The following table identifies and defines terms used throughout this guide. + +| Term | Definition | +| - | - | +| Active Directory domain | A group of devices and users managed by an administrator by using Active Directory Domain Services (AD DS). Devices in a domain share a common directory database and security policies. Multiple domains can co-exist in a "forest," with trust relationships that establish the forest as the security boundary. | +| Authentication | A process that enables the sender of a message to prove its identity to the receiver. For connection security in Windows, authentication is implemented by the IPsec protocol suite.| +| Boundary zone | A subset of the devices in an isolated domain that must be able to receive unsolicited and non-authenticated network traffic from devices that are not members of the isolated domain. Devices in the boundary zone request but do not require authentication. They use IPsec to communicate with other devices in the isolated domain.| +| Connection security rule | A rule in Windows Firewall with Advanced Security that contains a set of conditions and an action to be applied to network packets that match the conditions. The action can allow the packet, block the packet, or require the packet to be protected by IPsec. In previous versions of Windows, this was called an *IPsec rule*.| +| Certificate-based isolation | A way to add devices that cannot use Kerberos V5 authentication to an isolated domain, by using an alternate authentication technique. Every device in the isolated domain and the devices that cannot use Kerberos V5 are provided with a device certificate that can be used to authenticate with each other. 
Certificate-based isolation requires a way to create and distribute an appropriate certificate (if you choose not to purchase one from a commercial certificate provider).| +| Domain isolation | A technique for helping protect the devices in an organization by requiring that the devices authenticate each other's identity before exchanging information, and refusing connection requests from devices that cannot authenticate. Domain isolation takes advantage of Active Directory domain membership and the Kerberos V5 authentication protocol available to all members of the domain. Also see "Isolated domain" in this table.| +| Encryption zone | A subset of the devices in an isolated domain that process sensitive data. Devices that are part of the encryption zone have all network traffic encrypted to prevent viewing by non-authorized users. Devices that are part of the encryption zone also typically are subject to the access control restrictions of server isolation.| +| Firewall rule | A rule in Windows Firewall with Advanced Security that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.
By default, the firewall rules in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. | +| Internet Protocol security (IPsec) | A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).| +| IPsec policy | A collection of connection security rules that provide the required protection to network traffic entering and leaving the device. The protection includes authentication of both the sending and receiving device, integrity protection of the network traffic exchanged between them, and can include encryption.| +| Isolated domain | An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member devices by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones).
In this guide, the term *isolated domain* refers to the IPsec concept of a group of devices that can share authentication. The term *Active Directory domain* refers to the group of devices that share a security database by using Active Directory.| +| Server isolation | A technique for using group membership to restrict access to a server that is typically already a member of an isolated domain. The additional protection comes from using the authentication credentials of the requesting device to determine its group membership, and then only allowing access if the computer account (and optionally the user account) is a member of an authorized group.| +| Solicited network traffic | Network traffic that is sent in response to a request. By default, Windows Firewall with Advanced Security allows all solicited network traffic through.| +| Unsolicited network traffic | Network traffic that is not a response to an earlier request, and that the receiving device cannot necessarily anticipate. By default, Windows Firewall with Advanced Security blocks all unsolicited network traffic. | +| Zone | A zone is a logical grouping of devices that share common IPsec policies because of their communications requirements. For example, the boundary zone permits inbound connections from non-trusted devices. The encryption zone requires that all connections be encrypted.
This is not related to the term zone as used by Domain Name System (DNS). | + +**Next:** [Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) + +  + +  + + + + + diff --git a/windows/keep-secure/windows-firewall-with-advanced-security.md b/windows/keep-secure/windows-firewall-with-advanced-security.md new file mode 100644 index 0000000000..51c6967315 --- /dev/null +++ b/windows/keep-secure/windows-firewall-with-advanced-security.md 
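Review bot: the two bullets under "You can find the Windows Firewall with Advanced Security Deployment Guide at these locations:" are empty placeholders (`- (Web page)` and `- (Downloadable Word document)`) with no links; link the web page to `windows-firewall-with-advanced-security-deployment-guide.md`, which this same patch adds, and either link or drop the Word document bullet. Also in this hunk: "For more overview information about Windows Firewall with Advanced Security and see" has a stray "and"; "descriptions and example for each design" should be "examples"; the Firewall rule row of the terminology table enumerates "Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista" on a page whose Applies to is Windows 10 and Windows Server 2016, so update or remove the enumeration; and the Connection security rule row says the action "can allow the packet, block the packet, or require the packet to be protected by IPsec", which describes firewall rule actions, whereas a connection security rule's action is a request/require authentication setting, as the `action=requireinrequestout` and `-InboundSecurity Require -OutboundSecurity Request` examples elsewhere in this patch show; reword the definition to match.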
@@ -0,0 +1,42 @@ +--- +title: Windows Firewall with Advanced Security (Windows 10) +description: Windows Firewall with Advanced Security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Windows Firewall with Advanced Security + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This is an overview of the Windows Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. + +## Feature description + +Windows Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. Windows Firewall with Advanced Security also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Firewall with Advanced Security, so Windows Firewall is also an important part of your network’s isolation strategy. + +## Practical applications + + +To help address your organizational network security challenges, Windows Firewall with Advanced Security offers the following benefits: + +- **Reduces the risk of network security threats.**  Windows Firewall with Advanced Security reduces the attack surface of a device, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack. + +- **Safeguards sensitive data and intellectual property.**  With its integration with IPsec, Windows Firewall with Advanced Security provides a simple way to enforce authenticated, end-to-end network communications. 
It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. + +- **Extends the value of existing investments.**  Because Windows Firewall with Advanced Security is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall with Advanced Security is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). + +## In this section + +| Topic | Description +| - | - | +| [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md) | You can customize your Windows Firewall configuration to isolate the network access of Windows Store apps that run on devices. | +| [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2.md) | You can use IKEv2 to help secure your end-to-end IPSec connections. | +| [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) | Learn more about using Windows PowerShell to manage the Windows Firewall. | +| [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) | Learn how to create a design for deploying Windows Firewall with Advanced Security. | +| [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) | Learn how to deploy Windows Firewall with Advanced Security. | diff --git a/windows/keep-secure/windows-hello-in-enterprise.md b/windows/keep-secure/windows-hello-in-enterprise.md index 7b9bed5681..40a4efa80a 100644 --- a/windows/keep-secure/windows-hello-in-enterprise.md +++ b/windows/keep-secure/windows-hello-in-enterprise.md 
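Review bot: the Feature description sentence "Windows Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Firewall with Advanced Security, so Windows Firewall is also an important part of your network’s isolation strategy" draws a conclusion that does not follow from sharing a console; the isolation role comes from the IPsec connection security rules the console manages, so say that instead. In Practical applications, "Reducing the attack surface of a device increases manageability" is an unsupported claim; keep it to the reduced likelihood of a successful attack. The "In this section" table links "Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012" from a page whose Applies to is Windows 10 and Windows Server 2016 Technical Preview, so retitle the entry or confirm the target is the right topic. Finally, unlike the other two new files in this patch, the front matter here has no `ms.assetid`; add one if the site's metadata requires it.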
@@ -2,10 +2,11 @@ title: Windows Hello biometrics in the enterprise (Windows 10) description: Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc -keywords: ["Windows Hello", "enterprise biometrics"] -ms.prod: W10 +keywords: Windows Hello, enterprise biometrics +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/windows-installer-rules-in-applocker.md b/windows/keep-secure/windows-installer-rules-in-applocker.md index 05f9214263..65a86eddfc 100644 --- a/windows/keep-secure/windows-installer-rules-in-applocker.md +++ b/windows/keep-secure/windows-installer-rules-in-applocker.md @@ -2,59 +2,36 @@ title: Windows Installer rules in AppLocker (Windows 10) description: This topic describes the file formats and available default rules for the Windows Installer rule collection. ms.assetid: 3fecde5b-88b3-4040-81fa-a2d36d052ec9 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Windows Installer rules in AppLocker + **Applies to** - Windows 10 + This topic describes the file formats and available default rules for the Windows Installer rule collection. + AppLocker defines Windows Installer rules to include only the following file formats: + - .msi - .msp - .mst + The purpose of this collection is to allow you to control the installation of files on client computers and servers through Group Policy or the Local Security Policy snap-in. The following table lists the default rules that are available for the Windows Installer rule collection. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PurposeNameUserRule condition type

Allow members of the local Administrators group to run all Windows Installer files

(Default Rule) All Windows Installer files

BUILTIN\Administrators

Path: *

Allow all users to run Windows Installer files that are digitally signed

(Default Rule) All digitally signed Windows Installer files

Everyone

Publisher: * (all signed files)

Allow all users to run Windows Installer files that are located in the Windows Installer folder

(Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer

Everyone

Path: %windir%\Installer\*

+ +| Purpose | Name | User | Rule condition type | +| - | - | - | - | +| Allow members of the local Administrators group to run all Windows Installer files| (Default Rule) All Windows Installer files| BUILTIN\Administrators| Path: *| +| Allow all users to run Windows Installer files that are digitally signed | (Default Rule) All digitally signed Windows Installer files| Everyone| Publisher: * (all signed files)| +| Allow all users to run Windows Installer files that are located in the Windows Installer folder | (Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer| Everyone| Path: %windir%\Installer\*|   ## Related topics -[Understanding AppLocker default rules](understanding-applocker-default-rules.md) + +- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)     diff --git a/windows/keep-secure/working-with-applocker-policies.md b/windows/keep-secure/working-with-applocker-policies.md index af1edcf35e..219638880c 100644 --- a/windows/keep-secure/working-with-applocker-policies.md +++ b/windows/keep-secure/working-with-applocker-policies.md @@ -2,83 +2,35 @@ title: Working with AppLocker policies (Windows 10) description: This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. ms.assetid: 7062d2e0-9cbb-4cb8-aa8c-b24945c3771d -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Working with AppLocker policies + **Applies to** - Windows 10 + This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Configure the Application Identity service](configure-the-application-identity-service.md)

This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.

[Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)

This topic for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker.

[Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md)

This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.

[Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md)

This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.

[Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md)

This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.

[Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md)

This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing.

[Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md)

This topic for IT professionals describes how to import an AppLocker policy.

[Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md)

This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO).

[Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md)

This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).

[Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md)

This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.

[Merge AppLocker policies manually](merge-applocker-policies-manually.md)

This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO).

[Refresh an AppLocker policy](refresh-an-applocker-policy.md)

This topic for IT professionals describes the steps to force an update for an AppLocker policy.

[Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md)

This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.

-  -  -  + +| Topic | Description | +| - | - | +| [Configure the Application Identity service](configure-the-application-identity-service.md) | This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.| +| [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) | This topic for IT professionals describes how to set AppLocker policies to **Audit only ** within your IT environment by using AppLocker.| +| [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md) | This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.| +| [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md) | This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.| +| [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) | This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.| +| [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) | This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing.| +| [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md) | This topic for IT professionals describes how to import an AppLocker policy.| +| [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) | This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO).| +| [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md) | This topic for 
IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).| +| [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md) | This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.| +| [Merge AppLocker policies manually](merge-applocker-policies-manually.md) | This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO).| +| [Refresh an AppLocker policy](refresh-an-applocker-policy.md) | This topic for IT professionals describes the steps to force an update for an AppLocker policy.| +| [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md) | This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.| + diff --git a/windows/keep-secure/working-with-applocker-rules.md b/windows/keep-secure/working-with-applocker-rules.md index 9ee115544d..9c528133ef 100644 --- a/windows/keep-secure/working-with-applocker-rules.md +++ b/windows/keep-secure/working-with-applocker-rules.md 
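Review bot: in windows-installer-rules-in-applocker.md the HTML-to-markdown conversion leaves the non-breaking-space-only lines in place: one between the new default-rules table and "## Related topics", and two after the "- [Understanding AppLocker default rules]" item. The other topics converted in this change delete those lines (see the `@@ -341,5 +210,3 @@` hunk of working-with-applocker-rules.md); drop them here too so the files stay consistent and no stray whitespace lines are rendered.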
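Review bot: in working-with-applocker-policies.md the "Configure an AppLocker policy for audit only" row has `**Audit only **` with a space before the closing asterisks; that is not a valid emphasis closer in markdown, so the asterisks will render literally. Change it to `**Audit only**`, as the enforcement-mode table in working-with-applocker-rules.md already does.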
@@ -2,338 +2,207 @@ title: Working with AppLocker rules (Windows 10) description: This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. ms.assetid: 3966b35b-f2da-4371-8b5f-aec031db6bc9 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Working with AppLocker rules + **Applies to** - Windows 10 + This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)

This topic for IT professionals shows how to create an AppLocker rule with a file hash condition.

[Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)

This topic for IT professionals shows how to create an AppLocker rule with a path condition.

[Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)

This topic for IT professionals shows how to create an AppLocker rule with a publisher condition.

[Create AppLocker default rules](create-applocker-default-rules.md)

This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run.

[Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md)

This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule.

[Create a rule for packaged apps](create-a-rule-for-packaged-apps.md)

This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.

[Delete an AppLocker rule](delete-an-applocker-rule.md)

This topic for IT professionals describes the steps to delete an AppLocker rule.

[Edit AppLocker rules](edit-applocker-rules.md)

This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.

[Enable the DLL rule collection](enable-the-dll-rule-collection.md)

This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.

[Enforce AppLocker rules](enforce-applocker-rules.md)

This topic for IT professionals describes how to enforce application control rules by using AppLocker.

[Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md)

This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.

+ +| Topic | Description | +| - | - | +| [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a file hash condition.| +| [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a path condition.| +| [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a publisher condition.| +| [Create AppLocker default rules](create-applocker-default-rules.md) | This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run.| +| [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) | This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule.| +| [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) | This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.| +| [Delete an AppLocker rule](delete-an-applocker-rule.md) | This topic for IT professionals describes the steps to delete an AppLocker rule.| +| [Edit AppLocker rules](edit-applocker-rules.md) | This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.| +| [Enable the DLL rule collection](enable-the-dll-rule-collection.md) | This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.| +| [Enforce AppLocker rules](enforce-applocker-rules.md) | This topic for IT professionals describes how to enforce application control rules by using AppLocker.| +| [Run the Automatically Generate Rules 
wizard](run-the-automatically-generate-rules-wizard.md) | This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.|   The three AppLocker enforcement modes are described in the following table. The enforcement mode setting defined here can be overwritten by the setting derived from a linked Group Policy Object (GPO) with a higher precedence. - ---- - - - - - - - - - - - - - - - - - - - - -
Enforcement modeDescription

Not configured

This is the default setting which means that the rules defined here will be enforced unless a linked GPO with a higher precedence has a different value for this setting.

Enforce rules

Rules are enforced.

Audit only

Rules are audited but not enforced. When a user runs an app that is affected by an AppLocker rule, the app is allowed to run and the info about the app is added to the AppLocker event log. The Audit-only enforcement mode helps you determine which apps will be affected by the policy before the policy is enforced. When the AppLocker policy for a rule collection is set to Audit only, rules for that rule collection are not enforced

-  + +| Enforcement mode | Description | +| - | - | +| **Not configured** | This is the default setting which means that the rules defined here will be enforced unless a linked GPO with a higher precedence has a different value for this setting.| +| **Enforce rules** | Rules are enforced.| +| **Audit only** | Rules are audited but not enforced. When a user runs an app that is affected by an AppLocker rule, the app is allowed to run and the info about the app is added to the AppLocker event log. The Audit-only enforcement mode helps you determine which apps will be affected by the policy before the policy is enforced. When the AppLocker policy for a rule collection is set to **Audit only**, rules for that rule collection are not enforced| + When AppLocker policies from various GPOs are merged, the rules from all the GPOs are merged and the enforcement mode setting of the winning GPO is applied. ## Rule collections + The AppLocker console is organized into rule collections, which are executable files, scripts, Windows Installer files, packaged apps and packaged app installers, and DLL files. These collections give you an easy way to differentiate the rules for different types of apps. The following table lists the file formats that are included in each rule collection. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Rule collectionAssociated file formats

Executable files

.exe

-

.com

Scripts

.ps1

-

.bat

-

.cmd

-

.vbs

-

.js

Windows Installer files

.msi

-

.msp

-

.mst

Packaged apps and packaged app installers

.appx

DLL files

.dll

-

.ocx

+ +| Rule collection | Associated file formats | +| - | - | +| Executable files | .exe
.com| +| Scripts| .ps1
.bat
.cmd
.vbs
.js| +| Windows Installer files | .msi
.msp
.mst| +| Packaged apps and packaged app installers | .appx| +| DLL files | .dll
.ocx|   -**Important**   -If you use DLL rules, you need to create an allow rule for each DLL that is used by all of the allowed apps. +>**Important:**  If you use DLL rules, you need to create an allow rule for each DLL that is used by all of the allowed apps. + When DLL rules are used, AppLocker must check each DLL that an application loads. Therefore, users may experience a reduction in performance if DLL rules are used. + The DLL rule collection is not enabled by default. To learn how to enable the DLL rule collection, see [DLL rule collections](#bkmk-dllrulecollections).   ## Rule conditions + Rule conditions are criteria that help AppLocker identify the apps to which the rule applies. The three primary rule conditions are publisher, path, and file hash. + - [Publisher](#bkmk-publisher): Identifies an app based on its digital signature - [Path](#bkmk-path): Identifies an app by its location in the file system of the computer or on the network - [File hash](#bkmk-filehash): Represents the system computed cryptographic hash of the identified file + ### Publisher + This condition identifies an app based on its digital signature and extended attributes when available. The digital signature contains info about the company that created the app (the publisher). Executable files, dlls, Windows installers, packaged apps and packaged app installers also have extended attributes, which are obtained from the binary resource. In case of executable files, dlls and Windows installers, these attributes contain the name of the product that the file is a part of, the original name of the file as supplied by the publisher, and the version number of the file. In case of packaged apps and packaged app installers, these extended attributes contain the name and the version of the app package. 
-**Note**   -Rules created in the packaged apps and packaged app installers rule collection can only have publisher conditions since Windows does not support unsigned packaged apps and packaged app installers. + +>**Note:**  Rules created in the packaged apps and packaged app installers rule collection can only have publisher conditions since Windows does not support unsigned packaged apps and packaged app installers.   -**Note**   -Use a publisher rule condition when possible because they can survive app updates as well as a change in the location of files. +>**Note:**  Use a publisher rule condition when possible because they can survive app updates as well as a change in the location of files.   When you select a reference file for a publisher condition, the wizard creates a rule that specifies the publisher, product, file name, and version number. You can make the rule more generic by moving the slider up or by using a wildcard character (\*) in the product, file name, or version number fields. -**Note**   -To enter custom values for any of the fields of a publisher rule condition in the Create Rules Wizard, you must select the **Use custom values** check box. When this check box is selected, you cannot use the slider. + +>**Note:**  To enter custom values for any of the fields of a publisher rule condition in the Create Rules Wizard, you must select the **Use custom values** check box. When this check box is selected, you cannot use the slider.   The **File version** and **Package version** control whether a user can run a specific version, earlier versions, or later versions of the app. You can choose a version number and then configure the following options: + - **Exactly.** The rule applies only to this version of the app - **And above.** The rule applies to this version and all later versions. - **And below.** The rule applies to this version and all earlier versions. + The following table describes how a publisher condition is applied. 
- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionThe publisher condition allows or denies…

All signed files

All files that are signed by any publisher.

Publisher only

All files that are signed by the named publisher.

Publisher and product name

All files for the specified product that are signed by the named publisher.

Publisher and product name, and file name

Any version of the named file or package for the named product that are signed by the publisher.

Publisher, product name, file name, and file version

Exactly

-

The specified version of the named file or package for the named product that are signed by the publisher.

Publisher, product name, file name, and file version

And above

-

The specified version of the named file or package and any new releases for the product that are signed by the publisher.

Publisher, product name, file name, and file version

And below

-

The specified version of the named file or package and any earlier versions for the product that are signed by the publisher.

Custom

You can edit the Publisher, Product name, File name, Version Package name, and Package version fields to create a custom rule.

-  + + +| Option | The publisher condition allows or denies… | +| **All signed files** | All files that are signed by any publisher.| +| **Publisher only**| All files that are signed by the named publisher.| +| **Publisher and product name**| All files for the specified product that are signed by the named publisher.| +| **Publisher and product name, and file name**| Any version of the named file or package for the named product that are signed by the publisher.| +| **Publisher, product name, file name, and file version**| **Exactly**
The specified version of the named file or package for the named product that are signed by the publisher.| +| **Publisher, product name, file name, and file version**| **And above**
The specified version of the named file or package and any new releases for the product that are signed by the publisher.| +| **Publisher, product name, file name, and file version**| **And below**
The specified version of the named file or package and any earlier versions for the product that are signed by the publisher.| +| **Custom**| You can edit the **Publisher**, **Product name**, **File name**, **Version** **Package name**, and **Package version** fields to create a custom rule.| + ### Path + This rule condition identifies an application by its location in the file system of the computer or on the network. + AppLocker uses custom path variables for well-known paths, such as Program Files and Windows. + The following table details these path variables. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows directory or diskAppLocker path variableWindows environment variable

Windows

%WINDIR%

%SystemRoot%

System32

%SYSTEM32%

%SystemDirectory%

Windows installation directory

%OSDRIVE%

%SystemDrive%

Program Files

%PROGRAMFILES%

%ProgramFiles% and

-

%ProgramFiles(x86)%

Removable media (for example, a CD or DVD)

%REMOVABLE%

Removable storage device (for example, a USB flash drive)

%HOT%

+ +| Windows directory or disk | AppLocker path variable | Windows environment variable | +| - | - | - | +| Windows| %WINDIR%| %SystemRoot%| +| System32| %SYSTEM32%| %SystemDirectory%| +| Windows installation directory| %OSDRIVE%| %SystemDrive%| +| Program Files| %PROGRAMFILES%| %ProgramFiles% and %ProgramFiles(x86)% | +| Removable media (for example, a CD or DVD)| %REMOVABLE%| | +| Removable storage device (for example, a USB flash drive)| %HOT% | |   -**Important**   -Because a path rule condition can be configured to include a large number of folders and files, path conditions should be carefully planned. For example, if an allow rule with a path condition includes a folder location that non-administrators are allowed to write data into, a user can copy unapproved files into that location and run the files. For this reason, it is a best practice to not create path conditions for standard user writable locations, such as a user profile. +>**Important:**  Because a path rule condition can be configured to include a large number of folders and files, path conditions should be carefully planned. For example, if an allow rule with a path condition includes a folder location that non-administrators are allowed to write data into, a user can copy unapproved files into that location and run the files. For this reason, it is a best practice to not create path conditions for standard user writable locations, such as a user profile.   ### File hash + When you choose the file hash rule condition, the system computes a cryptographic hash of the identified file. The advantage of this rule condition is that because each file has a unique hash, a file hash rule condition applies to only one file. The disadvantage is that each time the file is updated (such as a security update or upgrade) the file's hash will change. As a result, you must manually update file hash rules. + ## AppLocker default rules + AppLocker allows you to generate default rules for each rule collection. 
+ Executable default rule types include: + - Allow members of the local **Administrators** group to run all apps. - Allow members of the **Everyone** group to run apps that are located in the Windows folder. - Allow members of the **Everyone** group to run apps that are located in the Program Files folder. + Script default rule types include: + - Allow members of the local **Administrators** group to run all scripts. - Allow members of the **Everyone** group to run scripts that are located in the Program Files folder. - Allow members of the **Everyone** group to run scripts that are located in the Windows folder. + Windows Installer default rule types include: + - Allow members of the local **Administrators** group to run all Windows Installer files. - Allow members of the **Everyone** group to run all digitally signed Windows Installer files. - Allow members of the **Everyone** group to run all Windows Installer files that are located in the Windows\\Installer folder. + DLL default rule types: + - Allow members of the local **Administrators** group to run all DLLs. - Allow members of the **Everyone** group to run DLLs that are located in the Program Files folder. - Allow members of the **Everyone** group to run DLLs that are located in the Windows folder. + Packaged apps default rule types: + - Allow members of the **Everyone** group to install and run all signed packaged apps and packaged app installers. + ## AppLocker rule behavior + If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For example, if you create an executable rule that allows .exe files in *%SystemDrive%\\FilePath* to run, only executable files located in that path are allowed to run. 
+ A rule can be configured to use allow or deny actions: + - **Allow.** You can specify which files are allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. - **Deny.** You can specify which files are *not* allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. -**Important**   -For a best practice, use allow actions with exceptions. You can use a combination of allow and deny actions but understand that deny actions override allow actions in all cases, and can be circumvented. + +>**Important:**  For a best practice, use allow actions with exceptions. You can use a combination of allow and deny actions but understand that deny actions override allow actions in all cases, and can be circumvented.   -**Important**   -If you join a computer running at least Windows Server 2012 or Windows 8 to a domain that already enforces AppLocker rules for executable files, users will not be able to run any packaged apps unless you also create rules for packaged apps. If you want to allow any packaged apps in your environment while continuing to control executable files, you should create the default rules for packaged apps and set the enforcement mode to Audit-only for the packaged apps rule collection. +>**Important:**  If you join a computer running at least Windows Server 2012 or Windows 8 to a domain that already enforces AppLocker rules for executable files, users will not be able to run any packaged apps unless you also create rules for packaged apps. If you want to allow any packaged apps in your environment while continuing to control executable files, you should create the default rules for packaged apps and set the enforcement mode to Audit-only for the packaged apps rule collection.   
## Rule exceptions + You can apply AppLocker rules to individual users or to a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. For example, the rule "Allow everyone to run Windows except Registry Editor" allows everyone in the organization to run the Windows operating system, but it does not allow anyone to run Registry Editor. + The effect of this rule would prevent users such as Help Desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Help Desk user group: "Allow Help Desk to run Registry Editor." If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Help Desk user group to run Registry Editor. + ## DLL rule collection + Because the DLL rule collection is not enabled by default, you must perform the following procedure before you can create and enforce DLL rules. + Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + **To enable the DLL rule collection** + 1. Click **Start**, type **secpol.msc**, and then press ENTER. 2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. 3. In the console tree, double-click **Application Control Policies**, right-click **AppLocker**, and then click **Properties**. 4. Click the **Advanced** tab, select the **Enable the DLL rule collection** check box, and then click **OK**. - **Important**   - Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps. 
+ + >**Important:**  Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps.   ## AppLocker wizards + You can create rules by using two AppLocker wizards: + 1. The Create Rules Wizard enables you to create one rule at a time. 2. The Automatically Generate Rules Wizard allows you to create multiple rules at one time. You can either select a folder and let the wizard create rules for the relevant files within that folder or in case of packaged apps let the wizard create rules for all packaged apps installed on the computer. You can also specify the user or group to which to apply the rules. This wizard automatically generates allow rules only. + ## Additional considerations + - By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. Administrators should maintain an up-to-date list of allowed applications. - There are two types of AppLocker conditions that do not persist following an update of an app: + - **A file hash condition** File hash rule conditions can be used with any app because a cryptographic hash value of the app is generated at the time the rule is created. However, the hash value is specific to that exact version of the app. If there are several versions of the application in use within the organization, you need to create file hash conditions for each version in use and for any new versions that are released. + - **A publisher condition with a specific product version set** If you create a publisher rule condition that uses the **Exactly** version option, the rule cannot persist if a new version of the app is installed. A new publisher condition must be created, or the version must be edited in the rule to be made less specific. + - If an app is not digitally signed, you cannot use a publisher rule condition for that app. 
- AppLocker rules cannot be used to manage computers running a Windows operating system earlier than Windows Server 2008 R2 or Windows 7. Software Restriction Policies must be used instead. If AppLocker rules are defined in a Group Policy Object (GPO), only those rules are applied. To ensure interoperability between Software Restriction Policies rules and AppLocker rules, define Software Restriction Policies rules and AppLocker rules in different GPOs. - The packaged apps and packaged apps installer rule collection is available on devices running at least Windows Server 2012 and Windows 8. @@ -341,5 +210,3 @@ You can create rules by using two AppLocker wizards: - When an AppLocker rule collection is set to **Audit only**, the rules are not enforced. When a user runs an application that is included in the rule, the app is opened and runs normally, and information about that app is added to the AppLocker event log. - A custom configured URL can be included in the message that is displayed when an app is blocked. - Expect an increase in the number of Help Desk calls initially because of blocked apps until users understand that they cannot run apps that are not allowed. -  -  diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md index 621ce3f5ca..9a7fe85b18 100644 --- a/windows/manage/TOC.md +++ b/windows/manage/TOC.md 
@@ -18,7 +18,7 @@ #### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) #### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) ### [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md) -### [Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md) +### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) ### [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) ### [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md) ### [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) diff --git a/windows/manage/acquire-apps-windows-store-for-business.md b/windows/manage/acquire-apps-windows-store-for-business.md index 8e22322f1c..5f68e8e296 100644 --- a/windows/manage/acquire-apps-windows-store-for-business.md +++ b/windows/manage/acquire-apps-windows-store-for-business.md @@ -1,9 +1,11 @@ --- title: Acquire apps in Windows Store for Business (Windows 10) description: As an admin, you can acquire apps from the Windows Store for Business for your employees. Some apps are free, and some have a price. For info on app types that are supported, see Apps in the Windows Store for Business. -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store +author: TrudyHa --- # Acquire apps in Windows Store for Business diff --git a/windows/manage/add-unsigned-app-to-code-integrity-policy.md b/windows/manage/add-unsigned-app-to-code-integrity-policy.md index 538034d0f2..d453da171a 100644 --- a/windows/manage/add-unsigned-app-to-code-integrity-policy.md 
+++ b/windows/manage/add-unsigned-app-to-code-integrity-policy.md @@ -2,9 +2,10 @@ title: Add unsigned app to code integrity policy (Windows 10) description: When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. ms.assetid: 580E18B1-2FFD-4EE4-8CC5-6F375BE224EA -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store, security author: TrudyHa --- diff --git a/windows/manage/administrative-tools-in-windows-10.md b/windows/manage/administrative-tools-in-windows-10.md index 5019f298d8..cc42197767 100644 --- a/windows/manage/administrative-tools-in-windows-10.md +++ b/windows/manage/administrative-tools-in-windows-10.md @@ -2,7 +2,7 @@ title: Administrative Tools in Windows 10 (Windows 10) description: Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. ms.assetid: FDC63933-C94C-43CB-8373-629795926DC8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/app-inventory-managemement-windows-store-for-business.md b/windows/manage/app-inventory-managemement-windows-store-for-business.md index 245d15cac1..d58572c900 100644 --- a/windows/manage/app-inventory-managemement-windows-store-for-business.md +++ b/windows/manage/app-inventory-managemement-windows-store-for-business.md @@ -2,9 +2,10 @@ title: App inventory management for Windows Store for Business (Windows 10) description: You can manage all apps that you've acquired on your Inventory page. ms.assetid: 44211937-801B-4B85-8810-9CA055CDB1B2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store author: TrudyHa --- diff --git a/windows/manage/application-development-for-windows-as-a-service.md b/windows/manage/application-development-for-windows-as-a-service.md index cffbdd7092..dedc91d3cd 100644 
--- a/windows/manage/application-development-for-windows-as-a-service.md +++ b/windows/manage/application-development-for-windows-as-a-service.md @@ -2,10 +2,10 @@ title: Application development for Windows as a service (Windows 10) description: In today’s environment, where user expectations frequently are set by device-centric experiences, complete product cycles need to be measured in months, not years. ms.assetid: 28E0D103-B0EE-4B14-8680-6F30BD373ACF -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security +ms.pagetype: security, servicing author: greg-lindsay --- diff --git a/windows/manage/apps-in-windows-store-for-business.md b/windows/manage/apps-in-windows-store-for-business.md index 30d0677d94..dec7d4ca5f 100644 --- a/windows/manage/apps-in-windows-store-for-business.md +++ b/windows/manage/apps-in-windows-store-for-business.md @@ -2,9 +2,10 @@ title: Apps in Windows Store for Business (Windows 10) description: Windows Store for Business has thousands of apps from many different categories. ms.assetid: CC5641DA-3CEA-4950-AD81-1AF1AE876926 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store author: TrudyHa --- diff --git a/windows/manage/assign-apps-to-employees.md b/windows/manage/assign-apps-to-employees.md index c6e8393f30..adf354a31f 100644 --- a/windows/manage/assign-apps-to-employees.md +++ b/windows/manage/assign-apps-to-employees.md @@ -2,9 +2,10 @@ title: Assign apps to employees (Windows 10) description: Administrators can assign online-licensed apps to employees in their organization. ms.assetid: A0DF4EC2-BE33-41E1-8832-DBB0EBECA31A -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store author: TrudyHa --- diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index df398cfd27..603af6fbde 100644 
--- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -2,7 +2,7 @@ title: Change history for Manage and update Windows 10 (Windows 10) description: This topic lists new and updated topics in the Manage and update Windows 10 documentation for Windows 10 and Windows 10 Mobile. ms.assetid: 29144AFA-1DA9-4532-B07D-1EBE34B7E1E0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS 
@@ -12,12 +12,18 @@ author: jdeckerMS This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## June 2016 + +| New or changed topic | Description | +| ---|---| +| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Updated the sample script for Shell Launcher. | + ## May 2016 | New or changed topic | Description | | ---|---| | [Group Policies that apply only to Windows 10 Enterprise and Education Editions](group-policies-for-enterprise-and-education-editions.md) | New | -| [Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md) | Added section on how to turn off Live Tiles | +| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added section on how to turn off Live Tiles | | [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | New telemetry content | | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) |Removed info about sharing wi-fi network access with contacts, since it's been deprecated. | | [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher | diff --git a/windows/manage/changes-to-start-policies-in-windows-10.md b/windows/manage/changes-to-start-policies-in-windows-10.md index 30a8c0a870..8697ff8945 100644 --- a/windows/manage/changes-to-start-policies-in-windows-10.md +++ b/windows/manage/changes-to-start-policies-in-windows-10.md 
@@ -3,7 +3,7 @@ title: Changes to Group Policy settings for Windows 10 Start (Windows 10) description: Windows 10 has a brand new Start experience. ms.assetid: 612FB68A-3832-451F-AA97-E73791FEAA9F keywords: ["group policy", "start menu", "start screen"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/configure-devices-without-mdm.md b/windows/manage/configure-devices-without-mdm.md index 82e3420ae6..0539884199 100644 --- a/windows/manage/configure-devices-without-mdm.md +++ b/windows/manage/configure-devices-without-mdm.md @@ -2,10 +2,11 @@ title: Configure devices without MDM (Windows 10) description: Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10. ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E -keywords: ["runtime provisioning", "provisioning package"] -ms.prod: W10 +keywords: runtime provisioning, provisioning package +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: mobile, devices author: jdeckerMS --- diff --git a/windows/manage/configure-mdm-provider-windows-store-for-business.md b/windows/manage/configure-mdm-provider-windows-store-for-business.md index 2b94aba619..e621a59e02 100644 --- a/windows/manage/configure-mdm-provider-windows-store-for-business.md +++ b/windows/manage/configure-mdm-provider-windows-store-for-business.md @@ -2,9 +2,10 @@ title: Configure an MDM provider (Windows 10) description: For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Windows Store for Business inventory to manage apps with offline licenses. ms.assetid: B3A45C8C-A96C-4254-9659-A9B364784673 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store author: TrudyHa --- 
diff --git a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md index 6383bcab54..66f10dbf1e 100644 --- a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md +++ b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md @@ -1,11 +1,6 @@ --- title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10) -description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. -ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9 -keywords: privacy, stop data flow to Microsoft -ms.prod: W10 -ms.mktglfcycl: manage -ms.sitesec: library +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services --- # Configure Windows 10 devices to stop data flow to Microsoft @@ -285,7 +280,7 @@ When you enable the **Don't search the web or display web results in Search** Gr - For **Remote port**, choose **All ports**. -> **Note:** If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. You should use a network traffic analyzer, such as WireShark or Message Analyzer. +> **Note:** If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. Fiddler is a network proxy and Windows Firewall does not block proxy traffic. You should use a network traffic analyzer, such as WireShark or Message Analyzer. ### 1.2 Cortana MDM policies diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md index 58de9307b7..1d4f6b116f 100644 --- a/windows/manage/configure-windows-telemetry-in-your-organization.md 
+++ b/windows/manage/configure-windows-telemetry-in-your-organization.md @@ -2,6 +2,11 @@ description: Use this article to make informed decisions about how you can configure telemetry in your organization. title: Configure Windows telemetry in your organization (Windows 10) keywords: privacy +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft --- # Configure Windows telemetry in your organization @@ -14,8 +19,7 @@ keywords: privacy Use this article to make informed decisions about how you can configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services. -**Note**   -This article does not apply to System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager because those components use a different telemetry service than Windows and Windows Server. +>**Note:**  This article does not apply to System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager because those components use a different telemetry service than Windows and Windows Server. It describes the types of telemetry we gather and the ways you can manage its telemetry. This article also lists some examples of how telemetry can provide you with valuable insights into your enterprise deployments, and how Microsoft uses the data to quickly identify and address issues affecting its customers. 
@@ -29,7 +33,7 @@ Microsoft is committed to improving customer experiences in a mobile-first and c Our goal is to leverage the aggregated data to drive changes in the product and ecosystem to improve our customer experiences. We are also partnering with enterprises to provide added value from the telemetry information shared by their devices. Some examples include identifying outdated patches and downloading the latest antimalware signatures to help keep their devices secure, identifying application compatibility issues prior to upgrades, and gaining insights into driver reliability issues affecting other customers. -For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for youcr organization. +For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization. ## How is telemetry data handled by Microsoft? 
@@ -91,8 +95,7 @@ The levels are cumulative and are illustrated in the following diagram. These le The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests secure with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions. -**Note**   -If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. +> **Note:**  If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is telemetry data about Windows Server features or System Center gathered. 
@@ -104,8 +107,7 @@ The data gathered at this level includes: - **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address. - **Note**   - You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716). + >**Note:**  You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).   @@ -128,7 +130,7 @@ The Basic level gathers a limited set of data that’s critical for understandin The data gathered at this level includes: -- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Previewinstances in the ecosystem, including: +- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Preview instances in the ecosystem, including: - Device attributes, such as camera resolution and display type 
@@ -152,7 +154,7 @@ The data gathered at this level includes: - **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems. - - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade.This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage. + - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage. - **App usage data**. Includes how an app is used, including how long an app is used for, when the app has focus, and when the app is started 
@@ -168,7 +170,7 @@ The data gathered at this level includes: ### Enhanced level -The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experiencewith the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. +The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. This is the default level, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues. 
@@ -204,8 +206,7 @@ However, before more data is gathered, Microsoft’s privacy governance team, in We do not recommend that you turn off telemetry in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center. -**Important**   -These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx). +>**Important:**  These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx). You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on. 
@@ -213,7 +214,7 @@ The lowest telemetry setting level supported through management policies is **Se ### Configure the operating system telemetry level -You can configure your operating system telemetry settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any devicelevel settings. +You can configure your operating system telemetry settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any device level settings. Use the appropriate value in the table below when you configure the management policy. 
@@ -274,8 +275,7 @@ There are a few more settings that you can turn off that may send telemetry info - Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At telemetry levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. - **Note**   - Microsoft do not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information. + >**Note:**  Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.   
@@ -284,7 +284,7 @@ There are a few more settings that you can turn off that may send telemetry info ### Drive higher application and driver quality in the ecosystem -Telemetry plays an important role in quickly identifying and fixing critical reliability and security issues in our customers’ deployments and configurations. Insights into the telemetry data we gather helps us to quickly identify crashes or hangs associated with a certain application or driver on a given configuration, like a particular storage type (for example, SCSI) or a memory size. For System Center, job usages and statuses can also help us enhance the job workload and the communication between System Center and its managed products. Microsoft’s ability to get this data from customers and drive improvements into the ecosystem helps raise the bar for the quality of System Center, Windows Server applications, Windows apps, and drivers. Real-time data about Windows installations reduces downtime and the cost associated with troubleshooting unreliable drivers or unstable applications +Telemetry plays an important role in quickly identifying and fixing critical reliability and security issues in our customers’ deployments and configurations. Insights into the telemetry data we gather helps us to quickly identify crashes or hangs associated with a certain application or driver on a given configuration, like a particular storage type (for example, SCSI) or a memory size. For System Center, job usages and statuses can also help us enhance the job workload and the communication between System Center and its managed products. Microsoft’s ability to get this data from customers and drive improvements into the ecosystem helps raise the bar for the quality of System Center, Windows Server applications, Windows apps, and drivers. Real-time data about Windows installations reduces downtime and the cost associated with troubleshooting unreliable drivers or unstable applications. 
### Reduce your total cost of ownership and downtime diff --git a/windows/manage/customize-and-export-start-layout.md b/windows/manage/customize-and-export-start-layout.md index 4d1f382a15..bd7b75c0fd 100644 --- a/windows/manage/customize-and-export-start-layout.md +++ b/windows/manage/customize-and-export-start-layout.md @@ -3,7 +3,7 @@ title: Customize and export Start layout (Windows 10) description: The easiest method for creating a customized Start layout is to set up the Start screen and export the layout. ms.assetid: CA8DF327-5DD4-452F-9FE5-F17C514B6236 keywords: ["start screen"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md index 614edb4d66..bf5aed9ec4 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md @@ -3,7 +3,7 @@ title: Customize Windows 10 Start with Group Policy (Windows 10) description: In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. ms.assetid: F4A47B36-F1EF-41CD-9CBA-04C83E960545 keywords: ["Start layout", "start menu", "layout", "group policy"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md index d3c9160101..a0ad00415a 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md 
@@ -3,7 +3,7 @@ title: Customize Windows 10 Start with mobile device management (MDM) (Windows 1 description: In Windows 10 Enterprise and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4 keywords: ["start screen", "start menu"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 3af066fdac..cc0c54d783 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -3,7 +3,7 @@ title: Customize Windows 10 Start with ICD and provisioning packages (Windows 10 description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users. ms.assetid: AC952899-86A0-42FC-9E3C-C25F45B1ACAC keywords: ["Start layout", "start menu"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/device-guard-signing-portal.md b/windows/manage/device-guard-signing-portal.md index 4604411897..09c4d67158 100644 --- a/windows/manage/device-guard-signing-portal.md +++ b/windows/manage/device-guard-signing-portal.md @@ -2,9 +2,10 @@ title: Device Guard signing (Windows 10) description: Device Guard signing is a Device Guard feature that is available in the Windows Store for Business. ms.assetid: 8D9CD2B9-5FC6-4C3D-AA96-F135AFEEBB78 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store, security author: TrudyHa --- 
@@ -53,9 +54,8 @@ Device Guard is a feature set that consists of both hardware and software system When you're uploading files for Device Guard signing, there are a few limits for files and file size: -| | | -|-------------------------------------------------------|----------| | Description | Limit | +|-------------------------------------------------------|----------| | Maximum size for a policy or catalog file | 3.5 MB | | Maximum size for multiple files (uploaded in a group) | 4 MB | | Maximum number of files per upload | 15 files | @@ -67,9 +67,8 @@ When you're uploading files for Device Guard signing, there are a few limits for Catalog and policy files have required files types. -| | | -|---------------|--------------------| | File | Required file type | +|---------------|--------------------| | catalog files | .cat | | policy files | .bin | diff --git a/windows/manage/distribute-apps-from-your-private-store.md b/windows/manage/distribute-apps-from-your-private-store.md index d751c6d2f2..c81973c29f 100644 --- a/windows/manage/distribute-apps-from-your-private-store.md +++ b/windows/manage/distribute-apps-from-your-private-store.md @@ -2,9 +2,10 @@ title: Distribute apps using your private store (Windows 10) description: The private store is a feature in Windows Store for Business that organizations receive during the sign up process. ms.assetid: C4644035-845C-4C84-87F0-D87EA8F5BA19 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store author: TrudyHa --- diff --git a/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md b/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md index 28f762ec11..ffdae6061d 100644 --- a/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md +++ b/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md 
@@ -2,9 +2,10 @@ title: Distribute apps to your employees from the Windows Store for Business (Windows 10) description: Distribute apps to your employees from Windows Store for Business. You can assign apps to employees, or let employees install them from your private store. ms.assetid: E591497C-6DFA-49C1-8329-4670F2164E9E -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store author: TrudyHa --- diff --git a/windows/manage/distribute-apps-with-management-tool.md b/windows/manage/distribute-apps-with-management-tool.md index 37824f30c5..484fa6b93b 100644 --- a/windows/manage/distribute-apps-with-management-tool.md +++ b/windows/manage/distribute-apps-with-management-tool.md @@ -2,9 +2,10 @@ title: Distribute apps with a management tool (Windows 10) description: You can configure a mobile device management (MDM) tool to synchronize your Store for Business inventory. Store for Business management tool services work with MDM tools to manage content. ms.assetid: 006F5FB1-E688-4769-BD9A-CFA6F5829016 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store author: TrudyHa --- 
@@ -20,7 +21,7 @@ You can configure a mobile device management (MDM) tool to synchronize your Stor Your MDM tool needs to be installed and configured in Azure AD, in the same Azure AD directory used with Windows Store for Business. -In Azure AD management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Azure AD, you can authorize the tool to work with the Store for Business. This allows the MDM tool to call Store for Business management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md). +In Azure AD management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Azure AD, you can authorize the tool to work with the Store for Business. This allows the MDM tool to call Store for Business management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md) and [Manage apps you purchased from the Windows Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune). Store for Business services provide: @@ -61,7 +62,7 @@ This diagram shows how you can use a management tool to distribute an online-lic [Configure MDM Provider](../manage/configure-mdm-provider-windows-store-for-business.md) -[Manage apps you purchased from the Windows Store for Business with Micosoft InTune](https://technet.microsoft.com/library/mt676514.aspx) +[Manage apps you purchased from the Windows Store for Business with Microsoft InTune](https://technet.microsoft.com/library/mt676514.aspx)   diff --git a/windows/manage/distribute-offline-apps.md b/windows/manage/distribute-offline-apps.md index 8cb184da6b..f6493b53b4 100644 --- a/windows/manage/distribute-offline-apps.md +++ b/windows/manage/distribute-offline-apps.md 
@@ -2,9 +2,10 @@ title: Distribute offline apps (Windows 10) description: Offline licensing is a new licensing option for Windows 10. ms.assetid: 6B9F6876-AA66-4EE4-A448-1371511AC95E -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store author: TrudyHa --- diff --git a/windows/manage/find-and-acquire-apps-overview.md b/windows/manage/find-and-acquire-apps-overview.md index dbb7882835..4b4aab57ea 100644 --- a/windows/manage/find-and-acquire-apps-overview.md +++ b/windows/manage/find-and-acquire-apps-overview.md @@ -2,9 +2,10 @@ title: Find and acquire apps (Windows 10) description: Use the Windows Store for Business to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization. ms.assetid: 274A5003-5F15-4635-BB8B-953953FD209A -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store author: TrudyHa --- diff --git a/windows/manage/group-policies-for-enterprise-and-education-editions.md b/windows/manage/group-policies-for-enterprise-and-education-editions.md index 5d5f71e9f1..9904809076 100644 --- a/windows/manage/group-policies-for-enterprise-and-education-editions.md +++ b/windows/manage/group-policies-for-enterprise-and-education-editions.md @@ -1,9 +1,10 @@ --- title: Group Policies that apply only to Windows 10 Enterprise and Education Editions (Windows 10) description: Use this topic to learn about Group Policy objects that apply only to Windows 10 Enterprise and Windows 10 Education. -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: brianlic-msft --- # Group Policies that apply only to Windows 10 Enterprise and Education Editions diff --git a/windows/manage/how-it-pros-can-use-configuration-service-providers.md b/windows/manage/how-it-pros-can-use-configuration-service-providers.md index 463a578534..bab2563813 100644 
--- a/windows/manage/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/manage/how-it-pros-can-use-configuration-service-providers.md @@ -2,7 +2,7 @@ title: Introduction to configuration service providers (CSPs) for IT pros (Windows 10) description: Configuration service providers (CSPs) expose device configuration settings in Windows 10. ms.assetid: 25C1FDCA-0E10-42A1-A368-984FFDB2B7B6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/images/settings-table.png b/windows/manage/images/settings-table.png index 527d92d9b2..6b77ce6002 100644 Binary files a/windows/manage/images/settings-table.png and b/windows/manage/images/settings-table.png differ diff --git a/windows/manage/index.md b/windows/manage/index.md index e6aff0c940..fa16723bc3 100644 --- a/windows/manage/index.md +++ b/windows/manage/index.md @@ -3,7 +3,7 @@ title: Manage and update Windows 10 (Windows 10) description: Learn about managing and updating Windows 10. ms.assetid: E5716355-02AB-4B75-A962-14B1A7F7BDA0 keywords: Windows 10, MDM, WSUS, Windows update -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -74,4 +74,4 @@ Learn about managing and updating Windows 10. ## Related topics [Windows 10 and Windows 10 Mobile](../index.md)   -  + [Learn how Microsoft does IT at the IT Showcase](https://www.microsoft.com/itshowcase) diff --git a/windows/manage/introduction-to-windows-10-servicing.md b/windows/manage/introduction-to-windows-10-servicing.md index 0c6c2ab9a6..0325ebfeac 100644 --- a/windows/manage/introduction-to-windows-10-servicing.md +++ b/windows/manage/introduction-to-windows-10-servicing.md 
@@ -3,10 +3,10 @@ title: Windows 10 servicing options for updates and upgrades (Windows 10) description: This article describes the new servicing options available in Windows 10. ms.assetid: D1DEB7C0-283F-4D7F-9A11-EE16CB242B42 keywords: update, LTSB, lifecycle, Windows update, upgrade -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security +ms.pagetype: security, servicing author: greg-lindsay --- @@ -18,6 +18,8 @@ author: greg-lindsay This article describes the new servicing options available in Windows 10 and IoT Core and how they enable enterprises to keep their devices current with the latest feature upgrades. It also covers related topics, such as how enterprises can make better use of Windows Update, and what the new servicing options mean for support lifecycles. +For Windows 10 current version numbers by servicing option see: [Windows 10 release information](https://technet.microsoft.com/en-us/windows/mt679505.aspx). + **Note**   Several of the figures in this article show multiple feature upgrades of Windows being released by Microsoft over time. Be aware that these figures were created with dates that were chosen for illustrative clarity, not for release roadmap accuracy, and should not be used for planning purposes.   diff --git a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md index cd798c3163..3a8047bf80 100644 --- a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md +++ b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md 
@@ -2,9 +2,10 @@ title: Join Windows 10 Mobile to Azure Active Directory (Windows 10) description: Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). ms.assetid: 955DD9EC-3519-4752-827E-79CEB1EC8D6B -ms.prod: W10 -ms.mktglfcycl: deploy +ms.prod: w10 +ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: mobile author: jdeckerMS --- diff --git a/windows/manage/lock-down-windows-10-to-specific-apps.md b/windows/manage/lock-down-windows-10-to-specific-apps.md index 095f7b1bbf..232ab26d13 100644 --- a/windows/manage/lock-down-windows-10-to-specific-apps.md +++ b/windows/manage/lock-down-windows-10-to-specific-apps.md @@ -3,9 +3,10 @@ title: Lock down Windows 10 to specific apps (Windows 10) description: Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 keywords: ["lockdown", "app restrictions", "applocker"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: edu, security author: jdeckerMS --- diff --git a/windows/manage/lock-down-windows-10.md b/windows/manage/lock-down-windows-10.md index 142d9f3824..320d69d80d 100644 --- a/windows/manage/lock-down-windows-10.md +++ b/windows/manage/lock-down-windows-10.md @@ -3,9 +3,10 @@ title: Lock down Windows 10 (Windows 10) description: Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device. ms.assetid: 955BCD92-0A1A-4C48-98A8-30D7FAF2067D keywords: lockdown -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: security, mobile author: jdeckerMS --- @@ -47,7 +48,7 @@ Enterprises often need to manage how people use corporate devices. Windows 10 p

Use this article to make informed decisions about how you can configure Windows telemetry in your organization.

-

[Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md)

+

[Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)

Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.

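Review bot: In the distribute-apps-with-management-tool.md hunk, the Related topics entry still reads `[Manage apps you purchased from the Windows Store for Business with Microsoft InTune](https://technet.microsoft.com/library/mt676514.aspx)` after the Micosoft/Microsoft fix; the product name is Intune, not InTune, and the same topic is now also linked from the body through the docs.microsoft.com URL added in the first hunk of that file. Fix the casing and point both references at one URL so the two links don't drift apart.

Review bot: In the group-policies-for-enterprise-and-education-editions.md hunk, the front matter gains `author: brianlic-msft` but remains the only topic touched by this patch without an `ms.assetid` line; check whether the build expects one before merging.

Review bot: In the lock-down-windows-10.md hunk, moving the blank line from above `[Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md)` to below it still leaves that entry as the only link in the list without a one-line description; its neighbours each have one (`Use this article to make informed decisions ...`, `Learn about the network connections ...`). Add a description, or, since the new manage-connections topic introduced in this same change covers the same ground, say which of the two the reader should start with.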
diff --git a/windows/manage/lockdown-xml.md b/windows/manage/lockdown-xml.md index 616e800b95..7655d1f5e4 100644 --- a/windows/manage/lockdown-xml.md +++ b/windows/manage/lockdown-xml.md @@ -2,9 +2,10 @@ title: Configure Windows 10 Mobile using Lockdown XML (Windows 10) description: Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. ms.assetid: 22C8F654-2EC3-4E6D-8666-1EA9FCF90F5F -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: security, mobile author: jdeckerMS --- diff --git a/windows/manage/manage-access-to-private-store.md b/windows/manage/manage-access-to-private-store.md index c6bca23dc2..47ddaea3ef 100644 --- a/windows/manage/manage-access-to-private-store.md +++ b/windows/manage/manage-access-to-private-store.md @@ -2,6 +2,10 @@ title: Manage access to private store (Windows 10) description: You can manage access to your private store in Windows Store for Business. ms.assetid: 4E00109C-2782-474D-98C0-02A05BE613A5 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: store author: TrudyHa --- diff --git a/windows/manage/manage-apps-windows-store-for-business-overview.md b/windows/manage/manage-apps-windows-store-for-business-overview.md index f763f788bf..6856a7683d 100644 --- a/windows/manage/manage-apps-windows-store-for-business-overview.md +++ b/windows/manage/manage-apps-windows-store-for-business-overview.md @@ -2,9 +2,10 @@ title: Manage apps in Windows Store for Business (Windows 10) description: Manage settings and access to apps in Windows Store for Business. ms.assetid: 2F65D4C3-B02C-41CC-92F0-5D9937228202 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store author: TrudyHa --- 
diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md new file mode 100644 index 0000000000..f3194a4699 --- /dev/null +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -0,0 +1,1265 @@ +--- +title: Manage connections from Windows operating system components to Microsoft services (Windows 10) +description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. +ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9 +keywords: privacy, manage connections to Microsoft +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: brianlic-msft +--- + +# Manage connections from Windows operating system components to Microsoft services + +**Applies to** + +- Windows 10 + +If you're looking for content on what each telemetry level means and how to configure it in your organization, see [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md). + +Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. + +If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. + +Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. However, you must use Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511 to manage them all. 
+ +In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, you can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. + +We are always working on improving Windows 10 for our customers. We invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows 10 work better for your organization. + +Here's what's covered in this article: + +- [Info management settings](#bkmk-othersettings) + + - [1. Cortana](#bkmk-cortana) + + - [1.1 Cortana Group Policies](#bkmk-cortana-gp) + + - [1.2 Cortana MDM policies](#bkmk-cortana-mdm) + + - [1.3 Cortana Windows Provisioning](#bkmk-cortana-prov) + + - [2. Date & Time](#bkmk-datetime) + + - [3. Device metadata retrieval](#bkmk-devinst) + + - [4. Font streaming](#font-streaming) + + - [5. Insider Preview builds](#bkmk-previewbuilds) + + - [6. Internet Explorer](#bkmk-ie) + + - [6.1 Internet Explorer Group Policies](#bkmk-ie-gp) + + - [6.2 ActiveX control blocking](#bkmk-ie-activex) + + - [7. Live Tiles](#live-tiles) + + - [8. Mail synchronization](#bkmk-mailsync) + + - [9. Microsoft Edge](#bkmk-edge) + + - [9.1 Microsoft Edge Group Policies](#bkmk-edgegp) + + - [9.2 Microsoft Edge MDM policies](#bkmk-edge-mdm) + + - [9.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov) + + - [10. Network Connection Status Indicator](#bkmk-ncsi) + + - [11. Offline maps](#bkmk-offlinemaps) + + - [12. OneDrive](#bkmk-onedrive) + + - [13. Preinstalled apps](#bkmk-preinstalledapps) + + - [14. 
Settings > Privacy](#bkmk-settingssection) + + - [14.1 General](#bkmk-priv-general) + + - [14.2 Location](#bkmk-priv-location) + + - [14.3 Camera](#bkmk-priv-camera) + + - [14.4 Microphone](#bkmk-priv-microphone) + + - [14.5 Speech, inking, & typing](#bkmk-priv-speech) + + - [14.6 Account info](#bkmk-priv-accounts) + + - [14.7 Contacts](#bkmk-priv-contacts) + + - [14.8 Calendar](#bkmk-priv-calendar) + + - [14.9 Call history](#bkmk-priv-callhistory) + + - [14.10 Email](#bkmk-priv-email) + + - [14.11 Messaging](#bkmk-priv-messaging) + + - [14.12 Radios](#bkmk-priv-radios) + + - [14.13 Other devices](#bkmk-priv-other-devices) + + - [14.14 Feedback & diagnostics](#bkmk-priv-feedback) + + - [14.15 Background apps](#bkmk-priv-background) + + - [15. Software Protection Platform](#bkmk-spp) + + - [16. Sync your settings](#bkmk-syncsettings) + + - [17. Teredo](#bkmk-teredo) + + - [18. Wi-Fi Sense](#bkmk-wifisense) + + - [19. Windows Defender](#bkmk-defender) + + - [20. Windows Media Player](#bkmk-wmp) + + - [21. Windows spotlight](#bkmk-spotlight) + + - [22. Windows Store](#bkmk-windowsstore) + + - [23. Windows Update Delivery Optimization](#bkmk-updates) + + - [23.1 Settings > Update & security](#bkmk-wudo-ui) + + - [23.2 Delivery Optimization Group Policies](#bkmk-wudo-gp) + + - [23.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm) + + - [23.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov) + + - [24. 
Windows Update](#bkmk-wu) + +## What's new in Windows 10, version 1511 + + +Here's a list of changes that were made to this article for Windows 10, version 1511: + +- Added the following new sections: + + - [Mail synchronization](#bkmk-mailsync) + + - [Offline maps](#bkmk-offlinemaps) + + - [Windows spotlight](#bkmk-spotlight) + + - [Windows Store](#bkmk-windowsstore) + +- Added the following Group Policies: + + - Open a new tab with an empty tab + + - Configure corporate Home pages + + - Let Windows apps access location + + - Let Windows apps access the camera + + - Let Windows apps access the microphone + + - Let Windows apps access account information + + - Let Windows apps access contacts + + - Let Windows apps access the calendar + + - Let Windows apps access messaging + + - Let Windows apps control radios + + - Let Windows apps access trusted devices + + - Do not show feedback notifications + + - Turn off Automatic Download and Update of Map Data + + - Force a specific default lock screen image + +- Added the AllowLinguisticDataCollection MDM policy. + +- Added steps in the [Cortana](#bkmk-cortana) section on how to disable outbound traffic using Windows Firewall. + +- Changed the Windows Update section to apply system-wide settings, and not just per user. + +## Info management settings + + +This section lists the components that make network connections to Microsoft services automatically. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. + +The settings in this section assume you are using Windows 10, version 1511 (currently available in the Current Branch and Current Branch for Business). 
They will also be included in the next update for the Long Term Servicing Branch. + +- [1. Cortana](#bkmk-cortana) + +- [2. Date & Time](#bkmk-datetime) + +- [3. Device metadata retrieval](#bkmk-devinst) + +- [4. Font streaming](#font-streaming) + +- [5. Insider Preview builds](#bkmk-previewbuilds) + +- [6. Internet Explorer](#bkmk-ie) + +- [7. Live Tiles](#live-tiles) + +- [8. Mail synchronization](#bkmk-mailsync) + +- [9. Microsoft Edge](#bkmk-edge) + +- [10. Network Connection Status Indicator](#bkmk-ncsi) + +- [11. Offline maps](#bkmk-offlinemaps) + +- [12. OneDrive](#bkmk-onedrive) + +- [13. Preinstalled apps](#bkmk-preinstalledapps) + +- [14. Settings > Privacy](#bkmk-settingssection) + +- [15. Software Protection Platform](#bkmk-spp) + +- [16. Sync your settings](#bkmk-syncsettings) + +- [17. Teredo](#bkmk-teredo) + +- [18. Wi-Fi Sense](#bkmk-wifisense) + +- [19. Windows Defender](#bkmk-defender) + +- [20. Windows Media Player](#bkmk-wmp) + +- [21. Windows spotlight](#bkmk-spotlight) + +- [22. Windows Store](#bkmk-windowsstore) + +- [23. Windows Update Delivery Optimization](#bkmk-updates) + +- [24. Windows Update](#bkmk-wu) + + +See the following table for a summary of the management settings. For more info, see its corresponding section. + +![Management settings table](images/settings-table.png) + +### 1. Cortana + +Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730683). + +### 1.1 Cortana Group Policies + +Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**. + +| Policy | Description | +|------------------------------------------------------|---------------------------------------------------------------------------------------| +| Allow Cortana | Choose whether to let Cortana install and run on the device. 
| +| Allow search and Cortana to use location | Choose whether Cortana and Search can provide location-aware search results. | +| Do not allow web search | Choose whether to search the web from Windows Desktop Search.
Default: Disabled| +| Don't search the web or display web results in Search| Choose whether to search the web from Cortana. | +| Set what information is shared in Search | Control what information is shared with Bing in Search. | + +When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic. + +1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. + +2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts. + +3. On the **Rule Type** page, click **Program**, and then click **Next**. + +4. On the **Program** page, click **This program path**, type **%windir%\\systemapps\\Microsoft.Windows.Cortana\_cw5n1h2txyewy\\SearchUI.exe**, and then click **Next**. + +5. On the **Action** page, click **Block the connection**, and then click **Next**. + +6. On the **Profile** page, ensure that the **Domain**, **Private**, and **Public** check boxes are selected, and then click **Next**. + +7. On the **Name** page, type a name for the rule, such as **Cortana firewall configuration**, and then click **Finish.** + +8. Right-click the new rule, click **Properties**, and then click **Protocols and Ports**. + +9. Configure the **Protocols and Ports** page with the following info, and then click **OK**. + + - For **Protocol type**, choose **TCP**. + + - For **Local port**, choose **All Ports**. 
+ + - For **Remote port**, choose **All ports**. + +> **Note:** If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. Fiddler is a network proxy and Windows Firewall does not block proxy traffic. You should use a network traffic analyzer, such as WireShark or Message Analyzer. + +### 1.2 Cortana MDM policies + +The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). + +| Policy | Description | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Experience/AllowCortana | Choose whether to let Cortana install and run on the device. | +| Search/AllowSearchToUseLocation | Choose whether Cortana and Search can provide location-aware search results.
Default: Allowed| + +### 1.3 Cortana Windows Provisioning + +To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies** to find **Experience** > **AllowCortana** and **Search** > **AllowSearchToUseLocation**. + +### 2. Date & Time + +You can prevent Windows from setting the time automatically. + +- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically** + + -or- + +- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters** with a value of **NoSync**. + +### 3. Device metadata retrieval + +To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. + +### 4. Font streaming + +Starting with Windows 10, fonts that are included in Windows but that are not stored on the local device can be downloaded on demand. + +To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1. + +> **Note:** This may change in future versions of Windows. + +### 5. Insider Preview builds + +To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds. + +- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Stop Insider builds**. 
+ + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. + + -or- + +- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: + + - **0**. Users cannot make their devices available for downloading and installing preview software. + + - **1**. Users can make their devices available for downloading and installing preview software. + + - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. + + -or- + +- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where: + + - **0**. Users cannot make their devices available for downloading and installing preview software. + + - **1**. Users can make their devices available for downloading and installing preview software. + + - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. + +### 6. Internet Explorer + +Use Group Policy to manage settings for Internet Explorer. + +### 6.1 Internet Explorer Group Policies + +Find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**. + +| Policy | Description | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites.
Default: Enabled
You can also turn this off in the UI by clearing the **Internet Options** > **Advanced** > **Enable Suggested Sites** check box.| +| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar.
Default: Enabled| +| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.
Default: Disabled
You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.| +| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version.
Default: Enabled | +| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
Default: Disabled| + +### 6.2 ActiveX control blocking + +ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero). + +For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx). + +### 7. Live Tiles + +To turn off Live Tiles: + +- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage** + +### 8. Mail synchronization + +To turn off mail synchronization for Microsoft Accounts that are configured on a device: + +- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts. + + -or- + +- Remove any Microsoft Accounts from the Mail app. + + -or- + +- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device. + +To turn off the Windows Mail app: + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application** + +### 9. Microsoft Edge + +Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730682). + +### 9.1 Microsoft Edge Group Policies + +Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. + +> **Note:** The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. 
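Review bot: In the new manage-connections-from-windows-operating-system-components-to-microsoft-services.md file, the Date & Time step `Create a REG_SZ registry setting in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters with a value of NoSync` never names the value to create, so the step cannot be followed as written; the value is `Type` (the other settings it accepts are NTP, NT5DS and AllSync), and the step should say so. Two further points in the same hunk: the Cortana firewall procedure claims the rule turns off that network activity `completely`, yet step 9 limits it to `Protocol type` TCP, which leaves any UDP traffic from SearchUI.exe unblocked, so either choose Any for the protocol or drop the word completely. And in the Microsoft Edge Group Policy table, `Default: Enabled` under `Turn off autofill`, `Turn off password manager`, `Turn off address bar search suggestions` and `Turn off the SmartScreen Filter` reads as the policy being enabled (feature off) while the matching MDM rows say `Default: Allowed`; state the default in terms of the feature, as the MDM table does. Minor: `NCIS` in section 10 should be NCSI, `search suggestions..` in the MDM table has a doubled period, and `To turn off Insider Preview builds if you're running a released version of Windows 10.` is a sentence fragment.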
The table below reflects those changes. + +| Policy | Description | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Turn off autofill | Choose whether employees can use autofill on websites.
Default: Enabled | +| Allow employees to send Do Not Track headers | Choose whether employees can send Do Not Track headers.
Default: Disabled | +| Turn off password manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled | +| Turn off address bar search suggestions | Choose whether the address bar shows search suggestions.
Default: Enabled | +| Turn off the SmartScreen Filter | Choose whether SmartScreen is turned on or off.
Default: Enabled | +| Open a new tab with an empty tab | Choose whether a new tab page appears.
Default: Enabled | +| Configure corporate Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** | + +### 9.2 Microsoft Edge MDM policies + +The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). + +| Policy | Description | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Browser/AllowAutoFill | Choose whether employees can use autofill on websites.
Default: Allowed | +| Browser/AllowDoNotTrack | Choose whether employees can send Do Not Track headers.
Default: Not allowed | +| Browser/AllowPasswordManager | Choose whether employees can save passwords locally on their devices.
Default: Allowed | +| Browser/AllowSearchSuggestionsinAddressBar | Choose whether the address bar shows search suggestions..
Default: Allowed | +| Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off.
Default: Allowed | + +### 9.3 Microsoft Edge Windows Provisioning + +Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies**. + +For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx). + +### 10. Network Connection Status Indicator + +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftncsi.com to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx). + +You can turn off NCSI through Group Policy: + +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** + +> **Note** After you apply this policy, you must restart the device for the policy setting to take effect. + +### 11. Offline maps + +You can turn off the ability to download and update offline maps. + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data** + +### 12. OneDrive + +To turn off OneDrive in your organization: + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage** + +### 13. Preinstalled apps + +Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section. 
+ +To remove the News app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage** + +To remove the Weather app: + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage** + +To remove the Money app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage** + +To remove the Sports app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. 
From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage** + +To remove the Twitter app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage \*.Twitter | Remove-AppxPackage** + +To remove the XBOX app: + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage** + +To remove the Sway app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. 
From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage** + +To remove the OneNote app: + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage** + +To remove the Get Office app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage** + +To remove the Get Skype app: + +- Right-click the Sports app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. 
From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage** + +### 14. Settings > Privacy + +Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. + +- [14.1 General](#bkmk-general) + +- [14.2 Location](#bkmk-priv-location) + +- [14.3 Camera](#bkmk-priv-camera) + +- [14.4 Microphone](#bkmk-priv-microphone) + +- [14.5 Speech, inking, & typing](#bkmk-priv-speech) + +- [14.6 Account info](#bkmk-priv-accounts) + +- [14.7 Contacts](#bkmk-priv-contacts) + +- [14.8 Calendar](#bkmk-priv-calendar) + +- [14.9 Call history](#bkmk-priv-callhistory) + +- [14.10 Email](#bkmk-priv-email) + +- [14.11 Messaging](#bkmk-priv-messaging) + +- [14.12 Radios](#bkmk-priv-radios) + +- [14.13 Other devices](#bkmk-priv-other-devices) + +- [14.14 Feedback & diagnostics](#bkmk-priv-feedback) + +- [14.15 Background apps](#bkmk-priv-background) + +### 14.1 General + +**General** includes options that don't fall into other areas. + +To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**: + +> **Note:** When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. 
+ + -or- + +- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero). + +To turn off **Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Turn off the SmartScreen Filter**. + + Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**. + + -or- + +- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. + + -or- + +- Create a provisioning package, using: + + - For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen** + + - For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen** + + -or- + +- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation**, with a value of 0 (zero). + +To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**: + +> **Note: ** If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically. + + + +- Turn off the feature in the UI. + + -or- + +- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: + + - **0**. Not allowed + + - **1**. Allowed (default) + +To turn off **Let websites provide locally relevant content by accessing my language list**: + +- Turn off the feature in the UI. 
+ + -or- + +- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1. + +### 14.2 Location + +In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location. + +To turn off **Location for this device**: + +- Click the **Change** button in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**. + + -or- + +- Apply the System/AllowLocation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Turned off and the employee can't turn it back on. + + - **1**. Turned on, but lets the employee choose whether to use it. (default) + + - **2**. Turned on and the employee can't turn it off. + + **Note** + You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). + + -or- + +- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where + + - **No**. Turns off location service. + + - **Yes**. Turns on location service. (default) + +To turn off **Location**: + +- Turn off the feature in the UI. + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location** + + - Set the **Select a setting** box to **Force Deny**. + + -or- + +To turn off **Location history**: + +- Erase the history using the **Clear** button in the UI. + +To turn off **Choose apps that can use your location**: + +- Turn off each app using the UI. + +### 14.3 Camera + +In the **Camera** area, you can choose which apps can access a device's camera. 
+ +To turn off **Let apps use my camera**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera** + + - Set the **Select a setting** box to **Force Deny**. + + -or- + +- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Apps can't use the camera. + + - **1**. Apps can use the camera. + + **Note** + You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). + + -or- + +- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where: + + - **0**. Apps can't use the camera. + + - **1**. Apps can use the camera. + +To turn off **Choose apps that can use your camera**: + +- Turn off the feature in the UI for each app. + +### 14.4 Microphone + +In the **Microphone** area, you can choose which apps can access a device's microphone. + +To turn off **Let apps use my microphone**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can use your microphone**: + +- Turn off the feature in the UI for each app. + +### 14.5 Speech, inking, & typing + +In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees. 
+ +> **Note:** For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article. + + + +To turn off the functionality: + +- Click the **Stop getting to know me** button, and then click **Turn off**. + + -or- + +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning** + + -or- + +- Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero). + + -and- + + Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero). + +### 14.6 Account info + +In the **Account Info** area, you can choose which apps can access your name, picture, and other account info. + +To turn off **Let apps access my name, picture, and other account info**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose the apps that can access your account info**: + +- Turn off the feature in the UI for each app. + +### 14.7 Contacts + +In the **Contacts** area, you can choose which apps can access an employee's contacts list. + +To turn off **Choose apps that can access contacts**: + +- Turn off the feature in the UI for each app. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** + + - Set the **Select a setting** box to **Force Deny**. 
+ +### 14.8 Calendar + +In the **Calendar** area, you can choose which apps have access to an employee's calendar. + +To turn off **Let apps access my calendar**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can access calendar**: + +- Turn off the feature in the UI for each app. + +### 14.9 Call history + +In the **Call history** area, you can choose which apps have access to an employee's call history. + +To turn off **Let apps access my call history**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history** + + - Set the **Select a setting** box to **Force Deny**. + +### 14.10 Email + +In the **Email** area, you can choose which apps have can access and send email. + +To turn off **Let apps access and send email**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email** + + - Set the **Select a setting** box to **Force Deny**. + +### 14.11 Messaging + +In the **Messaging** area, you can choose which apps can read or send messages. + +To turn off **Let apps read or send messages (text or MMS)**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can read or send messages**: + +- Turn off the feature in the UI for each app. 
+ +### 14.12 Radios + +In the **Radios** area, you can choose which apps can turn a device's radio on or off. + +To turn off **Let apps control radios**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can control radios**: + +- Turn off the feature in the UI for each app. + +### 14.13 Other devices + +In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info. + +To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**: + +- Turn off the feature in the UI. + +To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices** + + - Set the **Select a setting** box to **Force Deny**. + +### 14.14 Feedback & diagnostics + +In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. + +To change how frequently **Windows should ask for my feedback**: + +**Note** +Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device. + + + +- To change from **Automatically (Recommended)**, use the drop-down list in the UI. 
+ + -or- + +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications** + + -or- + +- Create the registry keys (REG\_DWORD type): + + - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds + + - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod + + Based on these settings: + + | Setting | PeriodInNanoSeconds | NumberOfSIUFInPeriod | + |---------------|-----------------------------|-----------------------------| + | Automatically | Delete the registry setting | Delete the registry setting | + | Never | 0 | 0 | + | Always | 100000000 | Delete the registry setting | + | Once a day | 864000000000 | 1 | + | Once a week | 6048000000000 | 1 | + + + +To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**: + +- To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**. + + > **Note:** You can't use the UI to change the telemetry level to **Security**. + + + + -or- + +- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** + + -or- + +- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Maps to the **Security** level. + + - **1**. Maps to the **Basic** level. + + - **2**. Maps to the **Enhanced** level. + + - **3**. Maps to the **Full** level. + + -or- + +- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where: + + - **0**. Maps to the **Security** level. + + - **1**. Maps to the **Basic** level. + + - **2**. Maps to the **Enhanced** level. + + - **3**. Maps to the **Full** level. 
+ +### 14.15 Background apps + +In the **Background Apps** area, you can choose which apps can run in the background. + +To turn off **Let apps run in the background**: + +- Turn off the feature in the UI for each app. + +### 15. Software Protection Platform + +Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by applying the following Group Policy: + +**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation** + +The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. + +### 16. Sync your settings + +You can control if your settings are synchronized: + +- In the UI: **Settings** > **Accounts** > **Sync your settings** + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync** + + -or- + +- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. + + -or- + +- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where + + - **No**. Settings are not synchronized. + + - **Yes**. Settings are synchronized. (default) + +To turn off Messaging cloud sync: + +- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero). + +### 17. Teredo + +You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx). 
+ +- From an elevated command prompt, run **netsh interface teredo set state disabled** + +### 18. Wi-Fi Sense + +Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them. + +To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**: + +- Turn off the feature in the UI. + + -or- + +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**. + + -or- + +- Create a new REG\_DWORD registry setting called **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config**, with a value of 0 (zero). + + -or- + +- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620909). + + -or- + +- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620910). + +When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. + +### 19. Windows Defender + +You can disconnect from the Microsoft Antimalware Protection Service. + +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS** + + -or- + +- Apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). 
+ + -or- + +- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero). + + -and- + + From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0** + +You can stop sending file samples back to Microsoft. + +- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**. + + -or- + +- Apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Always prompt. + + - **1**. (default) Send safe samples automatically. + + - **2**. Never send. + + - **3**. Send all samples automatically. + + -or- + +- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send. + +You can stop downloading definition updates: + +- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. + + -and- + +- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. + +You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1. + +### 20. 
Windows Media Player + +To remove Windows Media Player: + +- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**. + + -or- + +- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** + +### 21. Windows spotlight + +Windows spotlight provides different background images and text on the lock screen. You can control it by using the user interface or through Group Policy. + +- Configure the following in **Settings**: + + - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Show me tips, tricks, and more on the lock screen**. + + - **Personalization** > **Start** > **Occasionally show suggestions in Start**. + + - **System** > **Notifications & actions** > **Show me tips about Windows**. + + -or- + +- Apply the Group Policies: + + - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. + - Add a location in the **Path to local lock screen image** box. + + - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box. + + **Note** This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. + + + + - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows Tips**. + + - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**. 
+ +For more info, see [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md). + +### 22. Windows Store + +You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled. + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**. + +### 23. Windows Update Delivery Optimization + +Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. + +By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network. + +Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization. + +### 23.1 Settings > Update & security + +You can set up Delivery Optimization from the **Settings** UI. + +- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**. + +### 23.2 Delivery Optimization Group Policies + +You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. 
+ +| Policy | Description | +|---------------------------|-----------------------------------------------------------------------------------------------------| +| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
  • None. Turns off Delivery Optimization.

  • Group. Gets or sends updates and apps to PCs on the same local network domain.

  • Internet. Gets or sends updates and apps to PCs on the Internet.

  • LAN. Gets or sends updates and apps to PCs on the same NAT only.

| +| Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates.
** Note** This ID must be a GUID.| +| Max Cache Age | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days).| +| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.| +| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.| + +### 23.3 Delivery Optimization MDM policies + +The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). + +| Policy | Description | +|---------------------------|-----------------------------------------------------------------------------------------------------| +| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
  • 0. Turns off Delivery Optimization.

  • 1. Gets or sends updates and apps to PCs on the same NAT only.

  • 2. Gets or sends updates and apps to PCs on the same local network domain.

  • 3. Gets or sends updates and apps to PCs on the Internet.

| +| DeliveryOptimization/DOGroupID | Lets you provide a Group ID that limits which PCs can share apps and updates.
**Note** This ID must be a GUID.| +| DeliveryOptimization/DOMaxCacheAge | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days).| +| DeliveryOptimization/DOMaxCacheSize | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.| +| DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.| + + +### 23.4 Delivery Optimization Windows Provisioning + +If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies + +Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windows ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526803), to create a provisioning package for Delivery Optimization. + +1. Open Windows ICD, and then click **New provisioning package**. + +2. In the **Name** box, type a name for the provisioning package, and then click **Next.** + +3. Click the **Common to all Windows editions** option, click **Next**, and then click **Finish**. + +4. Go to **Runtime settings** > **Policies** > **DeliveryOptimization** to configure the policies. + +For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730684). + +### 24. Windows Update + +You can turn off Windows Update by setting the following registry entries: + +- Add a REG\_DWORD value called **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. + + -and- + +- Add a REG\_DWORD value called **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. + +You can turn off automatic updates by doing one of the following. This is not recommended. + +- Add a REG\_DWORD value called **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5. + + -or- + +- Apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Notify the user before downloading the update. + + - **1**. 
Auto install the update and then notify the user to schedule a device restart. + + - **2** (default). Auto install and restart. + + - **3**. Auto install and restart at a specified time. + + - **4**. Auto install and restart without end-user control. + + - **5**. Turn off automatic updates. + +To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx). diff --git a/windows/manage/manage-corporate-devices.md b/windows/manage/manage-corporate-devices.md index bbfa571b02..901a3beb11 100644 --- a/windows/manage/manage-corporate-devices.md +++ b/windows/manage/manage-corporate-devices.md @@ -3,9 +3,10 @@ title: Manage corporate devices (Windows 10) description: You can use the same management tools to manage all device types running Windows 10 desktops, laptops, tablets, and phones. ms.assetid: 62D6710C-E59C-4077-9C7E-CE0A92DFC05D keywords: ["MDM", "device management"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: devices author: jdeckerMS --- diff --git a/windows/manage/manage-cortana-in-enterprise.md b/windows/manage/manage-cortana-in-enterprise.md index f011f4fcae..b44e4c4920 100644 --- a/windows/manage/manage-cortana-in-enterprise.md +++ b/windows/manage/manage-cortana-in-enterprise.md @@ -2,6 +2,9 @@ title: Cortana integration in your business or enterprise (Windows 10) description: The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. ms.assetid: db7b05da-186f-4628-806a-f8b134e2af2c +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library author: eross-msft --- 
diff --git a/windows/manage/manage-inventory-windows-store-for-business.md b/windows/manage/manage-inventory-windows-store-for-business.md index 0a364336aa..8535d16d65 100644 --- a/windows/manage/manage-inventory-windows-store-for-business.md +++ b/windows/manage/manage-inventory-windows-store-for-business.md @@ -2,7 +2,7 @@ title: Manage inventory in Windows Store for Business (Windows 10) description: When you acquire apps from the Windows Store for Business, we add them to the Inventory for your organization. Once an app is part of your inventory, you can distribute the app, and manage licenses. redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/app-inventory-management-windows-store-for-business -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library --- diff --git a/windows/manage/manage-orders-windows-store-for-business.md b/windows/manage/manage-orders-windows-store-for-business.md index d698699806..03d95f9433 100644 --- a/windows/manage/manage-orders-windows-store-for-business.md +++ b/windows/manage/manage-orders-windows-store-for-business.md @@ -1,9 +1,11 @@ --- title: Manage app orders in Windows Store for Business (Windows 10) description: You can view your order history with Windows Store for Business. -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store +author: TrudyHa --- # Manage app orders in Windows Store for Business diff --git a/windows/manage/manage-private-store-settings.md b/windows/manage/manage-private-store-settings.md index 835535ff36..1eb1190a30 100644 --- a/windows/manage/manage-private-store-settings.md +++ b/windows/manage/manage-private-store-settings.md 
@@ -2,9 +2,10 @@ title: Manage private store settings (Windows 10) description: The private store is a feature in the Windows Store for Business that organizations receive during the sign up process. ms.assetid: 2D501538-0C6E-4408-948A-2BF5B05F7A0C -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store author: TrudyHa --- diff --git a/windows/manage/manage-settings-windows-store-for-business.md b/windows/manage/manage-settings-windows-store-for-business.md index 488b0f26ab..04bd40016e 100644 --- a/windows/manage/manage-settings-windows-store-for-business.md +++ b/windows/manage/manage-settings-windows-store-for-business.md @@ -2,9 +2,10 @@ title: Manage settings for the Windows Store for Business (Windows 10) description: You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant. ms.assetid: E3283D77-4DB2-40A9-9479-DDBC33D5A895 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store author: TrudyHa --- diff --git a/windows/manage/manage-users-and-groups-windows-store-for-business.md b/windows/manage/manage-users-and-groups-windows-store-for-business.md index 8621faf1e6..42fb25bfa2 100644 --- a/windows/manage/manage-users-and-groups-windows-store-for-business.md +++ b/windows/manage/manage-users-and-groups-windows-store-for-business.md @@ -2,9 +2,10 @@ title: Manage user accounts in Windows Store for Business (Windows 10) description: Windows Store for Business manages permissions with a set of roles. Currently, you can assign these roles to individuals in your organization, but not to groups. ms.assetid: 5E7FA071-CABD-4ACA-8AAE-F549EFCE922F -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store author: TrudyHa --- diff --git a/windows/manage/manage-wifi-sense-in-enterprise.md b/windows/manage/manage-wifi-sense-in-enterprise.md index 58d0eadae7..172b930871 100644 
--- a/windows/manage/manage-wifi-sense-in-enterprise.md +++ b/windows/manage/manage-wifi-sense-in-enterprise.md @@ -3,9 +3,10 @@ title: Manage Wi-Fi Sense in your company (Windows 10) description: Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. ms.assetid: 1845e00d-c4ee-4a8f-a5e5-d00f2735a271 keywords: ["WiFi Sense", "automatically connect to wi-fi", "wi-fi hotspot connection"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: mobile author: eross-msft --- diff --git a/windows/manage/new-policies-for-windows-10.md b/windows/manage/new-policies-for-windows-10.md index 7bc7dd8224..2da6a7e615 100644 --- a/windows/manage/new-policies-for-windows-10.md +++ b/windows/manage/new-policies-for-windows-10.md @@ -3,7 +3,7 @@ title: New policies for Windows 10 (Windows 10) description: Windows 10 includes the following new policies for management, in addition to policies that were available for Windows 8.1 and Windows Phone 8.1. ms.assetid: 1F24ABD8-A57A-45EA-BA54-2DA2238C573D keywords: ["MDM", "Group Policy"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/prerequisites-windows-store-for-business.md b/windows/manage/prerequisites-windows-store-for-business.md index b3d9b02599..85f411ba17 100644 --- a/windows/manage/prerequisites-windows-store-for-business.md +++ b/windows/manage/prerequisites-windows-store-for-business.md @@ -2,9 +2,10 @@ title: Prerequisites for Windows Store for Business (Windows 10) description: There are a few prerequisites for using Windows Store for Business. ms.assetid: CEBC6870-FFDD-48AD-8650-8B0DC6B2651D -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store author: TrudyHa --- diff --git a/windows/manage/product-ids-in-windows-10-mobile.md b/windows/manage/product-ids-in-windows-10-mobile.md index 0dcbc397eb..f1e1f9a3e3 100644 
--- a/windows/manage/product-ids-in-windows-10-mobile.md +++ b/windows/manage/product-ids-in-windows-10-mobile.md @@ -3,9 +3,10 @@ title: Product IDs in Windows 10 Mobile (Windows 10) description: You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user. ms.assetid: 31116BED-C16A-495A-BD44-93218A087A1C keywords: ["lockdown"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: mobile author: jdeckerMS --- diff --git a/windows/manage/reset-a-windows-10-mobile-device.md b/windows/manage/reset-a-windows-10-mobile-device.md index 40b79a96a5..f9b0a026b4 100644 --- a/windows/manage/reset-a-windows-10-mobile-device.md +++ b/windows/manage/reset-a-windows-10-mobile-device.md @@ -2,9 +2,10 @@ title: Reset a Windows 10 Mobile device (Windows 10) description: There are two methods for resetting a Windows 10 Mobile device factory reset and \ 0034;wipe and persist \ 0034; reset. ms.assetid: B42A71F4-DFEE-4D6E-A904-7942D1AAB73F -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: mobile author: jdeckerMS --- diff --git a/windows/manage/roles-and-permissions-windows-store-for-business.md b/windows/manage/roles-and-permissions-windows-store-for-business.md index fae343dfca..4fbfcc521e 100644 --- a/windows/manage/roles-and-permissions-windows-store-for-business.md +++ b/windows/manage/roles-and-permissions-windows-store-for-business.md @@ -2,9 +2,10 @@ title: Roles and permissions in Windows Store for Business (Windows 10) description: The first person to sign in to Windows Store for Business must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees. ms.assetid: CB6281E1-37B1-4B8B-991D-BC5ED361F1EE -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store author: TrudyHa --- 
diff --git a/windows/manage/set-up-a-device-for-anyone-to-use.md b/windows/manage/set-up-a-device-for-anyone-to-use.md index cc81d0801d..156c44901a 100644 --- a/windows/manage/set-up-a-device-for-anyone-to-use.md +++ b/windows/manage/set-up-a-device-for-anyone-to-use.md @@ -3,7 +3,7 @@ title: Set up a device for anyone to use (kiosk mode) (Windows 10) description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app. ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8 keywords: ["kiosk", "lockdown", "assigned access"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index 55945ea84b..c9e33cfcf9 100644 --- a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md @@ -3,7 +3,7 @@ title: Set up a kiosk on Windows 10 Pro, Enterprise, or Education (Windows 10) description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC keywords: ["assigned access", "kiosk", "lockdown"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS 
@@ -289,76 +289,84 @@ Alternatively, you can turn on Shell Launcher using the Deployment Image Servici Modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device. ``` - $COMPUTER = “localhost” - $NAMESPACE = “root\standardcimv2\embedded” +$COMPUTER = "localhost" +$NAMESPACE = "root\standardcimv2\embedded" - # Create a handle to the class instance so we can call the static methods. - $ShellLauncherClass = [wmiclass]”\\$COMPUTER\${NAMESPACE}:WESL_UserSetting” +# Create a handle to the class instance so we can call the static methods. +$ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting" - # This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group. +# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group. - $Admins_SID = “S-1-5-32-544” +$Admins_SID = "S-1-5-32-544" - # Create a function to retrieve the SID for a user account on a machine. +# Create a function to retrieve the SID for a user account on a machine. - function Get-UsernameSID($AccountName) { +function Get-UsernameSID($AccountName) { - $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName) - $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) + $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName) + $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) - return $NTUserSID.Value + return $NTUserSID.Value - } +} - # Get the SID for a user account named “Cashier”. Rename “Cashier” to an existing account on your system to test this script. +# Get the SID for a user account named "Cashier". 
Rename "Cashier" to an existing account on your system to test this script. - $Cashier_SID = Get-UsernameSID(“Cashier”) +$Cashier_SID = Get-UsernameSID("Cashier") - # Define actions to take when the shell program exits. +# Define actions to take when the shell program exits. - $restart_shell = 0 - $restart_device = 1 - $shutdown_device = 2 +$restart_shell = 0 +$restart_device = 1 +$shutdown_device = 2 - # Examples. You can change these examples to use the program that you want to use as the shell. +# Examples. You can change these examples to use the program that you want to use as the shell. - # This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed. +# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed. - $ShellLauncherClass.SetDefaultShell(“cmd.exe”, $restart_device) +$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device) - # Display the default shell to verify that it was added correctly. +# Display the default shell to verify that it was added correctly. - $DefaultShellObject = $ShellLauncherClass.GetDefaultShell() +$DefaultShellObject = $ShellLauncherClass.GetDefaultShell() - “`nDefault Shell is set to “ + $DefaultShellObject.Shell + “ and the default action is set to “ + $DefaultShellObject.defaultaction +"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction - # Set Internet Explorer as the shell for “Cashier”, and restart the machine if Internet Explorer is closed. +# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed. 
- $ShellLauncherClass.SetCustomShell($Cashier_SID, “c:\program files\internet explorer\iexplore.exe www.microsoft.com”, ($null), ($null), $restart_shell) +$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell) - # Set Explorer as the shell for administrators. +# Set Explorer as the shell for administrators. - $ShellLauncherClass.SetCustomShell($Admins_SID, “explorer.exe”) +$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe") - # View all the custom shells defined. +# View all the custom shells defined. - “`nCurrent settings for custom shells:” - Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction +"`nCurrent settings for custom shells:" +Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction - # Enable Shell Launcher +# Enable Shell Launcher - $ShellLauncherClass.SetEnabled($TRUE) +$ShellLauncherClass.SetEnabled($TRUE) - $IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() +$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() - “`nEnabled is set to “ + $IsShellLauncherEnabled.Enabled +"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled - # Remove the new custom shells. +# Remove the new custom shells. - $ShellLauncherClass.RemoveCustomShell($Admins_SID) +$ShellLauncherClass.RemoveCustomShell($Admins_SID) - $ShellLauncherClass.RemoveCustomShell($Cashier_SID) +$ShellLauncherClass.RemoveCustomShell($Cashier_SID) + +# Disable Shell Launcher + +$ShellLauncherClass.SetEnabled($FALSE) + +$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() + +"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled ``` ## Related topics diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md index bc918aae23..53f2403397 100644 
--- a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md +++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md @@ -2,10 +2,11 @@ title: Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise (Windows 10) description: A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. ms.assetid: 35EC82D8-D9E8-45C3-84E9-B0C8C167BFF7 -keywords: ["kiosk", "lockdown", "assigned access"] -ms.prod: W10 +keywords: kiosk, lockdown, assigned access +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: mobile author: jdeckerMS --- diff --git a/windows/manage/settings-reference-windows-store-for-business.md b/windows/manage/settings-reference-windows-store-for-business.md index b3b1cf9083..283e512bd4 100644 --- a/windows/manage/settings-reference-windows-store-for-business.md +++ b/windows/manage/settings-reference-windows-store-for-business.md @@ -2,9 +2,10 @@ title: Settings reference Windows Store for Business (Windows 10) description: The Windows Store for Business has a group of settings that admins use to manage the store. ms.assetid: 34F7FA2B-B848-454B-AC00-ECA49D87B678 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store author: TrudyHa --- diff --git a/windows/manage/settings-that-can-be-locked-down.md b/windows/manage/settings-that-can-be-locked-down.md index 09b88d9160..a58bf463c0 100644 --- a/windows/manage/settings-that-can-be-locked-down.md +++ b/windows/manage/settings-that-can-be-locked-down.md @@ -3,9 +3,10 @@ title: Settings and quick actions that can be locked down in Windows 10 Mobile ( description: This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. ms.assetid: 69E2F202-D32B-4FAC-A83D-C3051DF02185 keywords: ["lockdown"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: mobile author: jdeckerMS --- 
diff --git a/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md b/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md index 45cf03f80d..71deb2dedb 100644 --- a/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md +++ b/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md @@ -2,9 +2,10 @@ title: Sign code integrity policy with Device Guard signing (Windows 10) description: Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal. ms.assetid: 63B56B8B-2A40-44B5-B100-DC50C43D20A9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store, security author: TrudyHa --- diff --git a/windows/manage/sign-up-windows-store-for-business-overview.md b/windows/manage/sign-up-windows-store-for-business-overview.md index 382b317a88..93c2e85ad1 100644 --- a/windows/manage/sign-up-windows-store-for-business-overview.md +++ b/windows/manage/sign-up-windows-store-for-business-overview.md @@ -2,9 +2,10 @@ title: Sign up and get started (Windows 10) description: IT admins can sign up for the Windows Store for Business, and get started working with apps. ms.assetid: 87C6FA60-3AB9-4152-A85C-6A1588A20C7B -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store author: TrudyHa --- diff --git a/windows/manage/sign-up-windows-store-for-business.md b/windows/manage/sign-up-windows-store-for-business.md index bbbb7df639..89ca4e135b 100644 --- a/windows/manage/sign-up-windows-store-for-business.md +++ b/windows/manage/sign-up-windows-store-for-business.md 
@@ -2,9 +2,10 @@ title: Sign up for Windows Store for Business (Windows 10) description: Before you sign up for Windows Store for Business, at a minimum, you'll need an Azure Active Directory (AD) account for your organization, and you'll need to be the global administrator for your organization. ms.assetid: 296AAC02-5C79-4999-B221-4F5F8CEA1F12 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store author: TrudyHa --- diff --git a/windows/manage/stop-employees-from-using-the-windows-store.md b/windows/manage/stop-employees-from-using-the-windows-store.md index a8e3f58f0b..dabf676bf5 100644 --- a/windows/manage/stop-employees-from-using-the-windows-store.md +++ b/windows/manage/stop-employees-from-using-the-windows-store.md @@ -2,9 +2,10 @@ title: Configure access to Windows Store (Windows 10) description: IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store. ms.assetid: 7AA60D3D-2A69-45E7-AAB0-B8AFC29C2E97 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store, mobile author: TrudyHa --- diff --git a/windows/manage/troubleshoot-windows-store-for-business.md b/windows/manage/troubleshoot-windows-store-for-business.md index 0c9404bb5a..e2653436b7 100644 --- a/windows/manage/troubleshoot-windows-store-for-business.md +++ b/windows/manage/troubleshoot-windows-store-for-business.md @@ -2,9 +2,10 @@ title: Troubleshoot Windows Store for Business (Windows 10) description: Troubleshooting topics for Windows Store for Business. ms.assetid: 243755A3-9B20-4032-9A77-2207320A242A -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store author: TrudyHa --- 
@@ -31,24 +32,28 @@ The private store for your organization is a page in the Windows Store app that 1. Click the people icon in Windows Store app, and click **Sign in**. - ![](images/wsfb-wsappsignin.png) + ![Sign in to Store app with a different account](images/wsfb-wsappsignin.png) 2. Click **Add account**, and then click **Work or school account**. - ![](images/wsfb-wsappaddacct.png) + ![Choose an account to use](images/wsfb-wsappaddacct.png) 3. Type the email account and password, and click **Sign in**. - ![](images/wsfb-wsappworkacct.png) + ![Sign in for work or school account](images/wsfb-wsappworkacct.png) 4. You should see the private store for your organization. In our example, the page is named **Contoso publishing**. - ![](images/wsfb-wsappprivatestore.png) + ![Private store with name highlighted](images/wsfb-wsappprivatestore.png) Click the private store to see apps in your private store. - ![](images/wsfb-privatestoreapps.png) + ![Private store for Contoso publishing](images/wsfb-privatestoreapps.png) +## Still having trouble? + +If you are still having trouble using WSfB or installing the app, you can get more help on our [Support page](http://go.microsoft.com/fwlink/?LinkID=799757). +     diff --git a/windows/manage/update-windows-store-for-business-account-settings.md b/windows/manage/update-windows-store-for-business-account-settings.md index 0150a4f7e4..2870bbda8a 100644 --- a/windows/manage/update-windows-store-for-business-account-settings.md +++ b/windows/manage/update-windows-store-for-business-account-settings.md @@ -1,9 +1,10 @@ --- title: Update Windows Store for Business account settings (Windows 10) description: The Account information page in Windows Store for Business shows information about your organization that you can update, including country or region, organization name, default domain, and language preference. -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store author: TrudyHa --- 
diff --git a/windows/manage/windows-10-mobile-and-mdm.md b/windows/manage/windows-10-mobile-and-mdm.md index a818238913..3053aedc09 100644 --- a/windows/manage/windows-10-mobile-and-mdm.md +++ b/windows/manage/windows-10-mobile-and-mdm.md @@ -3,10 +3,10 @@ title: Windows 10 Mobile and mobile device management (Windows 10) description: This guide provides an overview of the mobile device and app management technologies in the Windows 10 Mobile operating system. ms.assetid: 6CAA1004-CB65-4FEC-9B84-61AAD2125E5E keywords: telemetry, BYOD, MDM -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: mobile; devices +ms.pagetype: mobile, devices, security author: AMeeus --- @@ -373,6 +373,7 @@ Windows 10 Mobile devices use state-of-the-art technology that includes popular >**Note:**  Some of these hardware restrictions provide connectivity and assist in data protection. Enterprise data protection is currently being tested in select customer evaluation programs.   Table 7. Windows 10 Mobile hardware restrictions + | Setting | Description | |--------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------| | Allow NFC | Whether the NFC radio is enabled | @@ -1058,7 +1059,7 @@ Table 20. Windows 10 Mobile Enterprise update management settings Nonsecurity upgrades deferred -Whether nonsecurity upgrades are deferred (You can defer upgrades up to 8 months.) +Whether nonsecurity upgrades are deferred (You can defer upgrades up to 4 weeks.) Pause update deferrals diff --git a/windows/manage/windows-10-start-layout-options-and-policies.md b/windows/manage/windows-10-start-layout-options-and-policies.md index 5a0c3eadfe..34e40d5095 100644 --- a/windows/manage/windows-10-start-layout-options-and-policies.md +++ b/windows/manage/windows-10-start-layout-options-and-policies.md 
@@ -3,7 +3,7 @@ title: Manage Windows 10 Start layout options (Windows 10) description: Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A keywords: ["start screen", "start menu"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/windows-store-for-business.md b/windows/manage/windows-store-for-business.md index b718c7ace7..d3a4044273 100644 --- a/windows/manage/windows-store-for-business.md +++ b/windows/manage/windows-store-for-business.md @@ -2,9 +2,10 @@ title: Windows Store for Business (Windows 10) description: Welcome to the Windows Store for Business You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization. ms.assetid: 527E611E-4D47-44F0-9422-DCC2D1ACBAB8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store author: TrudyHa --- diff --git a/windows/manage/working-with-line-of-business-apps.md b/windows/manage/working-with-line-of-business-apps.md index 2700a1f83a..f780a06748 100644 --- a/windows/manage/working-with-line-of-business-apps.md +++ b/windows/manage/working-with-line-of-business-apps.md @@ -2,9 +2,10 @@ title: Working with line-of-business apps (Windows 10) description: Your company can make line-of-business (LOB) applications available through Windows Store for Business. These apps are custom to your company – they might be internal business apps, or apps specific to your business or industry. ms.assetid: 95EB7085-335A-447B-84BA-39C26AEB5AC7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: store author: TrudyHa --- diff --git a/windows/plan/TOC.md b/windows/plan/TOC.md index a188d6d0a1..d6212238a6 100644 --- a/windows/plan/TOC.md +++ b/windows/plan/TOC.md 
@@ -7,9 +7,6 @@ ## [Windows Update for Business](windows-update-for-business.md) ### [Setup and deployment](setup-and-deployment.md) ### [Integration with management solutions](integration-with-management-solutions-.md) -## [Guidance for education environments](windows-10-guidance-for-education-environments.md) -### [Chromebook migration guide](chromebook-migration-guide.md) -### [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) ## [Windows To Go: feature overview](windows-to-go-overview.md) ### [Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md) ### [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) diff --git a/windows/plan/chromebook-migration-guide.md b/windows/plan/chromebook-migration-guide.md index 9504345b46..12773fdd7e 100644 --- a/windows/plan/chromebook-migration-guide.md +++ b/windows/plan/chromebook-migration-guide.md @@ -1,6 +1,7 @@ --- title: Chromebook migration guide (Windows 10) description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. +redirect_url: https://technet.microsoft.com/edu/windows/chromebook-migration-guide ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA keywords: migrate, automate, device ms.prod: w10 diff --git a/windows/plan/deploy-windows-10-in-a-school.md b/windows/plan/deploy-windows-10-in-a-school.md index f1ba01d1a5..dd53f66282 100644 --- a/windows/plan/deploy-windows-10-in-a-school.md +++ b/windows/plan/deploy-windows-10-in-a-school.md 
@@ -1,6 +1,7 @@ --- title: Deploy Windows 10 in a school (Windows 10) description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy. +redirect_url: https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school keywords: configure, tools, device, school ms.prod: w10 ms.mktglfcycl: plan diff --git a/windows/plan/deployment-considerations-for-windows-to-go.md b/windows/plan/deployment-considerations-for-windows-to-go.md index da2f4412e7..5ef6884c18 100644 --- a/windows/plan/deployment-considerations-for-windows-to-go.md +++ b/windows/plan/deployment-considerations-for-windows-to-go.md @@ -3,7 +3,7 @@ title: Deployment considerations for Windows To Go (Windows 10) description: Deployment considerations for Windows To Go ms.assetid: dcfc5d96-b96b-44cd-ab65-416b5611c65e keywords: deploy, mobile, device, USB, boot, image, workspace, driver -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.pagetype: mobility ms.sitesec: library diff --git a/windows/plan/index.md b/windows/plan/index.md index a82ad27fb5..e57a04c1cb 100644 --- a/windows/plan/index.md +++ b/windows/plan/index.md 
@@ -21,7 +21,6 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi |[Windows 10 compatibility](windows-10-compatibility.md) |Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. | |[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) |There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. | |[Windows Update for Business](windows-update-for-business.md) |Get an overview of how you can implement and deploy a Windows Update for Business solution and how to maintain enrolled systems. | -|[Guidance for education environments](windows-10-guidance-for-education-environments.md) |Find resources to help you plan your deployment of Windows 10 to desktops, laptops, tablets, and other devices in educational institutions. | |[Windows To Go: feature overview](windows-to-go-overview.md) |Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. | |[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) |The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. | diff --git a/windows/plan/windows-10-guidance-for-education-environments.md b/windows/plan/windows-10-guidance-for-education-environments.md index 599ac55e24..f4ce0e1a32 100644 --- a/windows/plan/windows-10-guidance-for-education-environments.md +++ b/windows/plan/windows-10-guidance-for-education-environments.md 
@@ -1,6 +1,7 @@ --- title: Guidance for education environments (Windows 10) description: Find resources to help you plan your deployment of Windows 10 to desktops, laptops, tablets, and other devices in educational institutions. +redirect_url: https://technet.microsoft.com/edu/windows/index ms.assetid: 225C9D6F-9329-4DDF-B447-6CE7804E314E ms.prod: w10 ms.mktglfcycl: plan diff --git a/windows/whats-new/applocker.md b/windows/whats-new/applocker.md index 355d16bacc..1c14abc6dc 100644 --- a/windows/whats-new/applocker.md +++ b/windows/whats-new/applocker.md @@ -2,7 +2,7 @@ title: What's new in AppLocker (Windows 10) description: AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. ms.assetid: 6F836FF6-7794-4E7B-89AA-1EABA1BF183F -ms.pagetype: security +ms.pagetype: security, mobile ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library diff --git a/windows/whats-new/bitlocker.md b/windows/whats-new/bitlocker.md index 99353d9d7b..4e9d0f7b61 100644 --- a/windows/whats-new/bitlocker.md +++ b/windows/whats-new/bitlocker.md @@ -5,7 +5,7 @@ ms.assetid: 3F2DE365-68A1-4CDB-AB5F-C65574684C7B ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library -ms.pagetype: security +ms.pagetype: security, mobile author: brianlic-msft --- diff --git a/windows/whats-new/device-guard-overview.md b/windows/whats-new/device-guard-overview.md index 669cdadb48..ed8847ee60 100644 --- a/windows/whats-new/device-guard-overview.md +++ b/windows/whats-new/device-guard-overview.md 
@@ -2,7 +2,7 @@ title: Device Guard overview (Windows 10) description: Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. ms.assetid: FFE244EE-5804-4CE8-A2A9-48F49DC3AEF2 -ms.pagetype: security +ms.pagetype: mobile, security keywords: Device Guard ms.prod: w10 ms.mktglfcycl: explore diff --git a/windows/whats-new/edge-ie11-whats-new-overview.md b/windows/whats-new/edge-ie11-whats-new-overview.md index ab7d69d78f..9370b6beb5 100644 --- a/windows/whats-new/edge-ie11-whats-new-overview.md +++ b/windows/whats-new/edge-ie11-whats-new-overview.md @@ -5,6 +5,7 @@ ms.assetid: e986f903-69ad-4145-9d24-0c6d04b3e489 ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: mobile author: eross-msft --- diff --git a/windows/whats-new/edp-whats-new-overview.md b/windows/whats-new/edp-whats-new-overview.md index 696556b54d..cc29c76faa 100644 --- a/windows/whats-new/edp-whats-new-overview.md +++ b/windows/whats-new/edp-whats-new-overview.md @@ -6,7 +6,7 @@ keywords: EDP Overview, EDP ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library -ms.pagetype: security +ms.pagetype: mobile, security author: eross-msft --- diff --git a/windows/whats-new/microsoft-passport.md b/windows/whats-new/microsoft-passport.md index 2c49406384..0165451cb8 100644 --- a/windows/whats-new/microsoft-passport.md +++ b/windows/whats-new/microsoft-passport.md @@ -6,7 +6,7 @@ keywords: password, hello, fingerprint, iris, biometric ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library -ms.pagetype: security +ms.pagetype: mobile, security author: jdeckerMS --- diff --git a/windows/whats-new/new-provisioning-packages.md b/windows/whats-new/new-provisioning-packages.md index 9a0d03ddeb..1cdff3fc09 100644 --- a/windows/whats-new/new-provisioning-packages.md +++ b/windows/whats-new/new-provisioning-packages.md 
@@ -5,6 +5,7 @@ ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: mobile author: jdeckerMS --- diff --git a/windows/whats-new/security-auditing.md b/windows/whats-new/security-auditing.md index 26276b5e0a..15350dc9c4 100644 --- a/windows/whats-new/security-auditing.md +++ b/windows/whats-new/security-auditing.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: brianlic-msft -ms.pagetype: security +ms.pagetype: security, mobile --- # What's new in security auditing? diff --git a/windows/whats-new/trusted-platform-module.md b/windows/whats-new/trusted-platform-module.md index bbf7d88d6b..9937fada56 100644 --- a/windows/whats-new/trusted-platform-module.md +++ b/windows/whats-new/trusted-platform-module.md @@ -5,7 +5,7 @@ ms.assetid: CE8BBC2A-EE2D-4DFA-958E-2A178F2E6C44 ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library -ms.pagetype: security +ms.pagetype: security, mobile author: brianlic-msft --- diff --git a/windows/whats-new/windows-store-for-business-overview.md b/windows/whats-new/windows-store-for-business-overview.md index ca022e0b5d..e1934201c2 100644 --- a/windows/whats-new/windows-store-for-business-overview.md +++ b/windows/whats-new/windows-store-for-business-overview.md @@ -3,7 +3,7 @@ title: Windows Store for Business overview (Windows 10) description: With the new Windows Store for Business, organizations can make volume purchases of Windows apps. ms.assetid: 9DA71F6B-654D-4121-9A40-D473CC654A1C ms.prod: w10 -ms.pagetype: store +ms.pagetype: store, mobile ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa
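Review bot: in the windows-store-for-business private store hunk (`@@ -31,24 +32,28 @@`), the new "Still having trouble?" section is followed by an added line that consists only of non-breaking spaces (`+     `); drop it or make it an ordinary blank line, because non-breaking spaces in Markdown source render as stray whitespace and survive copy and paste unnoticed. In the same section the support link is `http://go.microsoft.com/fwlink/?LinkID=799757`; use the `https://` form so the redirect hop is not fetched over plaintext. The alt text added to the five screenshots in that hunk is a welcome accessibility fix and needs no change.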
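Review bot: in windows-10-mobile-and-mdm.md (`@@ -1058,7 +1059,7 @@`, Table 20) the row labelled "Nonsecurity upgrades deferred" changes its limit from "up to 8 months" to "up to 4 weeks". That is a substantive change to a documented security-relevant limit, not a cosmetic one: confirm the 4-week figure applies to upgrades (the row's subject) rather than to a separate update deferral setting, and add an entry to the relevant change history so readers who planned around the 8-month window see the correction. The blank line added before Table 7 (`@@ -373,6 +373,7 @@`) is needed for the Markdown table to render and is fine.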
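Review bot: the `ms.pagetype` edits across windows/whats-new are inconsistent in value order: applocker.md, bitlocker.md, security-auditing.md and trusted-platform-module.md get `security, mobile`, while device-guard-overview.md, edp-whats-new-overview.md and microsoft-passport.md get `mobile, security`, and windows-10-mobile-and-mdm.md changes its separator from `mobile; devices` to `mobile, devices, security`. If the metadata consumer treats the first value as primary, pick one order (security first for these security topics) and apply it uniformly; also confirm that a comma is the separator the pipeline expects, since the previous value used a semicolon.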
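Review bot: chromebook-migration-guide.md, deploy-windows-10-in-a-school.md and windows-10-guidance-for-education-environments.md each gain a `redirect_url` while their body text and `ms.assetid` stay in place, and the matching rows are removed from windows/plan/TOC.md and windows/plan/index.md. The hunks do not say whether the retained content is meant to be retired; if it is, say so in the front matter or change history, and verify the three targets resolve, noting that the third (`https://technet.microsoft.com/edu/windows/index`) is a landing page rather than a like-for-like topic as the other two are. The `redirect_url` key is also placed at a different position in each file's front matter; put it in the same slot in all three.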
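Review bot: the `ms.prod: W10` to `ms.prod: w10` case normalization is applied incidentally to six files here (update-windows-store-for-business-account-settings.md, windows-10-mobile-and-mdm.md, windows-10-start-layout-options-and-policies.md, windows-store-for-business.md, working-with-line-of-business-apps.md, deployment-considerations-for-windows-to-go.md). If the metadata match is case-sensitive, a repository-wide search for the uppercase form would catch the remaining occurrences in one change instead of fixing them as they are encountered.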