deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-29 05:37:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'main' into metaclient8

Browse Source
This commit is contained in:
Angela Fleischmann 2022-10-25 16:29:34 -06:00 committed by GitHub
commit 0fe90bc7f6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
599 changed files with 1260 additions and 1260 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
View File

@ -1,7 +1,7 @@
---
title: How Windows Hello for Business works (Windows)
description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business.
ms.prod: m365-security
ms.prod: windows-client
ms.localizationpriority: high
author: paolomatarazzo
ms.author: paoloma

4
windows/security/threat-protection/auditing/event-4671.md
View File

@ -2,7 +2,7 @@
title: 4671(-) An application attempted to access a blocked ordinal through the TBS. (Windows 10)
description: Describes security event 4671(-) An application attempted to access a blocked ordinal through the TBS.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4671(-): An application attempted to access a blocked ordinal through the TBS.

4
windows/security/threat-protection/auditing/event-4672.md
View File

@ -2,7 +2,7 @@
title: 4672(S) Special privileges assigned to new logon. (Windows 10)
description: Describes security event 4672(S) Special privileges assigned to new logon.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4672(S): Special privileges assigned to new logon.

4
windows/security/threat-protection/auditing/event-4673.md
View File

@ -2,7 +2,7 @@
title: 4673(S, F) A privileged service was called. (Windows 10)
description: Describes security event 4673(S, F) A privileged service was called. This event is generated for an attempt to perform privileged system service operations.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4673(S, F): A privileged service was called.

4
windows/security/threat-protection/auditing/event-4674.md
View File

@ -2,7 +2,7 @@
title: 4674(S, F) An operation was attempted on a privileged object. (Windows 10)
description: Describes security event 4674(S, F) An operation was attempted on a privileged object.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4674(S, F): An operation was attempted on a privileged object.

4
windows/security/threat-protection/auditing/event-4675.md
View File

@ -2,7 +2,7 @@
title: 4675(S) SIDs were filtered. (Windows 10)
description: Describes security event 4675(S) SIDs were filtered. This event is generated when SIDs were filtered for a specific Active Directory trust.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4675(S): SIDs were filtered.

4
windows/security/threat-protection/auditing/event-4688.md
View File

@ -2,7 +2,7 @@
title: 4688(S) A new process has been created. (Windows 10)
description: Describes security event 4688(S) A new process has been created. This event is generated when a new process starts.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 01/24/2022
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4688(S): A new process has been created.

4
windows/security/threat-protection/auditing/event-4689.md
View File

@ -2,7 +2,7 @@
title: 4689(S) A process has exited. (Windows 10)
description: Describes security event 4689(S) A process has exited. This event is generates when a process exits.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4689(S): A process has exited.

4
windows/security/threat-protection/auditing/event-4690.md
View File

@ -2,7 +2,7 @@
title: 4690(S) An attempt was made to duplicate a handle to an object. (Windows 10)
description: Describes security event 4690(S) An attempt was made to duplicate a handle to an object.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4690(S): An attempt was made to duplicate a handle to an object.

4
windows/security/threat-protection/auditing/event-4691.md
View File

@ -2,7 +2,7 @@
title: 4691(S) Indirect access to an object was requested. (Windows 10)
description: Describes security event 4691(S) Indirect access to an object was requested.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4691(S): Indirect access to an object was requested.

4
windows/security/threat-protection/auditing/event-4692.md
View File

@ -2,7 +2,7 @@
title: 4692(S, F) Backup of data protection master key was attempted. (Windows 10)
description: Describes security event 4692(S, F) Backup of data protection master key was attempted.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4692(S, F): Backup of data protection master key was attempted.

16
windows/security/threat-protection/auditing/event-4693.md
View File

@ -2,7 +2,7 @@
title: 4693(S, F) Recovery of data protection master key was attempted. (Windows 10)
description: Describes security event 4693(S, F) Recovery of data protection master key was attempted.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4693(S, F): Recovery of data protection master key was attempted.
@ -25,7 +25,7 @@ ms.technology: windows-sec
This event generates every time that recovery is attempted for a [DPAPI](/previous-versions/ms995355(v=msdn.10)) Master Key.
While unprotecting data, if DPAPI cannot use the Master Key protected by the user's password, it sends the backup Master Key to a domain controller by using a mutually authenticated and privacy protected RPC call. The domain controller then decrypts the Master Key with its private key and sends it back to the client by using the same protected RPC call. This protected RPC call is used to ensure that no one listening on the network can get the Master Key.
While unprotecting data, if DPAPI can't use the Master Key protected by the user's password, it sends the backup Master Key to a domain controller by using a mutually authenticated and privacy protected RPC call. The domain controller then decrypts the Master Key with its private key and sends it back to the client by using the same protected RPC call. This protected RPC call is used to ensure that no one listening on the network can get the Master Key.
This event generates on domain controllers, member servers, and workstations.
@ -79,9 +79,9 @@ Failure event generates when a Master Key restore operation fails for some reaso
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested the “recover” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “recover” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it can't ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “recover” operation.
@ -101,13 +101,13 @@ Failure event generates when a Master Key restore operation fails for some reaso
**Key Information:**
- **Key Identifier** \[Type = UnicodeString\]**:** unique identifier of a master key which was recovered. The Master Key is used, with some additional data, to generate an actual symmetric session key to encrypt\\decrypt the data using DPAPI. All of user's Master Keys are located in user profile -> %APPDATA%\\Roaming\\Microsoft\\Windows\\Protect\\%SID% folder. The name of every Master Key file is its ID.
- **Key Identifier** \[Type = UnicodeString\]**:** unique identifier of a master key which was recovered. The Master Key is used, with some additional data, to generate an actual symmetric session key to encrypt\\decrypt the data using DPAPI. All of user's Master Keys are located in user profile -> %APPDATA%\\Roaming\\Microsoft\\Windows\\Protect\\%SID% folder. The name of every Master Key file is its ID.
- **Recovery Server** \[Type = UnicodeString\]: the name (typically DNS name) of the computer that you contacted to recover your Master Key. For domain joined machines, its typically a name of a domain controller.
> **Note**  In this event Recovery Server field contains information from Recovery Reason field.
- **Recovery Key ID** \[Type = UnicodeString\]**:** unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when first Master Key is generated. First, DPAPI generates a RSA public/private key pair, which is the recovery key. In this field you will see unique Recovery key ID which was used for Master key recovery operation. This parameter might not be captured in the event, and in that case will be empty.
- **Recovery Key ID** \[Type = UnicodeString\]**:** unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when first Master Key is generated. First, DPAPI generates an RSA public/private key pair, which is the recovery key. In this field you'll see unique Recovery key ID which was used for Master key recovery operation. This parameter might not be captured in the event, and in that case will be empty.
- **Recovery Reason** \[Type = HexInt32\]: hexadecimal code of recovery reason.
@ -121,7 +121,7 @@ Failure event generates when a Master Key restore operation fails for some reaso
For 4693(S, F): Recovery of data protection master key was attempted.
- This event is typically an informational event and it is difficult to detect any malicious activity using this event. Its mainly used for DPAPI troubleshooting.
- This event is typically an informational event and it's difficult to detect any malicious activity using this event. Its mainly used for DPAPI troubleshooting.
- For domain joined computers, **Recovery Reason** should typically be a domain controller DNS name.

4
windows/security/threat-protection/auditing/event-4694.md
View File

@ -2,7 +2,7 @@
title: 4694(S, F) Protection of auditable protected data was attempted. (Windows 10)
description: Describes security event 4694(S, F) Protection of auditable protected data was attempted.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4694(S, F): Protection of auditable protected data was attempted.

4
windows/security/threat-protection/auditing/event-4695.md
View File

@ -2,7 +2,7 @@
title: 4695(S, F) Unprotection of auditable protected data was attempted. (Windows 10)
description: Describes security event 4695(S, F) Unprotection of auditable protected data was attempted.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4695(S, F): Unprotection of auditable protected data was attempted.

4
windows/security/threat-protection/auditing/event-4696.md
View File

@ -2,7 +2,7 @@
title: 4696(S) A primary token was assigned to process. (Windows 10)
description: Describes security event 4696(S) A primary token was assigned to process.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4696(S): A primary token was assigned to process.

4
windows/security/threat-protection/auditing/event-4697.md
View File

@ -2,7 +2,7 @@
title: 4697(S) A service was installed in the system. (Windows 10)
description: Describes security event 4697(S) A service was installed in the system.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4697(S): A service was installed in the system.

4
windows/security/threat-protection/auditing/event-4698.md
View File

@ -2,7 +2,7 @@
title: 4698(S) A scheduled task was created. (Windows 10)
description: Describes security event 4698(S) A scheduled task was created. This event is generated when a scheduled task is created.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4698(S): A scheduled task was created.

4
windows/security/threat-protection/auditing/event-4699.md
View File

@ -2,7 +2,7 @@
title: 4699(S) A scheduled task was deleted. (Windows 10)
description: Describes security event 4699(S) A scheduled task was deleted. This event is generated every time a scheduled task is deleted.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4699(S): A scheduled task was deleted.

4
windows/security/threat-protection/auditing/event-4700.md
View File

@ -2,7 +2,7 @@
title: 4700(S) A scheduled task was enabled. (Windows 10)
description: Describes security event 4700(S) A scheduled task was enabled. This event is generated every time a scheduled task is enabled.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4700(S): A scheduled task was enabled.

4
windows/security/threat-protection/auditing/event-4701.md
View File

@ -2,7 +2,7 @@
title: 4701(S) A scheduled task was disabled. (Windows 10)
description: Describes security event 4701(S) A scheduled task was disabled. This event is generated every time a scheduled task is disabled.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4701(S): A scheduled task was disabled.

4
windows/security/threat-protection/auditing/event-4702.md
View File

@ -2,7 +2,7 @@
title: 4702(S) A scheduled task was updated. (Windows 10)
description: Describes security event 4702(S) A scheduled task was updated. This event is generated when a scheduled task is updated/changed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4702(S): A scheduled task was updated.

4
windows/security/threat-protection/auditing/event-4703.md
View File

@ -2,7 +2,7 @@
title: 4703(S) A user right was adjusted. (Windows 10)
description: Describes security event 4703(S) A user right was adjusted. This event is generated when token privileges are enabled or disabled for a specific account.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4703(S): A user right was adjusted.

4
windows/security/threat-protection/auditing/event-4704.md
View File

@ -2,7 +2,7 @@
title: 4704(S) A user right was assigned. (Windows 10)
description: Describes security event 4704(S) A user right was assigned. This event is generated when a user right is assigned to an account.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4704(S): A user right was assigned.

4
windows/security/threat-protection/auditing/event-4705.md
View File

@ -2,7 +2,7 @@
title: 4705(S) A user right was removed. (Windows 10)
description: Describes security event 4705(S) A user right was removed. This event is generated when a user right is removed from an account.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4705(S): A user right was removed.

4
windows/security/threat-protection/auditing/event-4706.md
View File

@ -2,7 +2,7 @@
title: 4706(S) A new trust was created to a domain. (Windows 10)
description: Describes security event 4706(S) A new trust was created to a domain. This event is generated when a new trust is created for a domain.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4706(S): A new trust was created to a domain.

4
windows/security/threat-protection/auditing/event-4707.md
View File

@ -2,7 +2,7 @@
title: 4707(S) A trust to a domain was removed. (Windows 10)
description: Describes security event 4707(S) A trust to a domain was removed. This event is generated when a domain trust is removed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4707(S): A trust to a domain was removed.

4
windows/security/threat-protection/auditing/event-4713.md
View File

@ -2,7 +2,7 @@
title: 4713(S) Kerberos policy was changed. (Windows 10)
description: Describes security event 4713(S) Kerberos policy was changed. This event is generated when Kerberos policy is changed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4713(S): Kerberos policy was changed.

4
windows/security/threat-protection/auditing/event-4714.md
View File

@ -2,7 +2,7 @@
title: 4714(S) Encrypted data recovery policy was changed. (Windows 10)
description: Describes security event 4714(S) Encrypted data recovery policy was changed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4714(S): Encrypted data recovery policy was changed.

4
windows/security/threat-protection/auditing/event-4715.md
View File

@ -2,7 +2,7 @@
title: 4715(S) The audit policy (SACL) on an object was changed. (Windows 10)
description: Describes security event 4715(S) The audit policy (SACL) on an object was changed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4715(S): The audit policy (SACL) on an object was changed.

4
windows/security/threat-protection/auditing/event-4716.md
View File

@ -2,7 +2,7 @@
title: 4716(S) Trusted domain information was modified. (Windows 10)
description: Describes security event 4716(S) Trusted domain information was modified.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4716(S): Trusted domain information was modified.

4
windows/security/threat-protection/auditing/event-4717.md
View File

@ -2,7 +2,7 @@
title: 4717(S) System security access was granted to an account. (Windows 10)
description: Describes security event 4717(S) System security access was granted to an account.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4717(S): System security access was granted to an account.

4
windows/security/threat-protection/auditing/event-4718.md
View File

@ -2,7 +2,7 @@
title: 4718(S) System security access was removed from an account. (Windows 10)
description: Describes security event 4718(S) System security access was removed from an account.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4718(S): System security access was removed from an account.

4
windows/security/threat-protection/auditing/event-4719.md
View File

@ -2,7 +2,7 @@
title: 4719(S) System audit policy was changed. (Windows 10)
description: Describes security event 4719(S) System audit policy was changed. This event is generated when the computer audit policy changes.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4719(S): System audit policy was changed.

4
windows/security/threat-protection/auditing/event-4720.md
View File

@ -2,7 +2,7 @@
title: 4720(S) A user account was created. (Windows 10)
description: Describes security event 4720(S) A user account was created. This event is generated a user object is created.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4720(S): A user account was created.

4
windows/security/threat-protection/auditing/event-4722.md
View File

@ -2,7 +2,7 @@
title: 4722(S) A user account was enabled. (Windows 10)
description: Describes security event 4722(S) A user account was enabled. This event is generated when a user or computer object is enabled.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4722(S): A user account was enabled.

4
windows/security/threat-protection/auditing/event-4723.md
View File

@ -2,7 +2,7 @@
title: 4723(S, F) An attempt was made to change an account's password. (Windows 10)
description: Describes security event 4723(S, F) An attempt was made to change an account's password.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4723(S, F): An attempt was made to change an account's password.

4
windows/security/threat-protection/auditing/event-4724.md
View File

@ -2,7 +2,7 @@
title: 4724(S, F) An attempt was made to reset an account's password. (Windows 10)
description: Describes security event 4724(S, F) An attempt was made to reset an account's password.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4724(S, F): An attempt was made to reset an account's password.

4
windows/security/threat-protection/auditing/event-4725.md
View File

@ -2,7 +2,7 @@
title: 4725(S) A user account was disabled. (Windows 10)
description: Describes security event 4725(S) A user account was disabled. This event is generated when a user or computer object is disabled.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4725(S): A user account was disabled.

4
windows/security/threat-protection/auditing/event-4726.md
View File

@ -2,7 +2,7 @@
title: 4726(S) A user account was deleted. (Windows 10)
description: Describes security event 4726(S) A user account was deleted. This event is generated when a user object is deleted.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4726(S): A user account was deleted.

4
windows/security/threat-protection/auditing/event-4731.md
View File

@ -2,7 +2,7 @@
title: 4731(S) A security-enabled local group was created. (Windows 10)
description: Describes security event 4731(S) A security-enabled local group was created.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4731(S): A security-enabled local group was created.

4
windows/security/threat-protection/auditing/event-4732.md
View File

@ -2,7 +2,7 @@
title: 4732(S) A member was added to a security-enabled local group. (Windows 10)
description: Describes security event 4732(S) A member was added to a security-enabled local group.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4732(S): A member was added to a security-enabled local group.

4
windows/security/threat-protection/auditing/event-4733.md
View File

@ -2,7 +2,7 @@
title: 4733(S) A member was removed from a security-enabled local group. (Windows 10)
description: Describes security event 4733(S) A member was removed from a security-enabled local group.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4733(S): A member was removed from a security-enabled local group.

4
windows/security/threat-protection/auditing/event-4734.md
View File

@ -2,7 +2,7 @@
title: 4734(S) A security-enabled local group was deleted. (Windows 10)
description: Describes security event 4734(S) A security-enabled local group was deleted.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4734(S): A security-enabled local group was deleted.

4
windows/security/threat-protection/auditing/event-4735.md
View File

@ -2,7 +2,7 @@
title: 4735(S) A security-enabled local group was changed. (Windows 10)
description: Describes security event 4735(S) A security-enabled local group was changed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4735(S): A security-enabled local group was changed.

4
windows/security/threat-protection/auditing/event-4738.md
View File

@ -2,7 +2,7 @@
title: 4738(S) A user account was changed. (Windows 10)
description: Describes security event 4738(S) A user account was changed. This event is generated when a user object is changed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4738(S): A user account was changed.

4
windows/security/threat-protection/auditing/event-4739.md
View File

@ -2,7 +2,7 @@
title: 4739(S) Domain Policy was changed. (Windows 10)
description: Describes security event 4739(S) Domain Policy was changed. This event is generated when certain changes are made to the local computer security policy.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4739(S): Domain Policy was changed.

4
windows/security/threat-protection/auditing/event-4740.md
View File

@ -2,7 +2,7 @@
title: 4740(S) A user account was locked out. (Windows 10)
description: Describes security event 4740(S) A user account was locked out. This event is generated every time a user account is locked out.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4740(S): A user account was locked out.

4
windows/security/threat-protection/auditing/event-4741.md
View File

@ -2,7 +2,7 @@
title: 4741(S) A computer account was created. (Windows 10)
description: Describes security event 4741(S) A computer account was created. This event is generated every time a computer object is created.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4741(S): A computer account was created.

4
windows/security/threat-protection/auditing/event-4742.md
View File

@ -2,7 +2,7 @@
title: 4742(S) A computer account was changed. (Windows 10)
description: Describes security event 4742(S) A computer account was changed. This event is generated every time a computer object is changed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4742(S): A computer account was changed.

4
windows/security/threat-protection/auditing/event-4743.md
View File

@ -2,7 +2,7 @@
title: 4743(S) A computer account was deleted. (Windows 10)
description: Describes security event 4743(S) A computer account was deleted. This event is generated every time a computer object is deleted.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4743(S): A computer account was deleted.

4
windows/security/threat-protection/auditing/event-4749.md
View File

@ -2,7 +2,7 @@
title: 4749(S) A security-disabled global group was created. (Windows 10)
description: Describes security event 4749(S) A security-disabled global group was created.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4749(S): A security-disabled global group was created.

4
windows/security/threat-protection/auditing/event-4750.md
View File

@ -2,7 +2,7 @@
title: 4750(S) A security-disabled global group was changed. (Windows 10)
description: Describes security event 4750(S) A security-disabled global group was changed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4750(S): A security-disabled global group was changed.

4
windows/security/threat-protection/auditing/event-4751.md
View File

@ -2,7 +2,7 @@
title: 4751(S) A member was added to a security-disabled global group. (Windows 10)
description: Describes security event 4751(S) A member was added to a security-disabled global group.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4751(S): A member was added to a security-disabled global group.

4
windows/security/threat-protection/auditing/event-4752.md
View File

@ -2,7 +2,7 @@
title: 4752(S) A member was removed from a security-disabled global group. (Windows 10)
description: Describes security event 4752(S) A member was removed from a security-disabled global group.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4752(S): A member was removed from a security-disabled global group.

4
windows/security/threat-protection/auditing/event-4753.md
View File

@ -2,7 +2,7 @@
title: 4753(S) A security-disabled global group was deleted. (Windows 10)
description: Describes security event 4753(S) A security-disabled global group was deleted.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4753(S): A security-disabled global group was deleted.

4
windows/security/threat-protection/auditing/event-4764.md
View File

@ -2,7 +2,7 @@
title: 4764(S) A group's type was changed. (Windows 10)
description: Describes security event 4764(S) A group's type was changed. This event is generated when the type of a group is changed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4764(S): A groups type was changed.

4
windows/security/threat-protection/auditing/event-4765.md
View File

@ -2,7 +2,7 @@
title: 4765(S) SID History was added to an account. (Windows 10)
description: Describes security event 4765(S) SID History was added to an account. This event is generated when SID History is added to an account.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4765(S): SID History was added to an account.

4
windows/security/threat-protection/auditing/event-4766.md
View File

@ -2,7 +2,7 @@
title: 4766(F) An attempt to add SID History to an account failed. (Windows 10)
description: Describes security event 4766(F) An attempt to add SID History to an account failed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4766(F): An attempt to add SID History to an account failed.

4
windows/security/threat-protection/auditing/event-4767.md
View File

@ -2,7 +2,7 @@
title: 4767(S) A user account was unlocked. (Windows 10)
description: Describes security event 4767(S) A user account was unlocked. This event is generated every time a user account is unlocked.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4767(S): A user account was unlocked.

26
windows/security/threat-protection/auditing/event-4768.md
View File

@ -2,7 +2,7 @@
title: 4768(S, F) A Kerberos authentication ticket (TGT) was requested. (Windows 10)
description: Describes security event 4768(S, F) A Kerberos authentication ticket (TGT) was requested.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 10/20/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4768(S, F): A Kerberos authentication ticket (TGT) was requested.
@ -180,11 +180,11 @@ The most common values:
| 14 | Request-anonymous | KILE not use this flag. |
| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. |
| 16-25 | Unused | - |
| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor<br>the DISABLE-TRANSITED-CHECK option.<br>Should not be in use, because Transited-policy-checked flag is not supported by KILE. |
| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor<br>the DISABLE-TRANSITED-CHECK option.<br>Should not be in use, because Transited-policy-checked flag isn't supported by KILE. |
| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. |
| 28 | Enc-tkt-in-skey | No information. |
| 29 | Unused | - |
| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header. |
| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header. |
| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE. |
## Table 2. Kerberos ticket flags
@ -209,7 +209,7 @@ The most common values:
| 0xA | KDC\_ERR\_CANNOT\_POSTDATE | Ticket (TGT) not eligible for postdating | This error can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a tickets start time be set into the future.<br>It also can occur if there is a time difference between the client and the KDC. |
| 0xB | KDC\_ERR\_NEVER\_VALID | Requested start time is later than end time | There is a time difference between the KDC and the client. |
| 0xC | KDC\_ERR\_POLICY | Requested start time is later than end time | This error is usually the result of logon restrictions in place on a users account. For example workstation restriction, smart card authentication requirement or logon time restriction. |
| 0xD | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | Impending expiration of a TGT.<br>The SPN to which the client is attempting to delegate credentials is not in its Allowed-to-delegate-to list |
| 0xD | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | Impending expiration of a TGT.<br>The SPN to which the client is attempting to delegate credentials isn't in its Allowed-to-delegate-to list |
| 0xE | KDC\_ERR\_ETYPE\_NOTSUPP | KDC has no support for encryption type | In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. |
| 0xF | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | The KDC, server, or client receives a packet for which it does not have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket. |
| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted.<br>It can also happen when a domain controller doesnt have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).<br>This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. |
@ -226,7 +226,7 @@ The most common values:
| 0x1D | KDC\_ERR\_SVC\_UNAVAILABLE | KDC is unavailable | No information. |
| 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | The authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise. |
| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message. |
| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized.<br>If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. |
| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | The ticket is not yet valid | The ticket presented to the server isn't yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized.<br>If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. |
| 0x22 | KRB\_AP\_ERR\_REPEAT | The request is a replay | This error indicates that a specific authenticator showed up twice — the KDC has detected that this session ticket duplicates one that it has already received. |
| 0x23 | KRB\_AP\_ERR\_NOT\_US | The ticket is not for us | The server has received a ticket that was meant for a different realm. |
| 0x24 | KRB\_AP\_ERR\_BADMATCH | The ticket and authenticator do not match | The KRB\_TGS\_REQ is being sent to the wrong KDC.<br>There is an account mismatch during protocol transition. |
@ -236,18 +236,18 @@ The most common values:
| 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Message type is unsupported | This message is generated when target server finds that message format is wrong. This applies to KRB\_AP\_REQ, KRB\_SAFE, KRB\_PRIV and KRB\_CRED messages. <br>This error also generated if use of UDP protocol is being attempted with User-to-User authentication. |
| 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified and checksum didn't match | The authentication data was encrypted with the wrong key for the intended server.<br>The authentication data was modified in transit by a hardware or software error, or by an attacker.<br>The client sent the authentication data to the wrong server because incorrect DNS data caused the client to send the request to the wrong server.<br>The client sent the authentication data to the wrong server because DNS data was out-of-date on the client. |
| 0x2A | KRB\_AP\_ERR\_BADORDER | Message out of order (possible tampering) | This event generates for KRB\_SAFE and KRB\_PRIV messages if an incorrect sequence number is included, or if a sequence number is expected but not present. See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details. |
| 0x2C | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. If the key version indicated by the Ticket in the KRB\_AP\_REQ is not one the server can use (e.g., it indicates an old key, and the server no longer possesses a copy of the old key), the KRB\_AP\_ERR\_BADKEYVER error is returned. |
| 0x2C | KRB\_AP\_ERR\_BADKEYVER | Specified version of key isn't available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. If the key version indicated by the Ticket in the KRB\_AP\_REQ isn't one the server can use (e.g., it indicates an old key, and the server no longer possesses a copy of the old key), the KRB\_AP\_ERR\_BADKEYVER error is returned. |
| 0x2D | KRB\_AP\_ERR\_NOKEY | Service key not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. Because it is possible for the server to be registered in multiple realms, with different keys in each, the realm field in the unencrypted portion of the ticket in the KRB\_AP\_REQ is used to specify which secret key the server should use to decrypt that ticket. The KRB\_AP\_ERR\_NOKEY error code is returned if the server doesn't have the proper key to decipher the ticket. |
| 0x2E | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed | No information. |
| 0x2F | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction | No information. |
| 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required | According [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) this error message is obsolete. |
| 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required | According to [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) this error message is obsolete. |
| 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message | No information. |
| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) | When KDC receives KRB\_TGS\_REQ message it decrypts it, and after that, the user-supplied checksum in the Authenticator MUST be verified against the contents of the request. The message MUST be rejected either if the checksums do not match (with an error code of KRB\_AP\_ERR\_MODIFIED) or if the checksum is not collision-proof (with an error code of KRB\_AP\_ERR\_INAPP\_CKSUM). |
| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) | When KDC receives KRB\_TGS\_REQ message it decrypts it, and after that, the user-supplied checksum in the Authenticator MUST be verified against the contents of the request. The message MUST be rejected either if the checksums do not match (with an error code of KRB\_AP\_ERR\_MODIFIED) or if the checksum isn't collision-proof (with an error code of KRB\_AP\_ERR\_INAPP\_CKSUM). |
| 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Desired path is unreachable | No information. |
| 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Too much data | The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails. |
| 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.<br>Multiple recent password changes have not propagated.<br>Crypto subsystem error caused by running out of memory.<br>SPN too long.<br>SPN has too many parts. |
| 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | Each request (KRB\_KDC\_REQ) and response (KRB\_KDC\_REP or KRB\_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that does not understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB\_ERR\_FIELD\_TOOLONG and MUST close the TCP stream. |
| 0x3E | KDC\_ERR\_CLIENT\_NOT\_TRUSTED | The client trust failed or is not implemented | This typically happens when users smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) is not trusted by the domain controller. |
| 0x3E | KDC\_ERR\_CLIENT\_NOT\_TRUSTED | The client trust failed or isn't implemented | This typically happens when users smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) isn't trusted by the domain controller. |
| 0x3F | KDC\_ERR\_KDC\_NOT\_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client does not possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC\_ERR\_KDC\_NOT\_TRUSTED. See [RFC1510](https://www.ietf.org/proceedings/50/I-D/cat-kerberos-pk-init-13.txt) for more details. |
| 0x40 | KDC\_ERR\_INVALID\_SIG | The signature is invalid | This error is related to PKINIT. If a PKI trust relationship exists, the KDC then verifies the client's signature on AuthPack (TGT request signature). If that fails, the KDC returns an error message of type KDC\_ERR\_INVALID\_SIG. |
| 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | A higher encryption level is needed | If the clientPublicValue field is filled in, indicating that the client wishes to use Diffie-Hellman key agreement, then the KDC checks to see that the parameters satisfy its policy. If they do not (e.g., the prime size is insufficient for the expected encryption type), then the KDC sends back an error message of type KDC\_ERR\_KEY\_TOO\_WEAK. |
@ -317,11 +317,11 @@ For 4768(S, F): A Kerberos authentication ticket (TGT) was requested.
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Supplied Realm Name”** corresponding to another domain or “external” location. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**User ID”** for names that dont comply with naming conventions. |
- You can track all [4768](event-4768.md) events where the **Client Address** is not from your internal IP address range or not from private IP address ranges.
- You can track all [4768](event-4768.md) events where the **Client Address** isn't from your internal IP address range or not from private IP address ranges.
- If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4768](event-4768.md) events. If **Client Address** is not from the allowlist, generate the alert.
- If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4768](event-4768.md) events. If **Client Address** isn't from the allowlist, generate the alert.
- All **Client Address** = ::1 means local authentication. If you know the list of accounts which should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = ::1 and **Account Name** is not allowed to log on to any domain controller.
- All **Client Address** = `::1` means local authentication. If you know the list of accounts which should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = `::1` and **Account Name** isn't allowed to log on to any domain controller.
- All [4768](event-4768.md) events with **Client Port** field value &gt; 0 and &lt; 1024 should be examined, because a well-known port was used for outbound connection.

72
windows/security/threat-protection/auditing/event-4769.md
View File

@ -2,7 +2,7 @@
title: 4769(S, F) A Kerberos service ticket was requested. (Windows 10)
description: Describes security event 4769(S, F) A Kerberos service ticket was requested.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4769(S, F): A Kerberos service ticket was requested.
@ -27,9 +27,9 @@ This event generates every time Key Distribution Center gets a Kerberos Ticket G
This event generates only on domain controllers.
If TGS issue fails then you will see Failure event with **Failure Code** field not equal to “**0x0**”.
If TGS issue fails then you'll see Failure event with **Failure Code** field not equal to “**0x0**”.
You will typically see many Failure events with **Failure Code** “**0x20**”, which simply means that a TGS ticket has expired. These are informational messages and have little to no security relevance.
You'll typically see many Failure events with **Failure Code** “**0x20**”, which simply means that a TGS ticket has expired. These are informational messages and have little to no security relevance.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@ -86,7 +86,7 @@ You will typically see many Failure events with **Failure Code** “**0x20**”,
- Computer account example: WIN81$@CONTOSO.LOCAL
> **Note** Although this field is in the UPN format, this is not the attribute value of "UserPrincipalName" of the user account. It is the "normalized" name or implicit UPN. It is built from the user SamAccountName and the Active Directory domain name.
> **Note** Although this field is in the UPN format, this isn't the attribute value of "UserPrincipalName" of the user account. It is the "normalized" name or implicit UPN. It is built from the user SamAccountName and the Active Directory domain name.
This parameter in this event is optional and can be empty in some cases.
@ -112,11 +112,11 @@ You will typically see many Failure events with **Failure Code** “**0x20**”,
- This parameter in this event is optional and can be empty in some cases.
- **Service ID** \[Type = SID\]**:** SID of the account or computer object for which the TGS ticket was requested. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
- **Service ID** \[Type = SID\]**:** SID of the account or computer object for which the TGS ticket was requested. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
- **NULL SID** this value shows in Failure events.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it can't ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
**Network Information:**
@ -173,12 +173,12 @@ The most common values:
| 14 | Request-anonymous | KILE not use this flag. |
| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the “canonicalize” KDC option for the AS-REQ or TGS-REQ. |
| 16-25 | Unused | - |
| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor<br>the DISABLE-TRANSITED-CHECK option.<br>Should not be in use, because Transited-policy-checked flag is not supported by KILE. |
| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. |
| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor<br>the DISABLE-TRANSITED-CHECK option.<br>Should not be in use, because Transited-policy-checked flag isn't supported by KILE. |
| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life can't otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. |
| 28 | Enc-tkt-in-skey | No information. |
| 29 | Unused | - |
| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header. |
| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE. <span id="kerberos-encryption-types" /> |
| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field hasn't passed. The ticket to be renewed is passed in the padata field as part of the authentication header. |
| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Shouldn't be in use, because postdated tickets aren't supported by KILE. <span id="kerberos-encryption-types" /> |
| ## Table 4. Kerberos encryption types | | |
- **Ticket Encryption Type**: \[Type = HexInt32\]: the cryptographic suite that was used for issued TGS.
@ -204,56 +204,56 @@ The most common values:
| 0x4 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key | No information. |
| 0x5 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key | No information. |
| 0x6 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database | The username doesnt exist. |
| 0x7 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database | This error can occur if the domain controller cannot find the servers name in Active Directory. This error is similar to KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN except that it occurs when the server name cannot be found. |
| 0x7 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database | This error can occur if the domain controller can't find the servers name in Active Directory. This error is similar to KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN except that it occurs when the server name can't be found. |
| 0x8 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in KDC database | This error occurs if duplicate principal names exist. Unique principal names are crucial for ensuring mutual authentication. Thus, duplicate principal names are strictly forbidden, even across multiple realms. Without unique principal names, the client has no way of ensuring that the server it is communicating with is the correct one. |
| 0x9 | KDC\_ERR\_NULL\_KEY | The client or server has a null key (master key) | No master key was found for client or server. Usually it means that administrator should reset the password on the account. |
| 0xA | KDC\_ERR\_CANNOT\_POSTDATE | Ticket (TGT) not eligible for postdating | This error can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a tickets start time be set into the future.<br>It also can occur if there is a time difference between the client and the KDC. |
| 0xB | KDC\_ERR\_NEVER\_VALID | Requested start time is later than end time | There is a time difference between the KDC and the client. |
| 0xB | KDC\_ERR\_NEVER\_VALID | Requested start time is later than end time | There's a time difference between the KDC and the client. |
| 0xC | KDC\_ERR\_POLICY | Requested start time is later than end time | This error is usually the result of logon restrictions in place on a users account. For example workstation restriction, smart card authentication requirement or logon time restriction. |
| 0xD | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | Impending expiration of a TGT.<br>The SPN to which the client is attempting to delegate credentials is not in its Allowed-to-delegate-to list |
| 0xE | KDC\_ERR\_ETYPE\_NOTSUPP | KDC has no support for encryption type | In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. |
| 0xF | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | The KDC, server, or client receives a packet for which it does not have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket. |
| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted.<br>It can also happen when a domain controller doesnt have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).<br>This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. |
| 0xD | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | Impending expiration of a TGT.<br>The SPN to which the client is attempting to delegate credentials isn't in its Allowed-to-delegate-to list |
| 0xE | KDC\_ERR\_ETYPE\_NOTSUPP | KDC has no support for encryption type | In general, this error occurs when the KDC or a client receives a packet that it can't decrypt. |
| 0xF | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | The KDC, server, or client receives a packet for which it doesn't have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket. |
| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate can't be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA can't be contacted.<br>It can also happen when a domain controller doesnt have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).<br>This error code can't occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. |
| 0x11 | KDC\_ERR\_TRTYPE\_NO\_SUPP | KDC has no support for transited type | No information. |
| 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Clients credentials have been revoked | This might be because of an explicit disabling or because of other restrictions in place on the account. For example: account disabled, expired, or locked out. |
| 0x13 | KDC\_ERR\_SERVICE\_REVOKED | Credentials for server have been revoked | No information. |
| 0x14 | KDC\_ERR\_TGT\_REVOKED | TGT has been revoked | Since the remote KDC may change its PKCROSS key while there are PKCROSS tickets still active, it SHOULD cache the old PKCROSS keys until the last issued PKCROSS ticket expires. Otherwise, the remote KDC will respond to a client with a KRB-ERROR message of type KDC\_ERR\_TGT\_REVOKED. See [RFC1510](https://www.ietf.org/proceedings/49/I-D/draft-ietf-cat-kerberos-pk-cross-07.txt) for more details. |
| 0x15 | KDC\_ERR\_CLIENT\_NOTYET | Client not yet valid—try again later | No information. |
| 0x16 | KDC\_ERR\_SERVICE\_NOTYET | Server not yet valid—try again later | No information. |
| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The users password has expired.<br>This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. |
| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided.<br>This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. |
| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB\_AS\_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way. |
| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The users password has expired.<br>This error code can't occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. |
| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided.<br>This error code can't occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. |
| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients don't request pre-authentication when they send a KRB\_AS\_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way. |
| 0x1A | KDC\_ERR\_SERVER\_NOMATCH | KDC does not know about the requested server | No information. |
| 0x1B | KDC\_ERR\_MUST\_USE\_USER2USER | Server principal valid for user2user only | This error occurs because the service is missing an SPN. |
| 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | The authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise. |
| 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | The authenticator was encrypted with something other than the session key. The result is that the client can't decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise. |
| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message. |
| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized.<br>If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. |
| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | The ticket is not yet valid | The ticket presented to the server isn't yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client aren't synchronized.<br>If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. |
| 0x22 | KRB\_AP\_ERR\_REPEAT | The request is a replay | This error indicates that a specific authenticator showed up twice — the KDC has detected that this session ticket duplicates one that it has already received. |
| 0x23 | KRB\_AP\_ERR\_NOT\_US | The ticket is not for us | The server has received a ticket that was meant for a different realm. |
| 0x24 | KRB\_AP\_ERR\_BADMATCH | The ticket and authenticator do not match | The KRB\_TGS\_REQ is being sent to the wrong KDC.<br>There is an account mismatch during protocol transition. |
| 0x24 | KRB\_AP\_ERR\_BADMATCH | The ticket and authenticator do not match | The KRB\_TGS\_REQ is being sent to the wrong KDC.<br>There's an account mismatch during protocol transition. |
| 0x25 | KRB\_AP\_ERR\_SKEW | The clock skew is too great | This error is logged if a client computer sends a timestamp whose value differs from that of the servers timestamp by more than the number of minutes found in the “Maximum tolerance for computer clock synchronization” setting in Kerberos policy. |
| 0x26 | KRB\_AP\_ERR\_BADADDR | Network address in network layer header doesn't match address inside ticket | Session tickets MAY include the addresses from which they are valid. This error can occur if the address of the computer sending the ticket is different from the valid address in the ticket. A possible cause of this could be an Internet Protocol (IP) address change. Another possible cause is when a ticket is passed through a proxy server or NAT. The client is unaware of the address scheme used by the proxy server, so unless the program caused the client to request a proxy server ticket with the proxy server's source address, the ticket could be invalid. |
| 0x27 | KRB\_AP\_ERR\_BADVERSION | Protocol version numbers don't match (PVNO) | When an application receives a KRB\_SAFE message, it verifies it. If any error occurs, an error code is reported for use by the application.<br>The message is first checked by verifying that the protocol version and type fields match the current version and KRB\_SAFE, respectively. A mismatch generates a KRB\_AP\_ERR\_BADVERSION.<br>See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details. |
| 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Message type is unsupported | This message is generated when target server finds that message format is wrong. This applies to KRB\_AP\_REQ, KRB\_SAFE, KRB\_PRIV and KRB\_CRED messages. <br>This error also generated if use of UDP protocol is being attempted with User-to-User authentication. |
| 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified and checksum didn't match | The authentication data was encrypted with the wrong key for the intended server.<br>The authentication data was modified in transit by a hardware or software error, or by an attacker.<br>The client sent the authentication data to the wrong server because incorrect DNS data caused the client to send the request to the wrong server.<br>The client sent the authentication data to the wrong server because DNS data was out-of-date on the client. |
| 0x2A | KRB\_AP\_ERR\_BADORDER | Message out of order (possible tampering) | This event generates for KRB\_SAFE and KRB\_PRIV messages if an incorrect sequence number is included, or if a sequence number is expected but not present. See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details. |
| 0x2C | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. If the key version indicated by the Ticket in the KRB\_AP\_REQ is not one the server can use (e.g., it indicates an old key, and the server no longer possesses a copy of the old key), the KRB\_AP\_ERR\_BADKEYVER error is returned. |
| 0x2C | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. If the key version indicated by the Ticket in the KRB\_AP\_REQ isn't one the server can use (e.g., it indicates an old key, and the server no longer possesses a copy of the old key), the KRB\_AP\_ERR\_BADKEYVER error is returned. |
| 0x2D | KRB\_AP\_ERR\_NOKEY | Service key not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. Because it is possible for the server to be registered in multiple realms, with different keys in each, the realm field in the unencrypted portion of the ticket in the KRB\_AP\_REQ is used to specify which secret key the server should use to decrypt that ticket. The KRB\_AP\_ERR\_NOKEY error code is returned if the server doesn't have the proper key to decipher the ticket. |
| 0x2E | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed | No information. |
| 0x2F | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction | No information. |
| 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required | According [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) this error message is obsolete. |
| 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required | According to [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) this error message is obsolete. |
| 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message | No information. |
| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) | When KDC receives KRB\_TGS\_REQ message it decrypts it, and after the user-supplied checksum in the Authenticator MUST be verified against the contents of the request, and the message MUST be rejected if the checksums do not match (with an error code of KRB\_AP\_ERR\_MODIFIED) or if the checksum is not collision-proof (with an error code of KRB\_AP\_ERR\_INAPP\_CKSUM). |
| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) | When KDC receives KRB\_TGS\_REQ message it decrypts it, and after the user-supplied checksum in the Authenticator MUST be verified against the contents of the request, and the message MUST be rejected if the checksums don't match (with an error code of KRB\_AP\_ERR\_MODIFIED) or if the checksum isn't collision-proof (with an error code of KRB\_AP\_ERR\_INAPP\_CKSUM). |
| 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Desired path is unreachable | No information. |
| 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Too much data | The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails. |
| 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.<br>Multiple recent password changes have not propagated.<br>Crypto subsystem error caused by running out of memory.<br>SPN too long.<br>SPN has too many parts. |
| 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | Each request (KRB\_KDC\_REQ) and response (KRB\_KDC\_REP or KRB\_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that does not understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB\_ERR\_FIELD\_TOOLONG and MUST close the TCP stream. |
| 0x3E | KDC\_ERR\_CLIENT\_NOT\_TRUSTED | The client trust failed or is not implemented | This typically happens when users smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) is not trusted by the domain controller. |
| 0x3F | KDC\_ERR\_KDC\_NOT\_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client does not possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC\_ERR\_KDC\_NOT\_TRUSTED. See [RFC1510](https://www.ietf.org/proceedings/50/I-D/cat-kerberos-pk-init-13.txt) for more details. |
| 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.<br>Multiple recent password changes hanven't propagated.<br>Crypto subsystem error caused by running out of memory.<br>SPN too long.<br>SPN has too many parts. |
| 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | Each request (KRB\_KDC\_REQ) and response (KRB\_KDC\_REP or KRB\_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that doesn't understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB\_ERR\_FIELD\_TOOLONG and MUST close the TCP stream. |
| 0x3E | KDC\_ERR\_CLIENT\_NOT\_TRUSTED | The client trust failed or is not implemented | This typically happens when users smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) isn't trusted by the domain controller. |
| 0x3F | KDC\_ERR\_KDC\_NOT\_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client doesn't possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC\_ERR\_KDC\_NOT\_TRUSTED. See [RFC1510](https://www.ietf.org/proceedings/50/I-D/cat-kerberos-pk-init-13.txt) for more details. |
| 0x40 | KDC\_ERR\_INVALID\_SIG | The signature is invalid | This error is related to PKINIT. If a PKI trust relationship exists, the KDC then verifies the client's signature on AuthPack (TGT request signature). If that fails, the KDC returns an error message of type KDC\_ERR\_INVALID\_SIG. |
| 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | A higher encryption level is needed | If the clientPublicValue field is filled in, indicating that the client wishes to use Diffie-Hellman key agreement, then the KDC checks to see that the parameters satisfy its policy. If they do not (e.g., the prime size is insufficient for the expected encryption type), then the KDC sends back an error message of type KDC\_ERR\_KEY\_TOO\_WEAK. |
| 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | A higher encryption level is needed | If the clientPublicValue field is filled in, indicating that the client wishes to use Diffie-Hellman key agreement, then the KDC checks to see that the parameters satisfy its policy. If they don't (e.g., the prime size is insufficient for the expected encryption type), then the KDC sends back an error message of type KDC\_ERR\_KEY\_TOO\_WEAK. |
| 0x42 | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED | User-to-user authorization is required | In the case that the client application doesn't know that a service requires user-to-user authentication, and requests and receives a conventional KRB\_AP\_REP, the client will send the KRB\_AP\_REP request, and the server will respond with a KRB\_ERROR token as described in [RFC1964](https://tools.ietf.org/html/rfc1964), with a msg-type of KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED. |
| 0x43 | KRB\_AP\_ERR\_NO\_TGT | No TGT was presented or available | In user-to-user authentication if the service does not possess a ticket granting ticket, it should return the error KRB\_AP\_ERR\_NO\_TGT. |
| 0x43 | KRB\_AP\_ERR\_NO\_TGT | No TGT was presented or available | In user-to-user authentication if the service doesn't possess a ticket granting ticket, it should return the error KRB\_AP\_ERR\_NO\_TGT. |
| 0x44 | KDC\_ERR\_WRONG\_REALM | Incorrect domain or principal | Although this error rarely occurs, it occurs when a client presents a cross-realm TGT to a realm other than the one specified in the TGT. Typically, this results from incorrectly configured DNS. |
- **Transited Services** \[Type = UnicodeString\]: this field contains list of SPNs which were requested if Kerberos delegation was used.
@ -269,17 +269,17 @@ For 4769(S, F): A Kerberos service ticket was requested.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Account Information\\Account Name”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Account Information\\Account Name”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Account Information\\Account Name”** that corresponds to the accounts that should never be used. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Account Information\\Account Domain”** corresponding to another domain or “external” location. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that aren't allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Account Information\\Account Domain”** corresponding to another domain or “external” location. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Account Information\\Account Name”** that you are concerned about. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**User ID”** for names that dont comply with naming conventions. |
- If you know that **Account Name** should never request any tickets for (that is, never get access to) a particular computer account or service account, monitor for [4769](event-4769.md) events with the corresponding **Account Name** and **Service ID** fields.
- You can track all [4769](event-4769.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges.
- You can track all [4769](event-4769.md) events where the **Client Address** isn't from your internal IP range or not from private IP ranges.
- If you know that **Account Name** should be able to request tickets (should be used) only from a known allow list of IP addresses, track all **Client Address** values for this **Account Name** in [4769](event-4769.md) events. If **Client Address** is not from your allow list of IP addresses, generate the alert.
- If you know that **Account Name** should be able to request tickets (should be used) only from a known allow list of IP addresses, track all **Client Address** values for this **Account Name** in [4769](event-4769.md) events. If **Client Address** isn't from your allow list of IP addresses, generate the alert.
- All **Client Address** = ::1 means local TGS requests, which means that the **Account Name** logged on to a domain controller before making the TGS request. If you have an allow list of accounts allowed to log on to domain controllers, monitor events with **Client Address** = ::1 and any **Account Name** outside the allow list.
- All **Client Address** = `::1` means local TGS requests, which means that the **Account Name** logged on to a domain controller before making the TGS request. If you have an allow list of accounts allowed to log on to domain controllers, monitor events with **Client Address** = `::1` and any **Account Name** outside the allow list.
- All [4769](event-4769.md) events with **Client Port** field value &gt; 0 and &lt; 1024 should be examined, because a well-known port was used for outbound connection.

4
windows/security/threat-protection/auditing/event-4770.md
View File

@ -2,7 +2,7 @@
title: 4770(S) A Kerberos service ticket was renewed. (Windows 10)
description: Describes security event 4770(S) A Kerberos service ticket was renewed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4770(S): A Kerberos service ticket was renewed.

4
windows/security/threat-protection/auditing/event-4771.md
View File

@ -2,7 +2,7 @@
title: 4771(F) Kerberos pre-authentication failed. (Windows 10)
description: Describes security event 4771(F) Kerberos pre-authentication failed. This event is generated when the Key Distribution Center fails to issue a Kerberos TGT.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4771(F): Kerberos pre-authentication failed.

4
windows/security/threat-protection/auditing/event-4772.md
View File

@ -2,7 +2,7 @@
title: 4772(F) A Kerberos authentication ticket request failed. (Windows 10)
description: Describes security event 4772(F) A Kerberos authentication ticket request failed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4772(F): A Kerberos authentication ticket request failed.

4
windows/security/threat-protection/auditing/event-4773.md
View File

@ -2,7 +2,7 @@
title: 4773(F) A Kerberos service ticket request failed. (Windows 10)
description: Describes security event 4773(F) A Kerberos service ticket request failed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4773(F): A Kerberos service ticket request failed.

4
windows/security/threat-protection/auditing/event-4774.md
View File

@ -2,7 +2,7 @@
title: 4774(S, F) An account was mapped for logon. (Windows 10)
description: Describes security event 4774(S, F) An account was mapped for logon. This event is generated when an account is mapped for logon.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4774(S, F): An account was mapped for logon

4
windows/security/threat-protection/auditing/event-4775.md
View File

@ -2,7 +2,7 @@
title: 4775(F) An account could not be mapped for logon. (Windows 10)
description: Describes security event 4775(F) An account could not be mapped for logon.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4775(F): An account could not be mapped for logon.

18
windows/security/threat-protection/auditing/event-4776.md
View File

@ -2,7 +2,7 @@
title: 4776(S, F) The computer attempted to validate the credentials for an account. (Windows 10)
description: Describes security event 4776(S, F) The computer attempted to validate the credentials for an account.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/13/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4776(S, F): The computer attempted to validate the credentials for an account.
@ -29,13 +29,13 @@ This event occurs only on the computer that is authoritative for the provided cr
It shows successful and unsuccessful credential validation attempts.
It shows only the computer name (**Source Workstation**) from which the authentication attempt was performed (authentication source). For example, if you authenticate from CLIENT-1 to SERVER-1 using a domain account you will see CLIENT-1 in the **Source Workstation** field. Information about the destination computer (SERVER-1) is not presented in this event.
It shows only the computer name (**Source Workstation**) from which the authentication attempt was performed (authentication source). For example, if you authenticate from CLIENT-1 to SERVER-1 using a domain account you'll see CLIENT-1 in the **Source Workstation** field. Information about the destination computer (SERVER-1) isn't presented in this event.
If a credential validation attempt fails, you will see a Failure event with **Error Code** parameter value not equal to “**0x0**”.
If a credential validation attempt fails, you'll see a Failure event with **Error Code** parameter value not equal to “**0x0**”.
The main advantage of this event is that on domain controllers you can see all authentication attempts for domain accounts when NTLM authentication was used.
For monitoring local account logon attempts, it is better to use event “[4624](event-4624.md): An account was successfully logged on” because it contains more details and is more informative.
For monitoring local account logon attempts, it's better to use event “[4624](event-4624.md): An account was successfully logged on” because it contains more details and is more informative.
This event also generates when a workstation unlock event occurs.
@ -82,7 +82,7 @@ This event does *not* generate when a domain account logs on locally to a domain
***Field Descriptions:***
- **Authentication Package** \[Type = UnicodeString\]: the name of [Authentication Package](/windows/win32/secauthn/authentication-packages) which was used for credential validation. It is always “**MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0**” for [4776](event-4776.md) event.
- **Authentication Package** \[Type = UnicodeString\]: the name of [Authentication Package](/windows/win32/secauthn/authentication-packages) that was used for credential validation. It's always “**MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0**” for [4776](event-4776.md) event.
> **Note**&nbsp;&nbsp;**Authentication package** is a DLL that encapsulates the authentication logic used to determine whether to permit a user to log on. [Local Security Authority](/windows/win32/secgloss/l-gly#_security_local_security_authority_gly) (LSA) authenticates a user logon by sending the request to an authentication package. The authentication package then examines the logon information and either authenticates or rejects the user logon attempt.
@ -127,14 +127,14 @@ For 4776(S, F): The computer attempted to validate the credentials for an accoun
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Logon Account”** value (with other information) to monitor how or when a particular account is being used.<br>To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Logon Account”** that should never be used. |
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Logon Account”** for accounts that are outside the allow list. |
| **Restricted-use computers**: You might have certain computers from which certain people (accounts) should not log on. | Monitor the target **Source Workstation** for credential validation requests from the **“Logon Account”** that you are concerned about. |
| **Restricted-use computers**: You might have certain computers from which certain people (accounts) shouldn't log on. | Monitor the target **Source Workstation** for credential validation requests from the **“Logon Account”** that you're concerned about. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Logon Account”** for names that dont comply with naming conventions. |
- If NTLM authentication should not be used for a specific account, monitor for that account. Dont forget that local logon will always use NTLM authentication if an account logs on to a device where its user account is stored.
- If NTLM authentication shouldn't be used for a specific account, monitor for that account. Dont forget that local logon will always use NTLM authentication if an account logs on to a device where its user account is stored.
- You can use this event to collect all NTLM authentication attempts in the domain, if needed. Dont forget that local logon will always use NTLM authentication if the account logs on to a device where its user account is stored.
- If a local account should be used only locally (for example, network logon or terminal services logon is not allowed), you need to monitor for all events where **Source Workstation** and **Computer** (where the event was generated and where the credentials are stored) have different values.
- If a local account should be used only locally (for example, network logon or terminal services logon isn't allowed), you need to monitor for all events where **Source Workstation** and **Computer** (where the event was generated and where the credentials are stored) have different values.
- Consider tracking the following errors for the reasons listed:

4
windows/security/threat-protection/auditing/event-4777.md
View File

@ -2,7 +2,7 @@
title: 4777(F) The domain controller failed to validate the credentials for an account. (Windows 10)
description: Describes security event 4777(F) The domain controller failed to validate the credentials for an account.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4777(F): The domain controller failed to validate the credentials for an account.

4
windows/security/threat-protection/auditing/event-4778.md
View File

@ -2,7 +2,7 @@
title: 4778(S) A session was reconnected to a Window Station. (Windows 10)
description: Describes security event 4778(S) A session was reconnected to a Window Station.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4778(S): A session was reconnected to a Window Station.

4
windows/security/threat-protection/auditing/event-4779.md
View File

@ -2,7 +2,7 @@
title: 4779(S) A session was disconnected from a Window Station. (Windows 10)
description: Describes security event 4779(S) A session was disconnected from a Window Station.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4779(S): A session was disconnected from a Window Station.

4
windows/security/threat-protection/auditing/event-4780.md
View File

@ -2,7 +2,7 @@
title: 4780(S) The ACL was set on accounts which are members of administrators groups. (Windows 10)
description: Describes security event 4780(S) The ACL was set on accounts which are members of administrators groups.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4780(S): The ACL was set on accounts which are members of administrators groups.

4
windows/security/threat-protection/auditing/event-4781.md
View File

@ -2,7 +2,7 @@
title: 4781(S) The name of an account was changed. (Windows 10)
description: Describes security event 4781(S) The name of an account was changed. This event is generated every time a user or computer account name is changed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4781(S): The name of an account was changed.

4
windows/security/threat-protection/auditing/event-4782.md
View File

@ -2,7 +2,7 @@
title: 4782(S) The password hash of an account was accessed. (Windows 10)
description: Describes security event 4782(S) The password hash of an account was accessed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4782(S): The password hash of an account was accessed.

4
windows/security/threat-protection/auditing/event-4793.md
View File

@ -2,7 +2,7 @@
title: 4793(S) The Password Policy Checking API was called. (Windows 10)
description: Describes security event 4793(S) The Password Policy Checking API was called.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4793(S): The Password Policy Checking API was called.

4
windows/security/threat-protection/auditing/event-4794.md
View File

@ -2,7 +2,7 @@
title: 4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password. (Windows 10)
description: Describes security event 4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4794(S, F): An attempt was made to set the Directory Services Restore Mode administrator password.

4
windows/security/threat-protection/auditing/event-4798.md
View File

@ -2,7 +2,7 @@
title: 4798(S) A user's local group membership was enumerated. (Windows 10)
description: Describes security event 4798(S) A user's local group membership was enumerated.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4798(S): A user's local group membership was enumerated.

4
windows/security/threat-protection/auditing/event-4799.md
View File

@ -2,7 +2,7 @@
title: 4799(S) A security-enabled local group membership was enumerated. (Windows 10)
description: Describes security event 4799(S) A security-enabled local group membership was enumerated.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4799(S): A security-enabled local group membership was enumerated.

4
windows/security/threat-protection/auditing/event-4800.md
View File

@ -2,7 +2,7 @@
title: 4800(S) The workstation was locked. (Windows 10)
description: Describes security event 4800(S) The workstation was locked. This event is generated when a workstation is locked.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4800(S): The workstation was locked.

4
windows/security/threat-protection/auditing/event-4801.md
View File

@ -2,7 +2,7 @@
title: 4801(S) The workstation was unlocked. (Windows 10)
description: Describes security event 4801(S) The workstation was unlocked. This event is generated when workstation is unlocked.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4801(S): The workstation was unlocked.

4
windows/security/threat-protection/auditing/event-4802.md
View File

@ -2,7 +2,7 @@
title: 4802(S) The screen saver was invoked. (Windows 10)
description: Describes security event 4802(S) The screen saver was invoked. This event is generated when screen saver is invoked.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4802(S): The screen saver was invoked.

4
windows/security/threat-protection/auditing/event-4803.md
View File

@ -2,7 +2,7 @@
title: 4803(S) The screen saver was dismissed. (Windows 10)
description: Describes security event 4803(S) The screen saver was dismissed. This event is generated when screen saver is dismissed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4803(S): The screen saver was dismissed.

4
windows/security/threat-protection/auditing/event-4816.md
View File

@ -2,7 +2,7 @@
title: 4816(S) RPC detected an integrity violation while decrypting an incoming message. (Windows 10)
description: Describes security event 4816(S) RPC detected an integrity violation while decrypting an incoming message.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4816(S): RPC detected an integrity violation while decrypting an incoming message.

4
windows/security/threat-protection/auditing/event-4817.md
View File

@ -2,7 +2,7 @@
title: 4817(S) Auditing settings on object were changed. (Windows 10)
description: Describes security event 4817(S) Auditing settings on object were changed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4817(S): Auditing settings on object were changed.

4
windows/security/threat-protection/auditing/event-4818.md
View File

@ -2,7 +2,7 @@
title: 4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. (Windows 10)
description: Describes security event 4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.

4
windows/security/threat-protection/auditing/event-4819.md
View File

@ -2,7 +2,7 @@
title: 4819(S) Central Access Policies on the machine have been changed. (Windows 10)
description: Describes security event 4819(S) Central Access Policies on the machine have been changed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4819(S): Central Access Policies on the machine have been changed.

4
windows/security/threat-protection/auditing/event-4826.md
View File

@ -2,7 +2,7 @@
title: 4826(S) Boot Configuration Data loaded. (Windows 10)
description: Describes security event 4826(S) Boot Configuration Data loaded. This event is generated every time system starts and loads Boot Configuration Data settings.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4826(S): Boot Configuration Data loaded.

4
windows/security/threat-protection/auditing/event-4864.md
View File

@ -2,7 +2,7 @@
title: 4864(S) A namespace collision was detected. (Windows 10)
description: Describes security event 4864(S) A namespace collision was detected. This event is generated when a namespace collision is detected.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4864(S): A namespace collision was detected.

4
windows/security/threat-protection/auditing/event-4865.md
View File

@ -2,7 +2,7 @@
title: 4865(S) A trusted forest information entry was added. (Windows 10)
description: Describes security event 4865(S) A trusted forest information entry was added.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4865(S): A trusted forest information entry was added.

4
windows/security/threat-protection/auditing/event-4866.md
View File

@ -2,7 +2,7 @@
title: 4866(S) A trusted forest information entry was removed. (Windows 10)
description: Describes security event 4866(S) A trusted forest information entry was removed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4866(S): A trusted forest information entry was removed.

4
windows/security/threat-protection/auditing/event-4867.md
View File

@ -2,7 +2,7 @@
title: 4867(S) A trusted forest information entry was modified. (Windows 10)
description: Describes security event 4867(S) A trusted forest information entry was modified.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4867(S): A trusted forest information entry was modified.

4
windows/security/threat-protection/auditing/event-4902.md
View File

@ -2,7 +2,7 @@
title: 4902(S) The Per-user audit policy table was created. (Windows 10)
description: Describes security event 4902(S) The Per-user audit policy table was created.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4902(S): The Per-user audit policy table was created.

4
windows/security/threat-protection/auditing/event-4904.md
View File

@ -2,7 +2,7 @@
title: 4904(S) An attempt was made to register a security event source. (Windows 10)
description: Describes security event 4904(S) An attempt was made to register a security event source.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4904(S): An attempt was made to register a security event source.

4
windows/security/threat-protection/auditing/event-4905.md
View File

@ -2,7 +2,7 @@
title: 4905(S) An attempt was made to unregister a security event source. (Windows 10)
description: Describes security event 4905(S) An attempt was made to unregister a security event source.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/08/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4905(S): An attempt was made to unregister a security event source.

4
windows/security/threat-protection/auditing/event-4906.md
View File

@ -2,7 +2,7 @@
title: 4906(S) The CrashOnAuditFail value has changed. (Windows 10)
description: Describes security event 4906(S) The CrashOnAuditFail value has changed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/08/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4906(S): The CrashOnAuditFail value has changed.

4
windows/security/threat-protection/auditing/event-4907.md
View File

@ -2,7 +2,7 @@
title: 4907(S) Auditing settings on object were changed. (Windows 10)
description: Describes security event 4907(S) Auditing settings on object were changed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/08/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4907(S): Auditing settings on object were changed.

8
windows/security/threat-protection/auditing/event-4908.md
View File

@ -2,7 +2,7 @@
title: 4908(S) Special Groups Logon table modified. (Windows 10)
description: Describes security event 4908(S) Special Groups Logon table modified. This event is generated when the Special Groups Logon table is modified.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/08/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4908(S): Special Groups Logon table modified.
@ -70,7 +70,7 @@ For more information about Special Groups auditing, see [4908(S): Special Groups
***Field Descriptions:***
**Special Groups** \[Type = UnicodeString\]**:** contains current list of SIDs (groups or accounts) which are members of Special Groups. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
**Special Groups** \[Type = UnicodeString\]**:** contains current list of SIDs (groups or accounts) which are members of Special Groups. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
> [!NOTE]
> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
@ -83,7 +83,7 @@ For more information about Special Groups auditing, see [4908(S): Special Groups
For 4908(S): Special Groups Logon table modified.
- If you use the Special Groups feature, then this event should be always monitored, especially on high value assets or computers. If this change was not planned, investigate the reason for the change.
- If you use the Special Groups feature, then this event should be always monitored, especially on high value assets or computers. If this change wasn't planned, investigate the reason for the change.
- If you dont use the Special Groups feature, then this event should be always monitored because it indicates use of the Special Groups feature outside of your standard procedures.

4
windows/security/threat-protection/auditing/event-4909.md
View File

@ -2,7 +2,7 @@
title: 4909(-) The local policy settings for the TBS were changed. (Windows 10)
description: Describes security event 4909(-) The local policy settings for the TBS were changed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/08/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4909(-): The local policy settings for the TBS were changed.

4
windows/security/threat-protection/auditing/event-4910.md
View File

@ -2,7 +2,7 @@
title: 4910(-) The group policy settings for the TBS were changed. (Windows 10)
description: Describes security event 4910(-) The group policy settings for the TBS were changed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/08/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4910(-): The group policy settings for the TBS were changed.

4
windows/security/threat-protection/auditing/event-4911.md
View File

@ -2,7 +2,7 @@
title: 4911(S) Resource attributes of the object were changed. (Windows 10)
description: Describes security event 4911(S) Resource attributes of the object were changed.
ms.pagetype: security
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/08/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: windows-sec
ms.technology: itpro-security
---
# 4911(S): Resource attributes of the object were changed.

Some files were not shown because too many files have changed in this diff Show More