diff --git a/windows/keep-secure/advanced-security-audit-policy-settings.md b/windows/keep-secure/advanced-security-audit-policy-settings.md
index 5f82176445..5b5faf0b14 100644
--- a/windows/keep-secure/advanced-security-audit-policy-settings.md
+++ b/windows/keep-secure/advanced-security-audit-policy-settings.md
@@ -2,52 +2,74 @@
title: Advanced security audit policy settings (Windows 10)
description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171
-ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
+ms.pagetype: security
author: brianlic-msft
---
+
# Advanced security audit policy settings
+
**Applies to**
- Windows 10
+
This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
+
The security audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as:
+
- A group administrator has modified settings or data on servers that contain finance information.
- An employee within a defined group has accessed an important file.
- The correct system access control list (SACL) is applied to every file and folder or registry key on a computer or file share as a verifiable safeguard against undetected access.
+
You can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local computer or by using Group Policy.
+
These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.
Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories:
+
**Account Logon**
+
Configuring policy settings in this category can help you document attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and events, which track attempts to access a particular computer, settings and events in this category focus on the account database that is used. This category includes the following subcategories:
+
- [Audit Credential Validation](audit-credential-validation.md)
- [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
- [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
+
**Account Management**
+
The security audit policy settings in this category can be used to monitor changes to user and computer accounts and groups. This category includes the following subcategories:
+
- [Audit Application Group Management](audit-application-group-management.md)
- [Audit Computer Account Management](audit-computer-account-management.md)
- [Audit Distribution Group Management](audit-distribution-group-management.md)
- [Audit Other Account Management Events](audit-other-account-management-events.md)
- [Audit Security Group Management](audit-security-group-management.md)
- [Audit User Account Management](audit-user-account-management.md)
+
**Detailed Tracking**
+
Detailed Tracking security policy settings and audit events can be used to monitor the activities of individual applications and users on that computer, and to understand how a computer is being used. This category includes the following subcategories:
+
- [Audit DPAPI Activity](audit-dpapi-activity.md)
- [Audit PNP activity](audit-pnp-activity.md)
- [Audit Process Creation](audit-process-creation.md)
- [Audit Process Termination](audit-process-termination.md)
- [Audit RPC Events](audit-rpc-events.md)
+
**DS Access**
+
DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This category includes the following subcategories:
+
- [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
- [Audit Directory Service Access](audit-directory-service-access.md)
- [Audit Directory Service Changes](audit-directory-service-changes.md)
- [Audit Directory Service Replication](audit-directory-service-replication.md)
+
**Logon/Logoff**
+
Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer interactively or over a network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources. This category includes the following subcategories:
+
- [Audit Account Lockout](audit-account-lockout.md)
- [Audit User/Device Claims](audit-user-device-claims.md)
- [Audit IPsec Extended Mode](audit-ipsec-extended-mode.md)
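Review bot: the blank-line pass misses one paragraph boundary in this hunk: the line ending "...deployed to selected users and groups with relative simplicity." is still followed directly by "Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories:", so the two render as a single paragraph. Every other paragraph break in the hunk gets a `+` blank line; add one here as well for consistency.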
@@ -59,10 +81,15 @@ Logon/Logoff security policy settings and audit events allow you to track attemp
- [Audit Network Policy Server](audit-network-policy-server.md)
- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
- [Audit Special Logon](audit-special-logon.md)
+
**Object Access**
+
Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate object Aaccess auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses.
+
Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#bkmk-globalobjectaccess).
+
This category includes the following subcategories:
+
- [Audit Application Generated](audit-application-generated.md)
- [Audit Certification Services](audit-certification-services.md)
- [Audit Detailed File Share](audit-detailed-file-share.md)
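Review bot: the unchanged context line in this hunk still reads "you must enable the appropriate object Aaccess auditing subcategory"; since the surrounding paragraph is already being touched for spacing, fix the typo to "Object Access" (matching the bold category heading two lines above) rather than leaving it for a separate pass.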
@@ -77,35 +104,46 @@ This category includes the following subcategories:
- [Audit Removable Storage](audit-removable-storage.md)
- [Audit SAM](audit-sam.md)
- [Audit Central Access Policy Staging](audit-central-access-policy-staging.md)
+
**Policy Change**
+
Policy Change audit events allow you to track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, monitoring changes or attempts to change these policies can be an important aspect of security management for a network. This category includes the following subcategories:
+
- [Audit Audit Policy Change](audit-audit-policy-change.md)
- [Audit Authentication Policy Change](audit-authentication-policy-change.md)
- [Audit Authorization Policy Change](audit-authorization-policy-change.md)
- [Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md)
- [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
- [Audit Other Policy Change Events](audit-other-policy-change-events.md)
+
**Privilege Use**
+
Permissions on a network are granted for users or computers to complete defined tasks. Privilege Use security policy settings and audit events allow you to track the use of certain permissions on one or more systems. This category includes the following subcategories:
+
- [Audit Non-Sensitive Privilege Use](audit-non-sensitive-privilege-use.md)
- [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)
- [Audit Other Privilege Use Events](audit-other-privilege-use-events.md)
+
**System**
+
System security policy settings and audit events allow you to track system-level changes to a computer that are not included in other categories and that have potential security implications. This category includes the following subcategories:
+
- [Audit IPsec Driver](audit-ipsec-driver.md)
- [Audit Other System Events](audit-other-system-events.md)
- [Audit Security State Change](audit-security-state-change.md)
- [Audit Security System Extension](audit-security-system-extension.md)
- [Audit System Integrity](audit-system-integrity.md)
+
**Global Object Access**
+
Global Object Access Auditing policy settings allow administrators to define computer system access control lists (SACLs) per object type for the file system or for the registry. The specified SACL is then automatically applied to every object of that type.
Auditors will be able to prove that every resource in the system is protected by an audit policy by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect.
+
Resource SACLs are also useful for diagnostic scenarios. For example, setting the Global Object Access Auditing policy to log all the activity for a specific user and enabling the policy to track "Access denied" events for the file system or registry can help administrators quickly identify which object in a system is denying a user access.
-**Note**
-If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.
+
+> **Note:** If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object
+Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.
This category includes the following subcategories:
- [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md)
- [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md)
-
-
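Review bot: the new `> **Note:**` blockquote is broken across two lines, and the second line ("Access Auditing policy. This means that an audit event is generated...") carries no `>` prefix and is followed immediately by the context line "This category includes the following subcategories:" with no blank line. Markdown lazy continuation pulls both the unprefixed line and that sentence into the blockquote, so the subcategory introduction renders inside the note. Keep the note on one line (or prefix the continuation with `> `) and add a `+` blank line before "This category includes the following subcategories:". The same missing blank line applies between "...automatically applied to every object of that type." and "Auditors will be able to prove...", which currently collapse into one paragraph while the rest of the hunk separates paragraphs consistently.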
diff --git a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md
index dfc256208f..5f46d91a0d 100644
--- a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md
+++ b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md
@@ -2,90 +2,128 @@
title: Backup the TPM recovery Information to AD DS (Windows 10)
description: This topic for the IT professional describes how to back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS) so that you can use AD DS to administer the TPM from a remote computer.
ms.assetid: 62bcec80-96a1-464e-8b3f-d177a7565ac5
-ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
+ms.pagetype: security
author: brianlic-msft
---
+
# Backup the TPM recovery Information to AD DS
+
**Applies to**
- Windows 10
+
This topic for the IT professional describes how to back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS) so that you can use AD DS to administer the TPM from a remote computer.
+
## About administering TPM remotely
+
Backing up the TPM owner information for a computer allows administrators in a domain to remotely configure the TPM security hardware on the local computer. For example, administrators might want to reset the TPM to the manufacturer’s defaults when they decommission or repurpose computers, without having to be present at the computer.
+
You can use AD DS to store TPM owner information for use in recovery situations where the TPM owner has forgotten the password or where you must take control of the TPM. There is only one TPM owner password per computer; therefore, the hash of the TPM owner password can be stored as an attribute of the computer object in AD DS. The attribute has the common name (CN) of **ms-TPM-OwnerInformation**.
-**Note**
-The TPM owner authorization value is stored in AD DS, and it is present in a TPM owner password file as a SHA-1 hash of the TPM owner password, which is base 64–encoded. The actual owner password is not stored.
+
+> **Note:** The TPM owner authorization value is stored in AD DS, and it is present in a TPM owner password file as a SHA-1 hash of the TPM owner password, which is base 64–encoded. The actual owner password is not stored.
Domain controllers running Windows Server 2012 R2 or Windows Server 2012 include the required AD DS schema objects by default. However, if your domain controller is running Windows Server 2008 R2, you need to update the schema as described in [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).
+
This topic contains procedures, some of which are dependent on Visual Basic scripts, to recover TPM information and decommission TPM on remote computers. Sample scripts are available, which you can customize to meet the requirements of your environment.
+
In this topic:
+
1. [Check status of prerequisites](#bkmk-prereqs)
2. [Set permissions to back up password information](#bkmk-setperms)
3. [Configure Group Policy to back up TPM recovery information in AD DS](#bkmk-configuregp)
4. [Use AD DS to recover TPM information](#bkmk-useit)
5. [Sample scripts](#bkmk-adds-tpm-scripts)
+
## Check status of prerequisites
+
Before you begin your backup, ensure that the following prerequisites are met:
+
1. All domain controllers that are accessible by client computers that will be using TPM services are running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 with the updated schema.
- **Tip**
- For more info about the schema extensions that are required for a TPM backup in Active Directory domains that are running Windows Server 2008 R2, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).
+
+ > **Tip:** For more info about the schema extensions that are required for a TPM backup in Active Directory domains that are running Windows Server 2008 R2, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).
2. You have domain administrator rights in the target forest, or you are using an account that has been granted appropriate permissions to extend the schema for the target forest. Members of the Enterprise Admins or Schema Admins groups are examples of accounts that have the appropriate permissions.
+
## Set permissions to back up password information
+
This procedure uses the sample script [Add-TPMSelfWriteACE.vbs](#bkmk-add-tpmselfwriteace) to add an access control entry (ACE) so that backing up TPM recovery information is possible. A client computer cannot back up TPM owner information until this ACE is added.
+
This script is run on the domain controller that you will use to administer the TPM recovery information, and it operates under the following assumptions:
+
- You have domain administrator credentials to set permissions for the top-level domain object.
- Your target domain is the same as the domain for the user account that is running the script. For example, running the script as TESTDOMAIN\\admin will extend permissions for TESTDOMAIN.
- **Note**
- You might need to modify the sample script if you want to set permissions for multiple domains, but you do not have domain administrator accounts for each of those domains. Find the variable **strPathToDomain** in the script, and modify it for your target domain, for example:
+
+ > **Note:** You might need to modify the sample script if you want to set permissions for multiple domains, but you do not have domain administrator accounts for each of those domains. Find the variable **strPathToDomain** in the script, and modify it for your target domain, for example:
`LDAP://DC=testdomain,DC=nttest,DC=microsoft,DC=com`
- Your domain is configured so that permissions are inherited from the top-level domain object to targeted computer objects.
- Permissions will not take effect if any container in the hierarchy does not allow inherited permissions. By default, permissions inheritance is set in AD DS. If you are not sure whether your configuration differs from this default, you can continue with the setup steps to set the permissions. You can then verify your configuration as described later in this topic. Or you can click the **Effective Permissions** button while viewing the properties of a computer object, then check that **Self** is approved to write the **msTPM-OwnerInformation** attribute.
+
+ Permissions will not take effect if any container in the hierarchy does not allow inherited permissions. By default, permissions inheritance is set in AD DS. If you are not sure whether your configuration differs from this default, you can continue with the setup steps to set the permissions.
+ You can then verify your configuration as described later in this topic. Or you can click the **Effective Permissions** button while viewing the properties of a computer object, then check that **Self** is approved to write the **msTPM-OwnerInformation** attribute.
+
**To add an ACE to allow TPM recovery information backup**
+
1. Open the sample script **Add-TPMSelfWriteACE.vbs**.
+
The script contains a permission extension, and you must modify the value of **strPathToDomain** by using your domain name.
+
2. Save your modifications to the script.
3. Type the following at a command prompt, and then press ENTER:
+
**cscript Add-TPMSelfWriteACE.vbs**
+
This script adds a single ACE to the top-level domain object. The ACE is an inheritable permission that allows the computer (SELF) to write to the **ms-TPM-OwnerInformation** attribute for computer objects in the domain.
Complete the following procedure to check that the correct permissions are set and to remove TPM and BitLocker ACEs from the top-level domain, if necessary.
+
**Manage ACEs configured on TPM schema objects**
+
1. Open the sample script **List-ACEs.vbs**.
2. Modify **List-ACEs.vbs**.
+
You must modify:
- Value of **strPathToDomain**: Use your domain name.
- Filter options: The script sets a filter to address BitLocker and TPM schema objects, so you must modify **If IsFilterActive ()** if you want to list or remove other schema objects.
+
3. Save your modifications to the script.
4. Type the following at a command prompt, and then press ENTER:
+
**cscript List-ACEs.vbs**
+
With this script you can optionally remove ACEs from BitLocker and TPM schema objects on the top-level domain.
+
## Configure Group Policy to back up TPM recovery information in AD DS
+
Use these procedures to configure the [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-addsbu) policy setting on a local computer. In a production environment, an efficient way to do this is to create or edit a Group Policy Object (GPO) that can target client computers in the domain.
+
**To enable local policy setting to back up TPM recovery information to AD DS**
+
1. Sign in to a domain-joined computer by using a domain account that is a member of the local Administrators group.
2. Open the Local Group Policy Editor (gpedit.msc), and in the console tree, navigate to **Computer Configuration\\Administrative Templates\\System**.
3. Click **Trusted Platform Module Services**.
4. Double-click **Turn on TPM backup to Active Directory Domain Services**.
5. Click **Enabled**, and then click **OK**.
-**Important**
-When this setting is enabled, the TPM owner password cannot be set or changed unless the computer is connected to the domain and AD DS backup of the TPM recovery information succeeds.
+> **Important:** When this setting is enabled, the TPM owner password cannot be set or changed unless the computer is connected to the domain and AD DS backup of the TPM recovery information succeeds.
## Use AD DS to recover TPM information
+
When you need to recover the TPM owner information from AD DS and use it to manage the TPM, you need to read the **ms-TPM-OwnerInformation** object from AD DS, and then manually create a TPM owner password backup file that can be supplied when TPM owner credentials are required.
+
**To obtain TPM owner backup information from AD DS and create a password file**
+
1. Sign in to a domain controller by using domain administrator credentials.
2. Copy the sample script file, [Get-TPMOwnerInfo.vbs](#ms-tpm-ownerinformation), to a location on your computer.
3. Open a Command Prompt window, and change the default location to the location of the sample script files you saved in the previous step.
4. At the command prompt, type **cscript Get-TPMOwnerInfo.vbs**.
+
The expected output is a string that is the hash of the password that you created earlier.
- **Note**
- If you receive the error message, "Active Directory: The directory property cannot be found in the cache," verify that you are using a domain administrator account, which is required to read the **ms-TPM-OwnerInformation** attribute.
+ > **Note:** If you receive the error message, "Active Directory: The directory property cannot be found in the cache," verify that you are using a domain administrator account, which is required to read the **ms-TPM-OwnerInformation** attribute.
+
The only exception to this requirement is that if users are the Creator Owner of computer objects that they join to the domain, they can possibly read the TPM owner information for their computer objects.
5. Open Notepad or another text editor, and copy the following code sample into the file, and replace *TpmOwnerPasswordHash* with the string that you recorded in the previous step.
+
``` syntax
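Review bot: the `> **Note:** The TPM owner authorization value is stored in AD DS...` line is followed directly by the context line "Domain controllers running Windows Server 2012 R2 or Windows Server 2012 include the required AD DS schema objects by default...", with no blank line between them, so that whole paragraph is absorbed into the blockquote as a lazy continuation and renders as part of the note; add a `+` blank line after the note. The same separating blank line that this hunk adds everywhere else is also missing between the `> **Important:**` line and the "## Use AD DS to recover TPM information" heading, and between "This script adds a single ACE to the top-level domain object..." and "Complete the following procedure to check that the correct permissions are set...".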