deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 19:03:46 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

fixing spacing issues

Browse Source
This commit is contained in:
Brian Lich
2016-05-19 16:18:36 -07:00
parent eb9290389d
commit 15e9cedb16
15 changed files with 760 additions and 1793 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
windows/keep-secure/advanced-security-audit-policy-settings.md
View File

@ -2,52 +2,74 @@
title: Advanced security audit policy settings (Windows 10)
description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Advanced security audit policy settings
**Applies to**
- Windows 10
This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
The security audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as:
- A group administrator has modified settings or data on servers that contain finance information.
- An employee within a defined group has accessed an important file.
- The correct system access control list (SACL) is applied to every file and folder or registry key on a computer or file share as a verifiable safeguard against undetected access.
You can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local computer or by using Group Policy.
These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.
Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories:
**Account Logon**
Configuring policy settings in this category can help you document attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and events, which track attempts to access a particular computer, settings and events in this category focus on the account database that is used. This category includes the following subcategories:
- [Audit Credential Validation](audit-credential-validation.md)
- [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
- [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
**Account Management**
The security audit policy settings in this category can be used to monitor changes to user and computer accounts and groups. This category includes the following subcategories:
- [Audit Application Group Management](audit-application-group-management.md)
- [Audit Computer Account Management](audit-computer-account-management.md)
- [Audit Distribution Group Management](audit-distribution-group-management.md)
- [Audit Other Account Management Events](audit-other-account-management-events.md)
- [Audit Security Group Management](audit-security-group-management.md)
- [Audit User Account Management](audit-user-account-management.md)
**Detailed Tracking**
Detailed Tracking security policy settings and audit events can be used to monitor the activities of individual applications and users on that computer, and to understand how a computer is being used. This category includes the following subcategories:
- [Audit DPAPI Activity](audit-dpapi-activity.md)
- [Audit PNP activity](audit-pnp-activity.md)
- [Audit Process Creation](audit-process-creation.md)
- [Audit Process Termination](audit-process-termination.md)
- [Audit RPC Events](audit-rpc-events.md)
**DS Access**
DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This category includes the following subcategories:
- [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
- [Audit Directory Service Access](audit-directory-service-access.md)
- [Audit Directory Service Changes](audit-directory-service-changes.md)
- [Audit Directory Service Replication](audit-directory-service-replication.md)
**Logon/Logoff**
Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer interactively or over a network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources. This category includes the following subcategories:
- [Audit Account Lockout](audit-account-lockout.md)
- [Audit User/Device Claims](audit-user-device-claims.md)
- [Audit IPsec Extended Mode](audit-ipsec-extended-mode.md)
@ -59,10 +81,15 @@ Logon/Logoff security policy settings and audit events allow you to track attemp
- [Audit Network Policy Server](audit-network-policy-server.md)
- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
- [Audit Special Logon](audit-special-logon.md)
**Object Access**
Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate object Aaccess auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses.
Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#bkmk-globalobjectaccess).
This category includes the following subcategories:
- [Audit Application Generated](audit-application-generated.md)
- [Audit Certification Services](audit-certification-services.md)
- [Audit Detailed File Share](audit-detailed-file-share.md)
@ -77,35 +104,46 @@ This category includes the following subcategories:
- [Audit Removable Storage](audit-removable-storage.md)
- [Audit SAM](audit-sam.md)
- [Audit Central Access Policy Staging](audit-central-access-policy-staging.md)
**Policy Change**
Policy Change audit events allow you to track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, monitoring changes or attempts to change these policies can be an important aspect of security management for a network. This category includes the following subcategories:
- [Audit Audit Policy Change](audit-audit-policy-change.md)
- [Audit Authentication Policy Change](audit-authentication-policy-change.md)
- [Audit Authorization Policy Change](audit-authorization-policy-change.md)
- [Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md)
- [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
- [Audit Other Policy Change Events](audit-other-policy-change-events.md)
**Privilege Use**
Permissions on a network are granted for users or computers to complete defined tasks. Privilege Use security policy settings and audit events allow you to track the use of certain permissions on one or more systems. This category includes the following subcategories:
- [Audit Non-Sensitive Privilege Use](audit-non-sensitive-privilege-use.md)
- [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)
- [Audit Other Privilege Use Events](audit-other-privilege-use-events.md)
**System**
System security policy settings and audit events allow you to track system-level changes to a computer that are not included in other categories and that have potential security implications. This category includes the following subcategories:
- [Audit IPsec Driver](audit-ipsec-driver.md)
- [Audit Other System Events](audit-other-system-events.md)
- [Audit Security State Change](audit-security-state-change.md)
- [Audit Security System Extension](audit-security-system-extension.md)
- [Audit System Integrity](audit-system-integrity.md)
**Global Object Access**
Global Object Access Auditing policy settings allow administrators to define computer system access control lists (SACLs) per object type for the file system or for the registry. The specified SACL is then automatically applied to every object of that type.
Auditors will be able to prove that every resource in the system is protected by an audit policy by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect.
Resource SACLs are also useful for diagnostic scenarios. For example, setting the Global Object Access Auditing policy to log all the activity for a specific user and enabling the policy to track "Access denied" events for the file system or registry can help administrators quickly identify which object in a system is denying a user access.
**Note**  
If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.
> **Note:**  If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object
Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.
 
This category includes the following subcategories:
- [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md)
- [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md)
 
 

90
windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md
View File

@ -2,90 +2,128 @@
title: Backup the TPM recovery Information to AD DS (Windows 10)
description: This topic for the IT professional describes how to back up a computers Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS) so that you can use AD DS to administer the TPM from a remote computer.
ms.assetid: 62bcec80-96a1-464e-8b3f-d177a7565ac5
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Backup the TPM recovery Information to AD DS
**Applies to**
- Windows 10
This topic for the IT professional describes how to back up a computers Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS) so that you can use AD DS to administer the TPM from a remote computer.
## About administering TPM remotely
Backing up the TPM owner information for a computer allows administrators in a domain to remotely configure the TPM security hardware on the local computer. For example, administrators might want to reset the TPM to the manufacturers defaults when they decommission or repurpose computers, without having to be present at the computer.
You can use AD DS to store TPM owner information for use in recovery situations where the TPM owner has forgotten the password or where you must take control of the TPM. There is only one TPM owner password per computer; therefore, the hash of the TPM owner password can be stored as an attribute of the computer object in AD DS. The attribute has the common name (CN) of **ms-TPM-OwnerInformation**.
**Note**  
The TPM owner authorization value is stored in AD DS, and it is present in a TPM owner password file as a SHA-1 hash of the TPM owner password, which is base 64encoded. The actual owner password is not stored.
> **Note:**  The TPM owner authorization value is stored in AD DS, and it is present in a TPM owner password file as a SHA-1 hash of the TPM owner password, which is base 64encoded. The actual owner password is not stored.
 
Domain controllers running Windows Server 2012 R2 or Windows Server 2012 include the required AD DS schema objects by default. However, if your domain controller is running Windows Server 2008 R2, you need to update the schema as described in [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).
This topic contains procedures, some of which are dependent on Visual Basic scripts, to recover TPM information and decommission TPM on remote computers. Sample scripts are available, which you can customize to meet the requirements of your environment.
In this topic:
1. [Check status of prerequisites](#bkmk-prereqs)
2. [Set permissions to back up password information](#bkmk-setperms)
3. [Configure Group Policy to back up TPM recovery information in AD DS](#bkmk-configuregp)
4. [Use AD DS to recover TPM information](#bkmk-useit)
5. [Sample scripts](#bkmk-adds-tpm-scripts)
## <a href="" id="bkmk-prereqs"></a>Check status of prerequisites
Before you begin your backup, ensure that the following prerequisites are met:
1. All domain controllers that are accessible by client computers that will be using TPM services are running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 with the updated schema.
**Tip**  
For more info about the schema extensions that are required for a TPM backup in Active Directory domains that are running Windows Server 2008 R2, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).
> **Tip:**  For more info about the schema extensions that are required for a TPM backup in Active Directory domains that are running Windows Server 2008 R2, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).
 
2. You have domain administrator rights in the target forest, or you are using an account that has been granted appropriate permissions to extend the schema for the target forest. Members of the Enterprise Admins or Schema Admins groups are examples of accounts that have the appropriate permissions.
## <a href="" id="bkmk-setperms"></a>Set permissions to back up password information
This procedure uses the sample script [Add-TPMSelfWriteACE.vbs](#bkmk-add-tpmselfwriteace) to add an access control entry (ACE) so that backing up TPM recovery information is possible. A client computer cannot back up TPM owner information until this ACE is added.
This script is run on the domain controller that you will use to administer the TPM recovery information, and it operates under the following assumptions:
- You have domain administrator credentials to set permissions for the top-level domain object.
- Your target domain is the same as the domain for the user account that is running the script. For example, running the script as TESTDOMAIN\\admin will extend permissions for TESTDOMAIN.
**Note**  
You might need to modify the sample script if you want to set permissions for multiple domains, but you do not have domain administrator accounts for each of those domains. Find the variable **strPathToDomain** in the script, and modify it for your target domain, for example:
> **Note:**  You might need to modify the sample script if you want to set permissions for multiple domains, but you do not have domain administrator accounts for each of those domains. Find the variable **strPathToDomain** in the script, and modify it for your target domain, for example:
`LDAP://DC=testdomain,DC=nttest,DC=microsoft,DC=com`
 
- Your domain is configured so that permissions are inherited from the top-level domain object to targeted computer objects.
Permissions will not take effect if any container in the hierarchy does not allow inherited permissions. By default, permissions inheritance is set in AD DS. If you are not sure whether your configuration differs from this default, you can continue with the setup steps to set the permissions. You can then verify your configuration as described later in this topic. Or you can click the **Effective Permissions** button while viewing the properties of a computer object, then check that **Self** is approved to write the **msTPM-OwnerInformation** attribute.
Permissions will not take effect if any container in the hierarchy does not allow inherited permissions. By default, permissions inheritance is set in AD DS. If you are not sure whether your configuration differs from this default, you can continue with the setup steps to set the permissions.
You can then verify your configuration as described later in this topic. Or you can click the **Effective Permissions** button while viewing the properties of a computer object, then check that **Self** is approved to write the **msTPM-OwnerInformation** attribute.
**To add an ACE to allow TPM recovery information backup**
1. Open the sample script **Add-TPMSelfWriteACE.vbs**.
The script contains a permission extension, and you must modify the value of **strPathToDomain** by using your domain name.
2. Save your modifications to the script.
3. Type the following at a command prompt, and then press ENTER:
**cscript Add-TPMSelfWriteACE.vbs**
This script adds a single ACE to the top-level domain object. The ACE is an inheritable permission that allows the computer (SELF) to write to the **ms-TPM-OwnerInformation** attribute for computer objects in the domain.
Complete the following procedure to check that the correct permissions are set and to remove TPM and BitLocker ACEs from the top-level domain, if necessary.
**Manage ACEs configured on TPM schema objects**
1. Open the sample script **List-ACEs.vbs**.
2. Modify **List-ACEs.vbs**.
You must modify:
- Value of **strPathToDomain**: Use your domain name.
- Filter options: The script sets a filter to address BitLocker and TPM schema objects, so you must modify **If IsFilterActive ()** if you want to list or remove other schema objects.
3. Save your modifications to the script.
4. Type the following at a command prompt, and then press ENTER:
**cscript List-ACEs.vbs**
With this script you can optionally remove ACEs from BitLocker and TPM schema objects on the top-level domain.
## <a href="" id="bkmk-configuregp"></a>Configure Group Policy to back up TPM recovery information in AD DS
Use these procedures to configure the [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-addsbu) policy setting on a local computer. In a production environment, an efficient way to do this is to create or edit a Group Policy Object (GPO) that can target client computers in the domain.
**To enable local policy setting to back up TPM recovery information to AD DS**
1. Sign in to a domain-joined computer by using a domain account that is a member of the local Administrators group.
2. Open the Local Group Policy Editor (gpedit.msc), and in the console tree, navigate to **Computer Configuration\\Administrative Templates\\System**.
3. Click **Trusted Platform Module Services**.
4. Double-click **Turn on TPM backup to Active Directory Domain Services**.
5. Click **Enabled**, and then click **OK**.
**Important**  
When this setting is enabled, the TPM owner password cannot be set or changed unless the computer is connected to the domain and AD DS backup of the TPM recovery information succeeds.
> **Important:**  When this setting is enabled, the TPM owner password cannot be set or changed unless the computer is connected to the domain and AD DS backup of the TPM recovery information succeeds.
 
## <a href="" id="bkmk-useit"></a>Use AD DS to recover TPM information
When you need to recover the TPM owner information from AD DS and use it to manage the TPM, you need to read the **ms-TPM-OwnerInformation** object from AD DS, and then manually create a TPM owner password backup file that can be supplied when TPM owner credentials are required.
**To obtain TPM owner backup information from AD DS and create a password file**
1. Sign in to a domain controller by using domain administrator credentials.
2. Copy the sample script file, [Get-TPMOwnerInfo.vbs](#ms-tpm-ownerinformation), to a location on your computer.
3. Open a Command Prompt window, and change the default location to the location of the sample script files you saved in the previous step.
4. At the command prompt, type **cscript Get-TPMOwnerInfo.vbs**.
The expected output is a string that is the hash of the password that you created earlier.
**Note**  
If you receive the error message, "Active Directory: The directory property cannot be found in the cache," verify that you are using a domain administrator account, which is required to read the **ms-TPM-OwnerInformation** attribute.
> **Note:**  If you receive the error message, "Active Directory: The directory property cannot be found in the cache," verify that you are using a domain administrator account, which is required to read the **ms-TPM-OwnerInformation** attribute.
The only exception to this requirement is that if users are the Creator Owner of computer objects that they join to the domain, they can possibly read the TPM owner information for their computer objects.
 
5. Open Notepad or another text editor, and copy the following code sample into the file, and replace *TpmOwnerPasswordHash* with the string that you recorded in the previous step.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!--
@ -101,13 +139,19 @@ When you need to recover the TPM owner information from AD DS and use it to man
</tpmOwnerData>
```
6. Save this file with a .tpm extension on a removable storage device, such as a USB flash drive. When you access the TPM, and you are required to provide the TPM owner password, choose the option for reading the password from a file and provide the path to this file.
## <a href="" id="bkmk-adds-tpm-scripts"></a>Sample scripts
You can use all or portions of the following sample scripts, which are used in the preceding procedures, to configure AD DS for backing up TPM recovery information. Customization is required depending on how your environment is configured.
- [Add-TPMSelfWriteACE.vbs: Use to add the access control entry (ACE) for the TPM to AD DS](#bkmk-add-tpmselfwriteace)
- [List-ACEs.vbs: Use to list or remove the ACEs that are configured on BitLocker and TPM schema objects](#bkmk-list-aces)
- [Get-TPMOwnerInfo.vbs: Use to retrieve the TPM recovery information from AD DS for a particular computer](#bkmk-get-tpmownerinfo)
### <a href="" id="bkmk-add-tpmselfwriteace"></a>Add-TPMSelfWriteACE.vbs
This script adds the access control entry (ACE) for the TPM to AD DS so that the computer can back up TPM recovery information in AD DS.
``` syntax
'===============================================================================
'
@ -203,8 +247,11 @@ objDomain.Put "ntSecurityDescriptor", Array(objDescriptor)
objDomain.SetInfo
WScript.Echo "SUCCESS!"
```
### <a href="" id="bkmk-list-aces"></a>List-ACEs.vbs
This script lists or removes the ACEs that are configured on BitLocker and TPM schema objects for the top-level domain. This enables you to verify that the expected ACEs have been added appropriately or to remove any ACEs that are related to BitLocker or the TPM, if necessary.
``` syntax
'===============================================================================
'
@ -379,8 +426,11 @@ else
end if
end if
```
### <a href="" id="bkmk-get-tpmownerinfo"></a>Get-TPMOwnerInfo.vbs
This script retrieves TPM recovery information from AD DS for a particular computer so that you can verify that only domain administrators (or delegated roles) can read backed up TPM recovery information and verify that the information is being backed up correctly.
``` syntax
'=================================================================================
'
@ -499,12 +549,12 @@ Set objComputer = objDSO.OpenDSObject(strPath, vbNullString, vbNullString, _
strOwnerInformation = objComputer.Get("msTPM-OwnerInformation")
WScript.echo "msTPM-OwnerInformation: " + strOwnerInformation
```
## Additional resources
[Trusted Platform Module technology overview](trusted-platform-module-overview.md)
[TPM fundamentals](tpm-fundamentals.md)
[TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md)
[TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx)
[AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md)
[Prepare your organization for BitLocker: Planning and Policies](http://technet.microsoft.com/library/jj592683.aspx), see TPM considerations
 
 
- [Trusted Platform Module technology overview](trusted-platform-module-overview.md)
- [TPM fundamentals](tpm-fundamentals.md)
- [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md)
- [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx)
- [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md)
- [Prepare your organization for BitLocker: Planning and Policies](http://technet.microsoft.com/library/jj592683.aspx), see TPM considerations

14
windows/keep-secure/basic-audit-account-logon-events.md
View File

@ -2,22 +2,31 @@
title: Audit account logon events (Windows 10)
description: Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.
ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit account logon events
**Applies to**
- Windows 10
Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.
This security setting determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account. Account logon events are generated when a domain user account is authenticated on a domain controller. The event is logged in the domain controller's security log. Logon events are generated when a local user is authenticated on a local computer. The event is logged in the local security log. Account logoff events are not generated.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when an account logon attempt succeeds. Failure audits generate an audit entry when an account logon attempt fails.
To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
**Default**: Success
## Configure this audit setting
You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
| Logon events | Description |
|--------------|--------------------------------------------------------------------------------------------------------------------------------------|
| 672 | An authentication service (AS) ticket was successfully issued and validated. |
@ -32,6 +41,7 @@ You can configure this security setting by opening the appropriate policy under
| 683 | A user disconnected a terminal server session without logging off. |
 
## Related topics
[Basic security audit policy settings](basic-security-audit-policy-settings.md)
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
 
 

262
windows/keep-secure/basic-audit-account-management.md
View File

@ -2,226 +2,86 @@
title: Audit account management (Windows 10)
description: Determines whether to audit each event of account management on a device.
ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit account management
**Applies to**
- Windows 10
Determines whether to audit each event of account management on a device.
Examples of account management events include:
- A user account or group is created, changed, or deleted.
- A user account is renamed, disabled, or enabled.
- A password is set or changed.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails. To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails. To
set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes.
**Default:**
- Success on domain controllers.
- No auditing on member servers.
## Configure this audit setting
You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Account management events</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">624</td>
<td align="left">A user account was created.</td>
</tr>
<tr class="even">
<td align="left">627</td>
<td align="left">A user password was changed.</td>
</tr>
<tr class="odd">
<td align="left">628</td>
<td align="left">A user password was set.</td>
</tr>
<tr class="even">
<td align="left">630</td>
<td align="left">A user account was deleted.</td>
</tr>
<tr class="odd">
<td align="left">631</td>
<td align="left">A global group was created.</td>
</tr>
<tr class="even">
<td align="left">632</td>
<td align="left">A member was added to a global group.</td>
</tr>
<tr class="odd">
<td align="left">633</td>
<td align="left">A member was removed from a global group.</td>
</tr>
<tr class="even">
<td align="left">634</td>
<td align="left">A global group was deleted.</td>
</tr>
<tr class="odd">
<td align="left">635</td>
<td align="left">A new local group was created.</td>
</tr>
<tr class="even">
<td align="left">636</td>
<td align="left">A member was added to a local group.</td>
</tr>
<tr class="odd">
<td align="left">637</td>
<td align="left">A member was removed from a local group.</td>
</tr>
<tr class="even">
<td align="left">638</td>
<td align="left">A local group was deleted.</td>
</tr>
<tr class="odd">
<td align="left">639</td>
<td align="left">A local group account was changed.</td>
</tr>
<tr class="even">
<td align="left">641</td>
<td align="left">A global group account was changed.</td>
</tr>
<tr class="odd">
<td align="left">642</td>
<td align="left">A user account was changed</td>
</tr>
<tr class="even">
<td align="left">643</td>
<td align="left">A domain policy was modified.</td>
</tr>
<tr class="odd">
<td align="left">644</td>
<td align="left">A user account was auto locked.</td>
</tr>
<tr class="even">
<td align="left">645</td>
<td align="left">A computer account was created.</td>
</tr>
<tr class="odd">
<td align="left">646</td>
<td align="left">A computer account was changed.</td>
</tr>
<tr class="even">
<td align="left">647</td>
<td align="left">A computer account was deleted.</td>
</tr>
<tr class="odd">
<td align="left">648</td>
<td align="left">A local security group with security disabled was created.
<div class="alert">
<strong>Note</strong>  SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks.
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left">649</td>
<td align="left">A local security group with security disabled was changed.</td>
</tr>
<tr class="odd">
<td align="left">650</td>
<td align="left">A member was added to a security-disabled local security group.</td>
</tr>
<tr class="even">
<td align="left">651</td>
<td align="left">A member was removed from a security-disabled local security group.</td>
</tr>
<tr class="odd">
<td align="left">652</td>
<td align="left">A security-disabled local group was deleted.</td>
</tr>
<tr class="even">
<td align="left">653</td>
<td align="left">A security-disabled global group was created.</td>
</tr>
<tr class="odd">
<td align="left">645</td>
<td align="left">A security-disabled global group was changed.</td>
</tr>
<tr class="even">
<td align="left">655</td>
<td align="left">A member was added to a security-disabled global group.</td>
</tr>
<tr class="odd">
<td align="left">656</td>
<td align="left">A member was removed from a security-disabled global group.</td>
</tr>
<tr class="even">
<td align="left">657</td>
<td align="left">A security-disabled global group was deleted.</td>
</tr>
<tr class="odd">
<td align="left">658</td>
<td align="left">A security-enabled universal group was created.</td>
</tr>
<tr class="even">
<td align="left">659</td>
<td align="left">A security-enabled universal group was changed.</td>
</tr>
<tr class="odd">
<td align="left">660</td>
<td align="left">A member was added to a security-enabled universal group.</td>
</tr>
<tr class="even">
<td align="left">661</td>
<td align="left">A member was removed from a security-enabled universal group.</td>
</tr>
<tr class="odd">
<td align="left">662</td>
<td align="left">A security-enabled universal group was deleted.</td>
</tr>
<tr class="even">
<td align="left">663</td>
<td align="left">A security-disabled universal group was created.</td>
</tr>
<tr class="odd">
<td align="left">664</td>
<td align="left">A security-disabled universal group was changed.</td>
</tr>
<tr class="even">
<td align="left">665</td>
<td align="left">A member was added to a security-disabled universal group.</td>
</tr>
<tr class="odd">
<td align="left">666</td>
<td align="left">A member was removed from a security-disabled universal group.</td>
</tr>
<tr class="even">
<td align="left">667</td>
<td align="left">A security-disabled universal group was deleted.</td>
</tr>
<tr class="odd">
<td align="left">668</td>
<td align="left">A group type was changed.</td>
</tr>
<tr class="even">
<td align="left">684</td>
<td align="left">Set the security descriptor of members of administrative groups.</td>
</tr>
<tr class="odd">
<td align="left">685</td>
<td align="left">Set the security descriptor of members of administrative groups.
<div class="alert">
<strong>Note</strong>  Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged.
</div>
<div>
 
</div></td>
</tr>
</tbody>
</table>
| Account management events | Description |
| - | - |
| 624 | A user account was created.|
| 627 | A user password was changed.|
| 628 | A user password was set. |
| 630 | A user account was deleted.|
| 631 | A global group was created. |
| 632 | A member was added to a global group.|
| 633 | A member was removed from a global group.|
| 634 | A global group was deleted. |
| 635 | A new local group was created.|
| 636 | A member was added to a local group.|
| 637 | A member was removed from a local group.|
| 638 | A local group was deleted. |
| 639 | A local group account was changed.|
| 641 | A global group account was changed.|
| 642 | A user account was changed. |
| 643 | A domain policy was modified. |
| 644 | A user account was auto locked. |
| 645 | A computer account was created. |
| 646 | A computer account was changed. |
| 647 | A computer account was deleted. |
| 648 | A local security group with security disabled was created.<br>**Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. | |
| 649 | A local security group with security disabled was changed. |
| 650 | A member was added to a security-disabled local security group. |
| 651 | A member was removed from a security-disabled local security group. |
| 652 | A security-disabled local group was deleted. |
| 653 | A security-disabled global group was created. |
| 645 | A security-disabled global group was changed. |
| 655 | A member was added to a security-disabled global group. |
| 656 | A member was removed from a security-disabled global group. |
| 657 | A security-disabled global group was deleted. |
| 658 | A security-enabled universal group was created. |
| 659 | A security-enabled universal group was changed. |
| 660 | A member was added to a security-enabled universal group. |
| 661 | A member was removed from a security-enabled universal group. |
| 662 | A security-enabled universal group was deleted. |
| 663 | A security-disabled universal group was created. |
| 664 | A security-disabled universal group was changed. |
| 665 | A member was added to a security-disabled universal group. |
| 666 | A member was removed from a security-disabled universal group. |
| 667 | A security-disabled universal group was deleted. |
| 668 | A group type was changed. |
| 684 | Set the security descriptor of members of administrative groups. |
| 685 | Set the security descriptor of members of administrative groups.<br>**Note:**  Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged.|
 
## Related topics
[Basic security audit policy settings](basic-security-audit-policy-settings.md)
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
 
 

19
windows/keep-secure/basic-audit-directory-service-access.md
View File

@ -2,33 +2,42 @@
title: Audit directory service access (Windows 10)
description: Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit directory service access
**Applies to**
- Windows 10
\[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.\]
Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
By default, this value is set to no auditing in the Default Domain Controller Group Policy object (GPO), and it remains undefined for workstations and servers where it has no meaning.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an Active Directory object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an Active Directory object that has a SACL specified. To set this value to **No auditing,** in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
**Note**  
You can set a SACL on an Active Directory object by using the **Security** tab in that object's **Properties** dialog box. This is the same as Audit object access, except that it applies only to Active Directory objects and not to file system and registry objects.
> **Note:**  You can set a SACL on an Active Directory object by using the **Security** tab in that object's **Properties** dialog box. This is the same as Audit object access, except that it applies only to Active Directory objects and not to file system and registry objects.
 
**Default:**
- Success on domain controllers.
- Undefined for a member server.
## Configure this audit setting
You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
There is only one directory service access event, which is identical to the Object Access security event message 566.
| Directory service access events | Description |
|---------------------------------|----------------------------------------|
| 566 | A generic object operation took place. |
 
## Related topics
[Basic security audit policy settings](basic-security-audit-policy-settings.md)
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
 
 

41
windows/keep-secure/basic-audit-logon-events.md
View File

@ -2,24 +2,32 @@
title: Audit logon events (Windows 10)
description: Determines whether to audit each instance of a user logging on to or logging off from a device.
ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit logon events
**Applies to**
- Windows 10
\[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.\]
Determines whether to audit each instance of a user logging on to or logging off from a device.
Account logon events are generated on domain controllers for domain account activity and on local devices for local account activity. If both account logon and logon audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation or server, and they generate an account logon event on the domain controller. Additionally, interactive logons to a member server or workstation that use a domain account generate a logon event on the domain controller as the logon scripts and policies are retrieved when a user logs on. For more info about account logon events, see [Audit account logon events](basic-audit-account-logon-events.md).
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit entry when a logon attempt fails.
To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
## Configure this audit setting
You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
| Logon events | Description |
|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Logon events | Description |
| - | - |
| 528 | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below. |
| 529 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. |
| 530 | Logon failure. A logon attempt was made user account tried to log on outside of the allowed time. |
@ -48,20 +56,23 @@ You can configure this security setting by opening the appropriate policy under
| 682 | A user has reconnected to a disconnected terminal server session. |
| 683 | A user disconnected a terminal server session without logging off. |
 
When event 528 is logged, a logon type is also listed in the event log. The following table describes each logon type.
| Logon type | Logon title | Description |
|------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 2 | Interactive | A user logged on to this computer. |
| 3 | Network | A user or computer logged on to this computer from the network. |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
| 5 | Service | A service was started by the Service Control Manager. |
| 7 | Unlock | This workstation was unlocked. |
| Logon type | Logon title | Description |
| - | - | - |
| 2 | Interactive | A user logged on to this computer.|
| 3 | Network | A user or computer logged on to this computer from the network.|
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.|
| 5 | Service | A service was started by the Service Control Manager.|
| 7 | Unlock | This workstation was unlocked.|
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.|
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop.|
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.|
 
## Related topics
[Basic security audit policy settings](basic-security-audit-policy-settings.md)
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
 
 

257
windows/keep-secure/basic-audit-object-access.md
View File

@ -2,221 +2,78 @@
title: Audit object access (Windows 10)
description: Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.
ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit object access
**Applies to**
- Windows 10
Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an object that has an appropriate SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a SACL specified.
To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes.
**Note**  You can set a SACL on a file system object using the **Security** tab in that object's **Properties** dialog box.
> **Note:**  You can set a SACL on a file system object using the **Security** tab in that object's **Properties** dialog box.
 
**Default:** No auditing.
## Configure this audit setting
You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Object access events</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">560</td>
<td align="left">Access was granted to an already existing object.</td>
</tr>
<tr class="even">
<td align="left">562</td>
<td align="left">A handle to an object was closed.</td>
</tr>
<tr class="odd">
<td align="left">563</td>
<td align="left">An attempt was made to open an object with the intent to delete it.
<div class="alert">
<strong>Note</strong>  This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile().
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left">564</td>
<td align="left">A protected object was deleted.</td>
</tr>
<tr class="odd">
<td align="left">565</td>
<td align="left">Access was granted to an already existing object type.</td>
</tr>
<tr class="even">
<td align="left">567</td>
<td align="left">A permission associated with a handle was used.
<div class="alert">
<strong>Note</strong>  A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used.
</div>
<div>
 
</div></td>
</tr>
<tr class="odd">
<td align="left">568</td>
<td align="left">An attempt was made to create a hard link to a file that is being audited.</td>
</tr>
<tr class="even">
<td align="left">569</td>
<td align="left">The resource manager in Authorization Manager attempted to create a client context.</td>
</tr>
<tr class="odd">
<td align="left">570</td>
<td align="left">A client attempted to access an object.
<div class="alert">
<strong>Note</strong>  An event will be generated for every attempted operation on the object.
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left">571</td>
<td align="left">The client context was deleted by the Authorization Manager application.</td>
</tr>
<tr class="odd">
<td align="left">572</td>
<td align="left">The administrator manager initialized the application.</td>
</tr>
<tr class="even">
<td align="left">772</td>
<td align="left">The certificate manager denied a pending certificate request.</td>
</tr>
<tr class="odd">
<td align="left">773</td>
<td align="left">Certificate Services received a resubmitted certificate request.</td>
</tr>
<tr class="even">
<td align="left">774</td>
<td align="left">Certificate Services revoked a certificate.</td>
</tr>
<tr class="odd">
<td align="left">775</td>
<td align="left">Certificate Services received a request to publish the certificate revocation list (CRL).</td>
</tr>
<tr class="even">
<td align="left">776</td>
<td align="left">Certificate Services published the certificate revocation list (CRL).</td>
</tr>
<tr class="odd">
<td align="left">777</td>
<td align="left">A certificate request extension was made.</td>
</tr>
<tr class="even">
<td align="left">778</td>
<td align="left">One or more certificate request attributes changed.</td>
</tr>
<tr class="odd">
<td align="left">779</td>
<td align="left">Certificate Services received a request to shutdown.</td>
</tr>
<tr class="even">
<td align="left">780</td>
<td align="left">Certificate Services backup started.</td>
</tr>
<tr class="odd">
<td align="left">781</td>
<td align="left">Certificate Services backup completed</td>
</tr>
<tr class="even">
<td align="left">782</td>
<td align="left">Certificate Services restore started.</td>
</tr>
<tr class="odd">
<td align="left">783</td>
<td align="left">Certificate Services restore completed.</td>
</tr>
<tr class="even">
<td align="left">784</td>
<td align="left">Certificate Services started.</td>
</tr>
<tr class="odd">
<td align="left">785</td>
<td align="left">Certificate Services stopped.</td>
</tr>
<tr class="even">
<td align="left">786</td>
<td align="left">The security permissions for Certificate Services changed.</td>
</tr>
<tr class="odd">
<td align="left">787</td>
<td align="left">Certificate Services retrieved an archived key.</td>
</tr>
<tr class="even">
<td align="left">788</td>
<td align="left">Certificate Services imported a certificate into its database.</td>
</tr>
<tr class="odd">
<td align="left">789</td>
<td align="left">The audit filter for Certificate Services changed.</td>
</tr>
<tr class="even">
<td align="left">790</td>
<td align="left">Certificate Services received a certificate request.</td>
</tr>
<tr class="odd">
<td align="left">791</td>
<td align="left">Certificate Services approved a certificate request and issued a certificate.</td>
</tr>
<tr class="even">
<td align="left">792</td>
<td align="left">Certificate Services denied a certificate request.</td>
</tr>
<tr class="odd">
<td align="left">793</td>
<td align="left">Certificate Services set the status of a certificate request to pending.</td>
</tr>
<tr class="even">
<td align="left">794</td>
<td align="left">The certificate manager settings for Certificate Services changed.</td>
</tr>
<tr class="odd">
<td align="left">795</td>
<td align="left">A configuration entry changed in Certificate Services.</td>
</tr>
<tr class="even">
<td align="left">796</td>
<td align="left">A property of Certificate Services changed.</td>
</tr>
<tr class="odd">
<td align="left">797</td>
<td align="left">Certificate Services archived a key.</td>
</tr>
<tr class="even">
<td align="left">798</td>
<td align="left">Certificate Services imported and archived a key.</td>
</tr>
<tr class="odd">
<td align="left">799</td>
<td align="left">Certificate Services published the CA certificate to Active Directory.</td>
</tr>
<tr class="even">
<td align="left">800</td>
<td align="left">One or more rows have been deleted from the certificate database.</td>
</tr>
<tr class="odd">
<td align="left">801</td>
<td align="left">Role separation enabled.</td>
</tr>
</tbody>
</table>
 
| Object access events | Description |
| - | - |
| 560 | Access was granted to an already existing object.|
| 562 | A handle to an object was closed. |
| 563 | An attempt was made to open an object with the intent to delete it.<br>**Note: **  This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile().||
| 564 | A protected object was deleted. |
| 565 | Access was granted to an already existing object type.|
| 567 | A permission associated with a handle was used.<br>**Note: **  A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used.|
| 568 | An attempt was made to create a hard link to a file that is being audited. |
| 569 | The resource manager in Authorization Manager attempted to create a client context.|
| 570 | A client attempted to access an object.<br>**Note:**  An event will be generated for every attempted operation on the object.|
| 571 | The client context was deleted by the Authorization Manager application. |
| 572 | The administrator manager initialized the application. |
| 772 | The certificate manager denied a pending certificate request.|
| 773 | Certificate Services received a resubmitted certificate request.|
| 774 | Certificate Services revoked a certificate.|
| 775 | Certificate Services received a request to publish the certificate revocation list (CRL).|
| 776 | Certificate Services published the certificate revocation list (CRL). |
| 777 | A certificate request extension was made. |
| 778 | One or more certificate request attributes changed.|
| 779 | Certificate Services received a request to shutdown.|
| 780 | Certificate Services backup started. |
| 781 | Certificate Services backup completed |
| 782 | Certificate Services restore started. |
| 783 | Certificate Services restore completed.|
| 784 | Certificate Services started. |
| 785 | Certificate Services stopped. |
| 786 | The security permissions for Certificate Services changed.|
| 787 | Certificate Services retrieved an archived key. |
| 788 | Certificate Services imported a certificate into its database.|
| 789 | The audit filter for Certificate Services changed. |
| 790 | Certificate Services received a certificate request.|
| 791 | Certificate Services approved a certificate request and issued a certificate.|
| 792 | Certificate Services denied a certificate request. |
| 793 | Certificate Services set the status of a certificate request to pending.|
| 794 | The certificate manager settings for Certificate Services changed. |
| 795 | A configuration entry changed in Certificate Services. |
| 796 | A property of Certificate Services changed. |
| 797 | Certificate Services archived a key. |
| 798 | Certificate Services imported and archived a key.|
| 799 | Certificate Services published the CA certificate to Active Directory.|
| 800 | One or more rows have been deleted from the certificate database. |
| 801 | Role separation enabled. |
## Related topics
[Basic security audit policy settings](basic-security-audit-policy-settings.md)
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
 
 

160
windows/keep-secure/basic-audit-policy-change.md
View File

@ -2,147 +2,59 @@
title: Audit policy change (Windows 10)
description: Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
ms.assetid: 1025A648-6B22-4C85-9F47-FE0897F1FA31
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit policy change
**Applies to**
- Windows 10
Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a change to user rights assignment policies, audit policies, or trust policies is successful. Failure audits generate an audit entry when a change to user rights assignment policies, audit policies, or trust policies fails.
To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
**Default:**
- Success on domain controllers.
- No auditing on member servers.
## Configure this audit setting
You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Policy change events</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">608</td>
<td align="left">A user right was assigned.</td>
</tr>
<tr class="even">
<td align="left">609</td>
<td align="left">A user right was removed.</td>
</tr>
<tr class="odd">
<td align="left">610</td>
<td align="left">A trust relationship with another domain was created.</td>
</tr>
<tr class="even">
<td align="left">611</td>
<td align="left">A trust relationship with another domain was removed.</td>
</tr>
<tr class="odd">
<td align="left">612</td>
<td align="left">An audit policy was changed.</td>
</tr>
<tr class="even">
<td align="left">613</td>
<td align="left">An Internet Protocol security (IPSec) policy agent started.</td>
</tr>
<tr class="odd">
<td align="left">614</td>
<td align="left">An IPSec policy agent was disabled.</td>
</tr>
<tr class="even">
<td align="left">615</td>
<td align="left">An IPSec policy agent changed.</td>
</tr>
<tr class="odd">
<td align="left">616</td>
<td align="left">An IPSec policy agent encountered a potentially serious failure.</td>
</tr>
<tr class="even">
<td align="left">617</td>
<td align="left">A Kerberos policy changed.</td>
</tr>
<tr class="odd">
<td align="left">618</td>
<td align="left">Encrypted Data Recovery policy changed.</td>
</tr>
<tr class="even">
<td align="left">620</td>
<td align="left">A trust relationship with another domain was modified.</td>
</tr>
<tr class="odd">
<td align="left">621</td>
<td align="left">System access was granted to an account.</td>
</tr>
<tr class="even">
<td align="left">622</td>
<td align="left">System access was removed from an account.</td>
</tr>
<tr class="odd">
<td align="left">623</td>
<td align="left">Per user auditing policy was set for a user.</td>
</tr>
<tr class="even">
<td align="left">625</td>
<td align="left">Per user audit policy was refreshed.</td>
</tr>
<tr class="odd">
<td align="left">768</td>
<td align="left">A collision was detected between a namespace element in one forest and a namespace element in another forest.
<div class="alert">
<strong>Note</strong>  When a namespace element in one forest overlaps a namespace element in another forest, it can lead to ambiguity in resolving a name belonging to one of the namespace elements. This overlap is also called a collision. Not all parameters are valid for each entry type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for an entry of type 'TopLevelName'.
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left">769</td>
<td align="left">Trusted forest information was added.
<div class="alert">
<strong>Note</strong>  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type &quot;TopLevelName&quot;.
</div>
<div>
 
</div></td>
</tr>
<tr class="odd">
<td align="left">770</td>
<td align="left">Trusted forest information was deleted.
<div class="alert">
<strong>Note</strong>  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type &quot;TopLevelName&quot;.
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left">771</td>
<td align="left">Trusted forest information was modified.
<div class="alert">
<strong>Note</strong>  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type &quot;TopLevelName&quot;.
</div>
<div>
 
</div></td>
</tr>
<tr class="odd">
<td align="left">805</td>
<td align="left">The event log service read the security log configuration for a session.</td>
</tr>
</tbody>
</table>
| Policy change events | Description |
| - | - |
| 608 | A user right was assigned.|
| 609 | A user right was removed. |
| 610 | A trust relationship with another domain was created.|
| 611 | A trust relationship with another domain was removed.|
| 612 | An audit policy was changed.|
| 613 | An Internet Protocol security (IPSec) policy agent started.|
| 614 | An IPSec policy agent was disabled. |
| 615 | An IPSec policy agent changed. |
| 616 | An IPSec policy agent encountered a potentially serious failure.|
| 617 | A Kerberos policy changed. |
| 618 | Encrypted Data Recovery policy changed.|
| 620 | A trust relationship with another domain was modified.|
| 621 | System access was granted to an account. |
| 622 | System access was removed from an account.|
| 623 | Per user auditing policy was set for a user.|
| 625 | Per user audit policy was refreshed. |
| 768 | A collision was detected between a namespace element in one forest and a namespace element in another forest.<br>**Note**  When a namespace element in one forest overlaps a namespace element in another forest, it can lead to ambiguity in resolving a name belonging to one of the namespace elements. This overlap is also called a collision. Not all parameters are valid for each entry type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for an entry of type 'TopLevelName'.|
| 769 | Trusted forest information was added.<br>**Note:**  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type &quot;TopLevelName&quot;.|
| 770 | Trusted forest information was deleted.<br>**Note:**  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type &quot;TopLevelName&quot;.|
| 771 | Trusted forest information was modified.<br>**Note:**  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type &quot;TopLevelName&quot;.|
| 805 | The event log service read the security log configuration for a session.
 
## Related topics
[Basic security audit policy settings](basic-security-audit-policy-settings.md)
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
 
 

53
windows/keep-secure/basic-audit-privilege-use.md
View File

@ -2,20 +2,28 @@
title: Audit privilege use (Windows 10)
description: Determines whether to audit each instance of a user exercising a user right.
ms.assetid: C5C6DAAF-8B58-4DFB-B1CE-F0675AE0E9F8
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit privilege use
**Applies to**
- Windows 10
Determines whether to audit each instance of a user exercising a user right.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit this type of event at all. Success audits generate an audit entry when the exercise of a user right succeeds. Failure audits generate an audit entry when the exercise of a user right fails.
To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes.
**Default:** No auditing.
Audits are not generated for use of the following user rights, even if success audits or failure audits are specified for **Audit privilege use**. Enabling auditing of these user rights tend to generate many events in the security log which may impede your computer's performance. To audit the following user rights, enable the **FullPrivilegeAuditing** registry key.
- Bypass traverse checking
- Debug programs
- Create a token object
@ -23,42 +31,19 @@ Audits are not generated for use of the following user rights, even if success a
- Generate security audits
- Back up files and directories
- Restore files and directories
## Configure this audit setting
You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Privilege use events</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">576</td>
<td align="left">Specified privileges were added to a user's access token.
<div class="alert">
<strong>Note</strong>  This event is generated when the user logs on.
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left">577</td>
<td align="left">A user attempted to perform a privileged system service operation.</td>
</tr>
<tr class="odd">
<td align="left">578</td>
<td align="left">Privileges were used on an already open handle to a protected object.</td>
</tr>
</tbody>
</table>
| Privilege use events | Description |
| - | - |
| 576 | Specified privileges were added to a user's access token.<br>**Note:**  This event is generated when the user logs on.|
| 577 | A user attempted to perform a privileged system service operation. |
| 578 | Privileges were used on an already open handle to a protected object. |
 
## Related topics
[Basic security audit policy settings](basic-security-audit-policy-settings.md)
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
 
 

91
windows/keep-secure/basic-audit-process-tracking.md
View File

@ -2,87 +2,46 @@
title: Audit process tracking (Windows 10)
description: Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
ms.assetid: 91AC5C1E-F4DA-4B16-BEE2-C92D66E4CEEA
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit process tracking
**Applies to**
- Windows 10
Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when the process being tracked succeeds. Failure audits generate an audit entry when the process being tracked fails.
To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes.
**Default:** No auditing.
## Configure this this security setting
You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Process tracking events</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">592</td>
<td align="left">A new process was created.</td>
</tr>
<tr class="even">
<td align="left">593</td>
<td align="left">A process exited.</td>
</tr>
<tr class="odd">
<td align="left">594</td>
<td align="left">A handle to an object was duplicated.</td>
</tr>
<tr class="even">
<td align="left">595</td>
<td align="left">Indirect access to an object was obtained.</td>
</tr>
<tr class="odd">
<td align="left">596</td>
<td align="left">A data protection master key was backed up.
<div class="alert">
<strong>Note</strong>  The master key is used by the CryptProtectData and CryptUnprotectData routines, and Encrypting File System (EFS). The master key is backed up each time a new one is created. (The default setting is 90 days.) The key is usually backed up to a domain controller.
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left">597</td>
<td align="left">A data protection master key was recovered from a recovery server.</td>
</tr>
<tr class="odd">
<td align="left">598</td>
<td align="left">Auditable data was protected.</td>
</tr>
<tr class="even">
<td align="left">599</td>
<td align="left">Auditable data was unprotected.</td>
</tr>
<tr class="odd">
<td align="left">600</td>
<td align="left">A process was assigned a primary token.</td>
</tr>
<tr class="even">
<td align="left">601</td>
<td align="left">A user attempted to install a service.</td>
</tr>
<tr class="odd">
<td align="left">602</td>
<td align="left">A scheduler job was created.</td>
</tr>
</tbody>
</table>
| Process tracking events | Description |
| - | - |
| 592 | A new process was created.|
| 593 | A process exited. |
| 594 | A handle to an object was duplicated.|
| 595 | Indirect access to an object was obtained.|
| 596 | A data protection master key was backed up.<br>**Note:** The master key is used by the CryptProtectData and CryptUnprotectData routines, and Encrypting File System (EFS). The master key is backed up each time a new one is created. (The default setting is 90 days.) The key is usually backed up to a domain controller.|
| 597 | A data protection master key was recovered from a recovery server.|
| 598 | Auditable data was protected. |
| 599 | Auditable data was unprotected.|
| 600 | A process was assigned a primary token.|
| 601 | A user attempted to install a service. |
| 602 | A scheduler job was created. |
 
## Related topics
[Basic security audit policy settings](basic-security-audit-policy-settings.md)
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
 
 

84
windows/keep-secure/basic-audit-system-events.md
View File

@ -2,81 +2,47 @@
title: Audit system events (Windows 10)
description: Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
ms.assetid: BF27588C-2AA7-4365-A4BF-3BB377916447
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit system events
**Applies to**
- Windows 10
Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit entry when a logon attempt fails.
To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
**Default:**
- Success on domain controllers.
- No auditing on member servers.
## Configure this audit setting
You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Logon events</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">512</td>
<td align="left">Windows is starting up.</td>
</tr>
<tr class="even">
<td align="left">513</td>
<td align="left">Windows is shutting down.</td>
</tr>
<tr class="odd">
<td align="left">514</td>
<td align="left">An authentication package was loaded by the Local Security Authority.</td>
</tr>
<tr class="even">
<td align="left">515</td>
<td align="left">A trusted logon process has registered with the Local Security Authority.</td>
</tr>
<tr class="odd">
<td align="left">516</td>
<td align="left">Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.</td>
</tr>
<tr class="even">
<td align="left">517</td>
<td align="left">The audit log was cleared.</td>
</tr>
<tr class="odd">
<td align="left">518</td>
<td align="left">A notification package was loaded by the Security Accounts Manager.</td>
</tr>
<tr class="even">
<td align="left">519</td>
<td align="left">A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address space.</td>
</tr>
<tr class="odd">
<td align="left">520</td>
<td align="left">The system time was changed.
<div class="alert">
<strong>Note</strong>  This audit normally appears twice.
</div>
<div>
 
</div></td>
</tr>
</tbody>
</table>
 
| Logon events | Description |
| - | - |
| 512 | Windows is starting up. |
| 513 | Windows is shutting down. |
| 514 | An authentication package was loaded by the Local Security Authority.|
| 515 | A trusted logon process has registered with the Local Security Authority.|
| 516 | Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.|
| 517 | The audit log was cleared. |
| 518 | A notification package was loaded by the Security Accounts Manager.|
| 519 | A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address space.|
| 520 | The system time was changed.<br>**Note:**  This audit normally appears twice.|
## Related topics
[Basic security audit policy settings](basic-security-audit-policy-settings.md)
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
 
 

47
windows/keep-secure/basic-security-audit-policies.md
View File

@ -2,17 +2,22 @@
title: Basic security audit policies (Windows 10)
description: Before you implement auditing, you must decide on an auditing policy.
ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Basic security audit policies
**Applies to**
- Windows 10
Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization.
The event categories that you can choose to audit are:
- Audit account logon events
- Audit account management
- Audit directory service access
@ -22,38 +27,16 @@ The event categories that you can choose to audit are:
- Audit privilege use
- Audit process tracking
- Audit system events
If you choose to audit access to objects as part of your audit policy, you must enable either the audit directory service access category (for auditing objects on a domain controller), or the audit object access category (for auditing objects on a member server or workstation). Once you have enabled the object access category, you can specify the types of access you want to audit for each group or user.
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Create a basic audit policy for an event category](create-a-basic-audit-policy-settings-for-an-event-category.md)</p></td>
<td align="left"><p>By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Apply a basic audit policy on a file or folder](apply-a-basic-audit-policy-on-a-file-or-folder.md)</p></td>
<td align="left"><p>You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[View the security event log](view-the-security-event-log.md)</p></td>
<td align="left"><p>The security log records each event as defined by the audit policies you set on each object.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Basic security audit policy settings](basic-security-audit-policy-settings.md)</p></td>
<td align="left"><p>Basic security audit policy settings are found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.</p></td>
</tr>
</tbody>
</table>
 
| Topic | Description |
| - | - |
| [Create a basic audit policy for an event category](create-a-basic-audit-policy-settings-for-an-event-category.md) | By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default. |
| [Apply a basic audit policy on a file or folder](apply-a-basic-audit-policy-on-a-file-or-folder.md) | You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log. |
| [View the security event log](view-the-security-event-log.md) | The security log records each event as defined by the audit policies you set on each object.|
| [Basic security audit policy settings](basic-security-audit-policy-settings.md) | Basic security audit policy settings are found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.|
 
 

71
windows/keep-secure/basic-security-audit-policy-settings.md
View File

@ -2,69 +2,36 @@
title: Basic security audit policy settings (Windows 10)
description: Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
ms.assetid: 31C2C453-2CFC-4D9E-BC88-8CE1C1A8F900
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Basic security audit policy settings
**Applies to**
- Windows 10
Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Audit account logon events](basic-audit-account-logon-events.md)</p></td>
<td align="left"><p>Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Audit account management](basic-audit-account-management.md)</p></td>
<td align="left"><p>Determines whether to audit each event of account management on a device.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Audit directory service access](basic-audit-directory-service-access.md)</p></td>
<td align="left"><p>Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Audit logon events](basic-audit-logon-events.md)</p></td>
<td align="left"><p>Determines whether to audit each instance of a user logging on to or logging off from a device.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Audit object access](basic-audit-object-access.md)</p></td>
<td align="left"><p>Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Audit policy change](basic-audit-policy-change.md)</p></td>
<td align="left"><p>Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Audit privilege use](basic-audit-privilege-use.md)</p></td>
<td align="left"><p>Determines whether to audit each instance of a user exercising a user right.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Audit process tracking](basic-audit-process-tracking.md)</p></td>
<td align="left"><p>Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Audit system events](basic-audit-system-events.md)</p></td>
<td align="left"><p>Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.</p></td>
</tr>
</tbody>
</table>
| Topic | Description |
| - | - |
| [Audit account logon events](basic-audit-account-logon-events.md) | Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.|
| [Audit account management](basic-audit-account-management.md) | Determines whether to audit each event of account management on a device.|
| [Audit directory service access](basic-audit-directory-service-access.md) | Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.|
| [Audit logon events](basic-audit-logon-events.md) | Determines whether to audit each instance of a user logging on to or logging off from a device. |
| [Audit object access](basic-audit-object-access.md) | Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.|
| [Audit policy change](basic-audit-policy-change.md) | Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. |
| [Audit privilege use](basic-audit-privilege-use.md) | Determines whether to audit each instance of a user exercising a user right. |
| [Audit process tracking](basic-audit-process-tracking.md) | Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.|
| [Audit system events](basic-audit-system-events.md) | Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. |
 
## Related topics
[Basic security audit policy settings](basic-security-audit-policy-settings.md)
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
 
 

1119
windows/keep-secure/bcd-settings-and-bitlocker.md
View File

File diff suppressed because it is too large Load Diff

197
windows/keep-secure/bitlocker-basic-deployment.md
View File

@ -2,36 +2,49 @@
title: BitLocker basic deployment (Windows 10)
description: This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
ms.assetid: 97c646cb-9e53-4236-9678-354af41151c4
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# BitLocker basic deployment
**Applies to**
- Windows 10
This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
The following sections provide information that will help you put together your basic deployment plan for implementing BitLocker in your organization:
- [Using BitLocker to encrypt volumes](#bkmk-dep1)
- [Down-level compatibility](#bkmk-dep2)
- [Using manage-bde to encrypt volumes with BitLocker](#bkmk-dep3)
- [Using PowerShell to encrypt volumes with BitLocker](#bkmk-dep4)
## <a href="" id="bkmk-dep1"></a>Using BitLocker to encrypt volumes
BitLocker provides full volume encryption (FVE) for operating system volumes, as well as fixed and removable data volumes. To support fully encrypted operating system volumes, BitLocker uses an unencrypted system volume for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems.
In the event that the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes.
**Note**  
For more info about using this tool, see [Bdehdcfg](http://technet.microsoft.com/library/ee732026.aspx) in the Command-Line Reference.
> **Note:**  For more info about using this tool, see [Bdehdcfg](http://technet.microsoft.com/library/ee732026.aspx) in the Command-Line Reference.
 
BitLocker encryption can be done using the following methods:
- BitLocker control panel
- Windows Explorer
- manage-bde command line interface
- BitLocker Windows PowerShell cmdlets
### Encrypting volumes using the BitLocker control panel
Encrypting volumes with the BitLocker control panel is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume).
### Operating system volume
Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are:
<table>
<colgroup>
@ -81,32 +94,53 @@ Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets t
 
Upon passing the initial configuration, users are required to enter a password for the volume. If the volume does not pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken.
Once a strong password has been created for the volume, a recovery key will be generated. The BitLocker Drive Encryption Wizard will prompt for a location to save this key. A BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A recovery key can also be used to gain access to your files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason you forget the password or your computer cannot access the drive.
You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network folder or on your OneDrive, or on another drive of your computer that you are not encrypting. You cannot save the recovery key to the root directory of a non-removable drive and cannot be stored on the encrypted volume. You cannot save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Ideally, you should store the recovery key separate from your computer. After you create a recovery key, you can use the BitLocker control panel to make additional copies.
When the recovery key has been properly stored, the BitLocker Drive Encryption Wizard will prompt the user to choose how to encrypt the drive. There are two options:
- Encrypt used disk space only - Encrypts only disk space that contains data
- Encrypt entire drive - Encrypts the entire volume including free space
It is recommended that drives with little to no data utilize the **used disk space only** encryption option and that drives with data or an operating system utilize the **encrypt entire drive** option.
**Note**  
Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools.
> **Note:**  Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools.
 
Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. It is recommended to run this system check before starting the encryption process. If the system check is not run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.
After completing the system check (if selected), the BitLocker Drive Encryption Wizard will restart the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel.
Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning BitLocker off.
### Data volume
Encrypting data volumes using the BitLocker control panel interface works in a similar fashion to encryption of the operating system volumes. Users select **Turn on BitLocker** within the control panel to begin the BitLocker Drive Encryption wizard.
Unlike for operating system volumes, data volumes are not required to pass any configuration tests for the wizard to proceed. Upon launching the wizard, a choice of authentication methods to unlock the drive appears. The available options are **password** and **smart card** and **automatically unlock this drive on this computer**. Disabled by default, the latter option will unlock the data volume without user input when the operating system volume is unlocked.
After selecting the desired authentication method and choosing **Next**, the wizard presents options for storage of the recovery key. These options are the same as for operating system volumes.
With the recovery key saved, selecting **Next** in the wizard will show available options for encryption. These options are the same as for operating system volumes; **used disk space only** and **full drive encryption**. If the volume being encrypted is new or empty, it is recommended that used space only encryption is selected.
With an encryption method chosen, a final confirmation screen displays before beginning the encryption process. Selecting **Start encrypting** will begin encryption.
Encryption status displays in the notification area or within the BitLocker control panel.
### <a href="" id="-onedrive-option-"></a> OneDrive option
There is a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers are not members of a domain and that the user is using a Microsoft Account. Local accounts do not give the option to utilize OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that are not joined to a domain.
Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder which is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder which is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive,
they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
### Using BitLocker within Windows Explorer
Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by right clicking on a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, you must first install the BitLocker and Desktop-Experience features for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel.
## <a href="" id="bkmk-dep2"></a>Down-level compatibility
The following table shows the compatibility matrix for systems that have been BitLocker enabled then presented to a different version of Windows.
Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes
<table>
<colgroup>
<col width="25%" />
@ -149,48 +183,66 @@ Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Window
</table>
 
### Encrypting volumes using the manage-bde command line interface
Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](http://technet.microsoft.com/library/ff829849.aspx).
Manage-bde offers a multitude of wider options for configuring BitLocker. This means that using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected.
Command line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes.
### Operating system volume
Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on <drive letter>` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key.
**Determining volume status**
A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status:
``` syntax
manage-bde -status
```
`manage-bde -status`
This command returns the volumes on the target, current encryption status and volume type (operating system or data) for each volume. Using this information, users can determine the best encryption method for their environment.
**Enabling BitLocker without a TPM**
For example, suppose that you want to enable BitLocker on a computer without a TPM chip. To properly enable BitLocker for the operating system volume, you will need to use a USB flash drive as a startup key to boot (in this example, the drive letter E). You would first create the startup key needed for BitLocker using the protectors option and save it to the USB drive on E: and then begin the encryption process. You will need to reboot the computer when prompted to complete the encryption process.
``` syntax
manage-bde protectors -add C: -startupkey E:
manage-bde -on C:
```
**Enabling BitLocker with a TPM only**
It is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this is:
``` syntax
manage-bde -on C:
```
`manage-bde -on C:`
This will encrypt the drive using the TPM as the protector. If a user is unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information with the command:
``` syntax
manage-bde -protectors -get <volume>
```
`manage-bde -protectors -get <volume>`
**Provisioning BitLocker with two protectors**
Another example is a user on non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. This is done with the command:
``` syntax
manage-bde -protectors -add C: -pw -sid <user or group>
```
`manage-bde -protectors -add C: -pw -sid <user or group>`
This command will require the user to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn BitLocker on.
### Data volume
Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on <drive letter>` or users can choose to add protectors to the volume. It is recommended that at least one primary protector and a recovery protector be added to a data volume.
**Enabling BitLocker with a password**
A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on.
``` syntax
manage-bde -protectors -add -pw C:
manage-bde -on C:
```
## <a href="" id="bkmk-dep3"></a>Using manage-bde to encrypt volumes with BitLocker
### Encrypting volumes using the BitLocker Windows PowerShell cmdlets
Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets.
<table>
<colgroup>
@ -322,12 +374,11 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets.
A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLocker` volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information.
Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors.
**Note**  
In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID.
> **Note:**  In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID.
 
``` syntax
Get-BitLockerVolume C: | fl
```
`Get-BitLockerVolume C: | fl`
If you wanted to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed.
A simple script can pipe the values of each **Get-BitLockerVolume** return out to another variable as seen below:
``` syntax
@ -339,138 +390,150 @@ Using this information, we can then remove the key protector for a specific volu
``` syntax
Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}"
```
**Note**  
The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
> **Note:**  The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
 
### Operating system volume
Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell.
To enable BitLocker with just the TPM protector. This can be done using the command:
``` syntax
Enable-BitLocker C:
```
The example below adds one additional protector, the StartupKey protectors, and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot.
``` syntax
Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath <path> -SkipHardwareTest
```
### Data volume
Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user defined password. Last, encryption begins.
``` syntax
$pw = Read-Host -AsSecureString
<user inputs password>
Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
```
### Using a SID based protector in Windows PowerShell
The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and be unlocked to any member computer of the cluster.
**Warning**  
The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes.
>**Warning:**  The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes.
 
To add an ADAccountOrGroup protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
``` syntax
Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator
```
For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command:
``` syntax
get-aduser -filter {samaccountname -eq "administrator"}
```
**Note**  
Use of this command requires the RSAT-AD-PowerShell feature.
> **Note:**  Use of this command requires the RSAT-AD-PowerShell feature.
 
**Tip**  
In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features.
> **Tip:**  In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features.
 
In the example below, the user wishes to add a domain SID based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command:
``` syntax
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "<SID>"
```
**Note**  
Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
> **Note:**  Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
 
## <a href="" id="bkmk-dep4"></a>Using PowerShell to encrypt volumes with BitLocker
### Checking BitLocker status
To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We will look at each of the available methods in the following section.
### Checking BitLocker status with the control panel
Checking BitLocker status with the control panel is the most common method used by most users. Once opened, the status for each volume will display next to the volume description and drive letter. Available status return values with the control panel include:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><strong>Status</strong></p></td>
<td align="left"><p><strong>Description</strong></p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>On</strong></p></td>
<td align="left"><p>BitLocker is enabled for the volume</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Off</strong></p></td>
<td align="left"><p>BitLocker is not enabled for the volume</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Suspended</strong></p></td>
<td align="left"><p>BitLocker is suspended and not actively protecting the volume</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Waiting for Activation</strong></p></td>
<td align="left"><p>BitLocker is enabled with a clear protector key and requires further action to be fully protected</p></td>
</tr>
</tbody>
</table>
| Status | Description |
| - | - |
| **On**|BitLocker is enabled for the volume |
| **Off**| BitLocker is not enabled for the volume |
| **Suspended** | BitLocker is suspended and not actively protecting the volume |
| **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected|
 
If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on volume E. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status.
Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume.
The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process.
Once BitLocker protector activation is completed, the completion notice is displayed.
### Checking BitLocker status with manage-bde
Administrators who prefer a command line interface can utilize manage-bde to check volume status. Manage-bde is capable of returning more information about the volume than the graphical user interface tools in the control panel. For example, manage-bde can display the BitLocker version in use, the encryption type, and the protectors associated with a volume.
To check the status of a volume using manage-bde, use the following command:
``` syntax
manage-bde -status <volume>
```
**Note**  
If no volume letter is associated with the -status command, all volumes on the computer display their status.
> **Note:**  If no volume letter is associated with the -status command, all volumes on the computer display their status.
 
### Checking BitLocker status with Windows PowerShell
Windows PowerShell commands offer another way to query BitLocker status for volumes. Like manage-bde, Windows PowerShell includes the advantage of being able to check the status of a volume on a remote computer.
Using the Get-BitLockerVolume cmdlet, each volume on the system will display its current BitLocker status. To get information that is more detailed on a specific volume, use the following command:
``` syntax
Get-BitLockerVolume <volume> -Verbose | fl
```
This command will display information about the encryption method, volume type, key protectors, etc.
### Provisioning BitLocker during operating system deployment
Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment. This is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk Space Only option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes.
### Decrypting BitLocker volumes
Decrypting volumes removes BitLocker and any associated protectors from the volumes. Decryption should occur when protection is no longer required. BitLocker decryption should not occur as a troubleshooting step. BitLocker can be removed from a volume using the BitLocker control panel applet, manage-bde, or Windows PowerShell cmdlets. We will discuss each method further below.
### Decrypting volumes using the BitLocker control panel applet
BitLocker decryption using the control panel is done using a Wizard. The control panel can be called from Windows Explorer or by opening the directly. After opening the BitLocker control panel, users will select the Turn off BitLocker option to begin the process.
Once selected, the user chooses to continue by clicking the confirmation dialog. With Turn off BitLocker confirmed, the drive decryption process will begin and report status to the control panel.
The control panel does not report decryption progress but displays it in the notification area of the task bar. Selecting the notification area icon will open a modal dialog with progress.
Once decryption is complete, the drive will update its status in the control panel and is available for encryption.
### Decrypting volumes using the manage-bde command line interface
Decrypting volumes using manage-bde is very straightforward. Decryption with manage-bde offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is:
``` syntax
manage-bde -off C:
```
This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If a user wishes to check the status of the decryption, they can use the following command:
``` syntax
manage-bde -status C:
```
### Decrypting volumes using the BitLocker Windows PowerShell cmdlets
Decryption with Windows PowerShell cmdlets is straightforward, similar to manage-bde. The additional advantage Windows PowerShell offers is the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt.
Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for additional commands. An example of this command is:
``` syntax
DisableBitLocker
```
If a user did not want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. An example command is:
``` syntax
Disable-BitLocker -MountPoint E:,F:,G:
```
## See also
[Prepare your organization for BitLocker: Planning and p\\olicies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
[BitLocker recovery guide](bitlocker-recovery-guide-plan.md)
[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
[BitLocker overview](bitlocker-overview.md)
- [Prepare your organization for BitLocker: Planning and p\\olicies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker recovery guide](bitlocker-recovery-guide-plan.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
- [BitLocker overview](bitlocker-overview.md)