mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merge branch 'master' into whfbfaqchanges
This commit is contained in:
Gary Moore
GitHub
commit
196452bb8a
@ -15,7 +15,7 @@ manager: dansimp
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 4/16/2017
|
||||
ms.date: 1/20/2021
|
||||
---
|
||||
|
||||
# Manage Windows Hello for Business in your organization
|
||||
@ -369,9 +369,11 @@ For more information about using the PIN recovery service for PIN reset see [Win
|
||||
|
||||
Windows Hello for Business is designed to be managed by Group Policy or MDM but not a combination of both. If policies are set from both sources it can result in a mixed result of what is actually enforced for a user or device.
|
||||
|
||||
Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy. All PIN complexity policies are grouped together and enforced from a single policy source.
|
||||
Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy.
|
||||
|
||||
Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies is enforced on a per policy basis.
|
||||
Feature enablement policy and certificate trust policy are grouped together and enforced from the same source (either GP or MDM), based on the rule above. The Use Passport for Work policy is used to determine the winning policy source.
|
||||
|
||||
All PIN complexity policies, are grouped separately from feature enablement and are enforced from a single policy source. Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies are enforced on a per policy basis.
|
||||
|
||||
>[!NOTE]
|
||||
> Windows Hello for Business policy conflict resolution logic does not respect the ControlPolicyConflict/MDMWinsOverGP policy in the Policy CSP.
|
||||
@ -382,8 +384,6 @@ Use a hardware security device and RequireSecurityDevice enforcement are also gr
|
||||
>
|
||||
>- Use Windows Hello for Business - Enabled
|
||||
>- User certificate for on-premises authentication - Enabled
|
||||
>- Require digits - Enabled
|
||||
>- Minimum PIN length - 6
|
||||
>
|
||||
>The following are configured using device MDM Policy:
|
||||
>
|
||||
@ -398,8 +398,10 @@ Use a hardware security device and RequireSecurityDevice enforcement are also gr
|
||||
>
|
||||
>- Use Windows Hello for Business - Enabled
|
||||
>- Use certificate for on-premises authentication - Enabled
|
||||
>- Require digits - Enabled
|
||||
>- Minimum PIN length - 6d
|
||||
>- MinimumPINLength - 8
|
||||
>- Digits - 1
|
||||
>- LowercaseLetters - 1
|
||||
>- SpecialCharacters - 1
|
||||
|
||||
## How to use Windows Hello for Business with Azure Active Directory
|
||||
|
||||
|
||||
@ -4,7 +4,7 @@ description: This reference for IT professionals provides information about the
|
||||
ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171
|
||||
ms.reviewer: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
|
||||
ms.author: dansimp
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -15,6 +15,7 @@ audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Advanced security audit policy settings
|
||||
|
||||
@ -4,7 +4,7 @@ description: This topic for the IT professional lists questions and answers abou
|
||||
ms.assetid: 80f8f187-0916-43c2-a7e8-ea712b115a06
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -15,6 +15,7 @@ audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Advanced security auditing FAQ
|
||||
|
||||
@ -4,7 +4,7 @@ description: Advanced security audit policy settings may appear to overlap with
|
||||
ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -15,6 +15,7 @@ audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Advanced security audit policies
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: Appendix A, Security monitoring recommendations for many audit events (Windows 10)
|
||||
description: Learn about recommendations for the type of monitoring required for certain classes of security audit events.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Appendix A: Security monitoring recommendations for many audit events
|
||||
|
||||
@ -4,7 +4,7 @@ description: Apply audit policies to individual files and folders on your comput
|
||||
ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -15,6 +15,7 @@ audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 07/25/2018
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Apply a basic audit policy on a file or folder
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 07/16/2018
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Account Lockout
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Application Generated
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Application Group Management
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Audit Policy Change
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Authentication Policy Change
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Authorization Policy Change
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Central Access Policy Staging
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Certification Services
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Computer Account Management
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Credential Validation
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Detailed Directory Service Replication
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Detailed File Share
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Directory Service Access
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Directory Service Changes
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Directory Service Replication
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Distribution Group Management
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit DPAPI Activity
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit File Share
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit File System
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Filtering Platform Connection
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Filtering Platform Packet Drop
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Filtering Platform Policy Change
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Group Membership
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Handle Manipulation
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 10/02/2018
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit IPsec Driver
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 10/02/2018
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit IPsec Extended Mode
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 10/02/2018
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit IPsec Main Mode
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 10/02/2018
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit IPsec Quick Mode
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Kerberos Authentication Service
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Kerberos Service Ticket Operations
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Kernel Object
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 07/16/2018
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Logoff
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Logon
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit MPSSVC Rule-Level Policy Change
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Network Policy Server
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Non-Sensitive Privilege Use
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Other Account Logon Events
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Other Account Management Events
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Other Logon/Logoff Events
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 05/29/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Other Object Access Events
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Other Policy Change Events
|
||||
|
||||
@ -2,16 +2,17 @@
|
||||
title: Audit Other Privilege Use Events (Windows 10)
|
||||
description: Learn about the audit other privilege use events, an auditing subcategory that should not have any events in it but enables generation of event 4985(S).
|
||||
ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c
|
||||
ms.reviewer:
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Other Privilege Use Events
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Other System Events
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit PNP Activity
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Process Creation
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Process Termination
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Registry
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Removable Storage
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit RPC Events
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit SAM
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 02/28/2019
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Security Group Management
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Security State Change
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Security System Extension
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Sensitive Privilege Use
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Special Logon
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit System Integrity
|
||||
|
||||
@ -5,7 +5,8 @@ manager: dansimp
|
||||
author: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit Token Right Adjusted
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit User Account Management
|
||||
|
||||
@ -6,12 +6,13 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dansimp
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit User/Device Claims
|
||||
|
||||
@ -4,7 +4,7 @@ description: Determines whether to audit each instance of a user logging on to o
|
||||
ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -15,6 +15,7 @@ audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit account logon events
|
||||
|
||||
@ -4,7 +4,7 @@ description: Determines whether to audit each event of account management on a d
|
||||
ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -15,6 +15,7 @@ audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit account management
|
||||
|
||||
@ -4,7 +4,7 @@ description: Determines whether to audit the event of a user accessing an Active
|
||||
ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -15,6 +15,7 @@ audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit directory service access
|
||||
|
||||
@ -4,7 +4,7 @@ description: Determines whether to audit each instance of a user logging on to o
|
||||
ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -15,6 +15,7 @@ audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit logon events
|
||||
|
||||
@ -4,7 +4,7 @@ description: The policy setting, Audit object access, determines whether to audi
|
||||
ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -15,6 +15,7 @@ audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit object access
|
||||
|
||||
@ -4,7 +4,7 @@ description: Determines whether to audit every incident of a change to user righ
|
||||
ms.assetid: 1025A648-6B22-4C85-9F47-FE0897F1FA31
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -15,6 +15,7 @@ audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit policy change
|
||||
|
||||
@ -4,7 +4,7 @@ description: Determines whether to audit each instance of a user exercising a us
|
||||
ms.assetid: C5C6DAAF-8B58-4DFB-B1CE-F0675AE0E9F8
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -15,6 +15,7 @@ audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit privilege use
|
||||
|
||||
@ -4,7 +4,7 @@ description: Determines whether to audit detailed tracking information for event
|
||||
ms.assetid: 91AC5C1E-F4DA-4B16-BEE2-C92D66E4CEEA
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -15,6 +15,7 @@ audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit process tracking
|
||||
|
||||
@ -4,7 +4,7 @@ description: Determines whether to audit when a user restarts or shuts down the
|
||||
ms.assetid: BF27588C-2AA7-4365-A4BF-3BB377916447
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -15,6 +15,7 @@ audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Audit system events
|
||||
|
||||
@ -4,7 +4,7 @@ description: Learn about basic security audit policies that specify the categori
|
||||
ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -15,6 +15,7 @@ audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Basic security audit policies
|
||||
|
||||
@ -4,7 +4,7 @@ description: Basic security audit policy settings are found under Computer Confi
|
||||
ms.assetid: 31C2C453-2CFC-4D9E-BC88-8CE1C1A8F900
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -15,6 +15,7 @@ audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Basic security audit policy settings
|
||||
|
||||
@ -4,7 +4,7 @@ description: By defining auditing settings for specific event categories, you ca
|
||||
ms.assetid: C9F52751-B40D-482E-BE9D-2C61098249D3
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -15,6 +15,7 @@ audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Create a basic audit policy for an event category
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: 1100(S) The event logging service has shut down. (Windows 10)
|
||||
description: Describes security event 1100(S) The event logging service has shut down.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# 1100(S): The event logging service has shut down.
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: 1102(S) The audit log was cleared. (Windows 10)
|
||||
description: Though you shouldn't normally see it, this event generates every time Windows Security audit log is cleared. This is for event 1102(S).
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# 1102(S): The audit log was cleared.
|
||||
|
||||
@ -1,8 +1,8 @@
|
||||
---
|
||||
title: 1104(S) The security log is now full. (Windows 10)
|
||||
description: This event generates every time Windows security log becomes full and the event log retention method is set to "Do not overwrite events."
|
||||
description: This event generates every time Windows security log becomes full and the event log retention method is set to Do not overwrite events.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# 1104(S): The security log is now full.
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: 1105(S) Event log automatic backup. (Windows 10)
|
||||
description: This event generates every time Windows security log becomes full and new event log file was created.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# 1105(S): Event log automatic backup
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: The event logging service encountered an error (Windows 10)
|
||||
description: Describes security event 1108(S) The event logging service encountered an error while processing an incoming event published from %1.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# 1108(S): The event logging service encountered an error while processing an incoming event published from %1.
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: 4608(S) Windows is starting up. (Windows 10)
|
||||
description: Describes security event 4608(S) Windows is starting up. This event is logged when the LSASS.EXE process starts and the auditing subsystem is initialized.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# 4608(S): Windows is starting up.
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: 4610(S) An authentication package has been loaded by the Local Security Authority. (Windows 10)
|
||||
description: Describes security event 4610(S) An authentication package has been loaded by the Local Security Authority.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# 4610(S): An authentication package has been loaded by the Local Security Authority.
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: 4611(S) A trusted logon process has been registered with the Local Security Authority. (Windows 10)
|
||||
description: Describes security event 4611(S) A trusted logon process has been registered with the Local Security Authority.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# 4611(S): A trusted logon process has been registered with the Local Security Authority.
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. (Windows 10)
|
||||
description: Describes security event 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# 4612(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: 4614(S) A notification package has been loaded by the Security Account Manager. (Windows 10)
|
||||
description: Describes security event 4614(S) A notification package has been loaded by the Security Account Manager.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# 4614(S): A notification package has been loaded by the Security Account Manager.
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: 4615(S) Invalid use of LPC port. (Windows 10)
|
||||
description: Describes security event 4615(S) Invalid use of LPC port. It appears that the Invalid use of LPC port event never occurs.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# 4615(S): Invalid use of LPC port.
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: 4616(S) The system time was changed. (Windows 10)
|
||||
description: Describes security event 4616(S) The system time was changed. This event is generated every time system time is changed.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# 4616(S): The system time was changed.
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: 4618(S) A monitored security event pattern has occurred. (Windows 10)
|
||||
description: Describes security event 4618(S) A monitored security event pattern has occurred.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# 4618(S): A monitored security event pattern has occurred.
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: 4621(S) Administrator recovered system from CrashOnAuditFail. (Windows 10)
|
||||
description: Describes security event 4621(S) Administrator recovered system from CrashOnAuditFail.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# 4621(S): Administrator recovered system from CrashOnAuditFail.
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: 4622(S) A security package has been loaded by the Local Security Authority. (Windows 10)
|
||||
description: Describes security event 4622(S) A security package has been loaded by the Local Security Authority.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# 4622(S): A security package has been loaded by the Local Security Authority.
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: 4624(S) An account was successfully logged on. (Windows 10)
|
||||
description: Describes security event 4624(S) An account was successfully logged on.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# 4624(S): An account was successfully logged on.
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: 4625(F) An account failed to log on. (Windows 10)
|
||||
description: Describes security event 4625(F) An account failed to log on. This event is generated if an account logon attempt failed for a locked out account.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# 4625(F): An account failed to log on.
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: 4626(S) User/Device claims information. (Windows 10)
|
||||
description: Describes security event 4626(S) User/Device claims information. This event is generated for new account logons.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# 4626(S): User/Device claims information.
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: 4627(S) Group membership information. (Windows 10)
|
||||
description: Describes security event 4627(S) Group membership information. This event is generated with event 4624(S) An account was successfully logged on.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# 4627(S): Group membership information.
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: 4634(S) An account was logged off. (Windows 10)
|
||||
description: Describes security event 4634(S) An account was logged off. This event is generated when a logon session is terminated and no longer exists.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 11/20/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# 4634(S): An account was logged off.
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: 4647(S) User initiated logoff. (Windows 10)
|
||||
description: Describes security event 4647(S) User initiated logoff. This event is generated when a logoff is initiated. No further user-initiated activity can occur.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# 4647(S): User initiated logoff.
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: 4648(S) A logon was attempted using explicit credentials. (Windows 10)
|
||||
description: Describes security event 4648(S) A logon was attempted using explicit credentials.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# 4648(S): A logon was attempted using explicit credentials.
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: 4649(S) A replay attack was detected. (Windows 10)
|
||||
description: Describes security event 4649(S) A replay attack was detected. This event is generated when a KRB_AP_ERR_REPEAT Kerberos response is sent to the client.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
@ -11,6 +11,7 @@ ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# 4649(S): A replay attack was detected.
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
x
Reference in New Issue
Block a user