From 51c4c48cee9aa74697e6e4ee0837a2bda6696a11 Mon Sep 17 00:00:00 2001
From: Ashok Lobo
Date: Mon, 6 Sep 2021 17:10:01 +0530
Subject: [PATCH 01/38] Updated for 5358843-files-26to50
---
 .../auditing/audit-filtering-platform-packet-drop.md | 6 +-----
 .../auditing/audit-filtering-platform-policy-change.md | 5 +----
 .../threat-protection/auditing/audit-group-membership.md | 5 +----
 .../auditing/audit-handle-manipulation.md | 5 +----
 .../threat-protection/auditing/audit-ipsec-driver.md | 5 +----
 .../auditing/audit-ipsec-extended-mode.md | 6 +-----
 .../threat-protection/auditing/audit-ipsec-main-mode.md | 5 +----
 .../threat-protection/auditing/audit-ipsec-quick-mode.md | 5 +----
 .../auditing/audit-kerberos-authentication-service.md | 6 +-----
 .../auditing/audit-kerberos-service-ticket-operations.md | 6 +-----
 .../threat-protection/auditing/audit-kernel-object.md | 6 +-----
 .../security/threat-protection/auditing/audit-logoff.md | 6 +-----
 .../security/threat-protection/auditing/audit-logon.md | 6 +-----
 .../auditing/audit-mpssvc-rule-level-policy-change.md | 6 +-----
 .../auditing/audit-network-policy-server.md | 5 +----
 .../auditing/audit-non-sensitive-privilege-use.md | 6 +-----
 .../auditing/audit-other-account-logon-events.md | 6 +-----
 .../auditing/audit-other-account-management-events.md | 6 +-----
 .../auditing/audit-other-logonlogoff-events.md | 6 +-----
 .../auditing/audit-other-object-access-events.md | 6 +-----
 .../auditing/audit-other-policy-change-events.md | 6 +-----
 .../auditing/audit-other-privilege-use-events.md | 5 +----
 .../auditing/audit-other-system-events.md | 8 ++------
 .../threat-protection/auditing/audit-pnp-activity.md | 6 +-----
 .../threat-protection/auditing/audit-process-creation.md | 6 +-----
 25 files changed, 26 insertions(+), 118 deletions(-)
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
index d6131681ec..dae76cc66f 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit Filtering Platform Packet Drop
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Audit Filtering Platform Packet Drop determines whether the operating system generates audit events when packets are dropped by the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page).
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
index b3a9837cd5..8a77aee208 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
@@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit Filtering Platform Policy Change
-**Applies to**
-- Windows 10
-- Windows Server 2016
 Audit Filtering Platform Policy Change allows you to audit events generated by changes to the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) (WFP), such as the following:
diff --git a/windows/security/threat-protection/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md
index 37a86a6424..904bc669cb 100644
--- a/windows/security/threat-protection/auditing/audit-group-membership.md
+++ b/windows/security/threat-protection/auditing/audit-group-membership.md
@@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit Group Membership
-**Applies to**
-- Windows 10
-- Windows Server 2016
 By using Audit Group Membership, you can audit group memberships when they're enumerated on the client computer.
diff --git a/windows/security/threat-protection/auditing/audit-handle-manipulation.md b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
index e82188ac78..1003455f12 100644
--- a/windows/security/threat-protection/auditing/audit-handle-manipulation.md
+++ b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
@@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit Handle Manipulation
-**Applies to**
-- Windows 10
-- Windows Server 2016
 Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) and [Audit SAM](audit-sam.md) subcategories, and shows object’s handle duplication and close actions.
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
index 606acf77a3..108d9f2155 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
@@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 10/02/2018
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit IPsec Driver
-**Applies to**
-- Windows 10
-- Windows Server 2016
 Audit IPsec Driver allows you to audit events generated by IPSec driver such as the following:
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
index 179c4e5e22..502f29b57d 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 10/02/2018
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit IPsec Extended Mode
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Audit IPsec Extended Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
index 092717cc70..c3f71a182d 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
@@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 10/02/2018
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit IPsec Main Mode
-**Applies to**
-- Windows 10
-- Windows Server 2016
 Audit IPsec Main Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
index fefab72132..0424935c98 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
@@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 10/02/2018
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit IPsec Quick Mode
-**Applies to**
-- Windows 10
-- Windows Server 2016
 Audit IPsec Quick Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
index 14495b2794..ac184cba5f 100644
--- a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
+++ b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit Kerberos Authentication Service
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Audit Kerberos Authentication Service determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests.
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
index 3bbaa165ef..788a0eccd6 100644
--- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
+++ b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit Kerberos Service Ticket Operations
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Audit Kerberos Service Ticket Operations determines whether the operating system generates security audit events for Kerberos service ticket requests.
diff --git a/windows/security/threat-protection/auditing/audit-kernel-object.md b/windows/security/threat-protection/auditing/audit-kernel-object.md
index f93ad96e33..f0329f57a4 100644
--- a/windows/security/threat-protection/auditing/audit-kernel-object.md
+++ b/windows/security/threat-protection/auditing/audit-kernel-object.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit Kernel Object
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Audit Kernel Object determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores.
diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md
index a07a10fd9a..eadeed6ed8 100644
--- a/windows/security/threat-protection/auditing/audit-logoff.md
+++ b/windows/security/threat-protection/auditing/audit-logoff.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 07/16/2018
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit Logoff
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Audit Logoff determines whether the operating system generates audit events when logon sessions are terminated.
diff --git a/windows/security/threat-protection/auditing/audit-logon.md b/windows/security/threat-protection/auditing/audit-logon.md
index e87dd6ad1d..b6b71c23f6 100644
--- a/windows/security/threat-protection/auditing/audit-logon.md
+++ b/windows/security/threat-protection/auditing/audit-logon.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit Logon
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Audit Logon determines whether the operating system generates audit events when a user attempts to log on to a computer.
diff --git a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
index 5107277a3d..ff61afa77f 100644
--- a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit MPSSVC Rule-Level Policy Change
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Audit MPSSVC Rule-Level Policy Change determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe).
diff --git a/windows/security/threat-protection/auditing/audit-network-policy-server.md b/windows/security/threat-protection/auditing/audit-network-policy-server.md
index d6ac9d53e5..016e6d53d7 100644
--- a/windows/security/threat-protection/auditing/audit-network-policy-server.md
+++ b/windows/security/threat-protection/auditing/audit-network-policy-server.md
@@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit Network Policy Server
-**Applies to**
-- Windows 10
-- Windows Server 2016
 Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.
diff --git a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
index 8cf59016dd..7ef4be2fc3 100644
--- a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
+++ b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit Non-Sensitive Privilege Use
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Audit Non-Sensitive Privilege Use contains events that show usage of non-sensitive privileges. This is the list of non-sensitive privileges:
diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
index 39fa1e83de..fc85d54a1a 100644
--- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit Other Account Logon Events
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 **General Subcategory Information:**
diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md
index bb5d7120a3..bab6689283 100644
--- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-account-management-events.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit Other Account Management Events
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Audit Other Account Management Events determines whether the operating system generates user account management audit events.
diff --git a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
index c123e22ef8..032d65589e 100644
--- a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit Other Logon/Logoff Events
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events.
diff --git a/windows/security/threat-protection/auditing/audit-other-object-access-events.md b/windows/security/threat-protection/auditing/audit-other-object-access-events.md
index a485aa2d07..1a82bd54e1 100644
--- a/windows/security/threat-protection/auditing/audit-other-object-access-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-object-access-events.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 05/29/2017
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit Other Object Access Events
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Audit Other Object Access Events allows you to monitor operations with scheduled tasks, COM+ objects and indirect object access requests.
diff --git a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
index 5f55e34285..61ed449132 100644
--- a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit Other Policy Change Events
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Audit Other Policy Change Events contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations.
diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
index 7e8dea77c3..ed0e6fde50 100644
--- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
@@ -11,15 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit Other Privilege Use Events
-**Applies to**
-- Windows 10
-- Windows Server 2016
 This auditing subcategory should not have any events in it, but for some reason Success auditing will enable the generation of event [4985(S): The state of a transaction has changed](/windows/security/threat-protection/auditing/event-4985).
diff --git a/windows/security/threat-protection/auditing/audit-other-system-events.md b/windows/security/threat-protection/auditing/audit-other-system-events.md
index 7554066d42..8762fb22fc 100644
--- a/windows/security/threat-protection/auditing/audit-other-system-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-system-events.md
@@ -11,17 +11,13 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit Other System Events
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
-
+
 Audit Other System Events contains Windows Firewall Service and Windows Firewall driver start and stop events, failure events for these services and Windows Firewall Service policy processing failures. Audit Other System Events determines whether the operating system audits various system events.
diff --git a/windows/security/threat-protection/auditing/audit-pnp-activity.md b/windows/security/threat-protection/auditing/audit-pnp-activity.md
index 16b696e3a2..23779f6a95 100644
--- a/windows/security/threat-protection/auditing/audit-pnp-activity.md
+++ b/windows/security/threat-protection/auditing/audit-pnp-activity.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit PNP Activity
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Audit PNP Activity determines when Plug and Play detects an external device.
diff --git a/windows/security/threat-protection/auditing/audit-process-creation.md b/windows/security/threat-protection/auditing/audit-process-creation.md
index 456c7082b1..1e0c857ede 100644
--- a/windows/security/threat-protection/auditing/audit-process-creation.md
+++ b/windows/security/threat-protection/auditing/audit-process-creation.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit Process Creation
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Audit Process Creation determines whether the operating system generates audit events when a process is created (starts).
From 5d77e99308e196b7a564ab46beb29238c3178600 Mon Sep 17 00:00:00 2001
From: Ashok Lobo
Date: Mon, 6 Sep 2021 17:37:22 +0530
Subject: [PATCH 02/38] Updated
---
 .../auditing/audit-other-account-logon-events.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
index fc85d54a1a..4550778fca 100644
--- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
@@ -24,7 +24,7 @@ This auditing subcategory does not contain any events. It is intended for future
 | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
 |-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. |
-| Member Server | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. |
-| Workstation | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. |
+| Domain Controller | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, and there is no reason to enable it. |
+| Member Server | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, and there is no reason to enable it. |
+| Workstation | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, and there is no reason to enable it. |
From 214338b66a8914f4918f9d97c23e3f7b7748aea0 Mon Sep 17 00:00:00 2001
From: Ashok Lobo
Date: Mon, 6 Sep 2021 18:10:30 +0530
Subject: [PATCH 03/38] Updated
---
 .../auditing/audit-other-account-logon-events.md | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
index 4550778fca..00d03953b8 100644
--- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Other Account Logon Events (Windows 10)
-description: The policy setting, Audit Other Account Logon Events, allows you to audit events generated by responses to credential requests for certain kinds of user logons.
+description: The policy setting, Audit Other Account Logon Events allows you to audit events generated by responses to credential requests for certain kinds of user logons.
 ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3
 ms.reviewer:
 manager: dansimp
@@ -17,14 +17,13 @@ ms.technology: mde
 # Audit Other Account Logon Events
-
 **General Subcategory Information:**
 This auditing subcategory does not contain any events. It is intended for future use.
 | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
 |-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, and there is no reason to enable it. |
-| Member Server | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, and there is no reason to enable it. |
-| Workstation | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, and there is no reason to enable it. |
+| Domain Controller | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. |
+| Member Server | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. |
+| Workstation | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. |
From d0251d2483a8edb27af50218aa44375f62fa2320 Mon Sep 17 00:00:00 2001
From: Ashok Lobo
Date: Mon, 6 Sep 2021 18:26:23 +0530
Subject: [PATCH 04/38] Updated
---
 .../auditing/audit-other-account-logon-events.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
index 00d03953b8..774bedd202 100644
--- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Other Account Logon Events (Windows 10)
-description: The policy setting, Audit Other Account Logon Events allows you to audit events generated by responses to credential requests for certain kinds of user logons.
+description: The policy setting, Audit Other Account Logon Events allows you to audit events when generated by responses to credential requests for certain kinds of user logons.
 ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3
 ms.reviewer:
 manager: dansimp
From 18b54cffab1ac808eac4e71b905ce7091b3593fe Mon Sep 17 00:00:00 2001
From: Ashok Lobo
Date: Mon, 6 Sep 2021 19:48:42 +0530
Subject: [PATCH 05/38] Updated for Ashok-Lobo-5358843. files-51to75
---
 .../auditing/audit-process-termination.md | 6 +-----
 .../threat-protection/auditing/audit-registry.md | 6 +-----
 .../auditing/audit-removable-storage.md | 6 +-----
 .../threat-protection/auditing/audit-rpc-events.md | 6 +-----
 .../security/threat-protection/auditing/audit-sam.md | 6 +-----
 .../auditing/audit-security-group-management.md | 5 +----
 .../auditing/audit-security-state-change.md | 6 +-----
 .../auditing/audit-security-system-extension.md | 12 ++++--------
 .../auditing/audit-sensitive-privilege-use.md | 6 +-----
 .../auditing/audit-special-logon.md | 6 +-----
 .../auditing/audit-system-integrity.md | 6 +-----
 .../auditing/audit-token-right-adjusted.md | 4 ----
 .../auditing/audit-user-account-management.md | 6 +-----
 .../auditing/audit-user-device-claims.md | 6 +-----
 .../auditing/basic-audit-account-logon-events.md | 4 +---
 .../auditing/basic-audit-account-management.md | 4 +---
 .../auditing/basic-audit-directory-service-access.md | 4 +---
 .../auditing/basic-audit-logon-events.md | 4 +---
 .../auditing/basic-audit-object-access.md | 4 +---
 .../auditing/basic-audit-policy-change.md | 4 +---
 .../auditing/basic-audit-privilege-use.md | 4 +---
 .../auditing/basic-audit-process-tracking.md | 4 +---
 .../auditing/basic-audit-system-events.md | 4 +---
 .../auditing/basic-security-audit-policies.md | 4 +---
 .../auditing/basic-security-audit-policy-settings.md | 4 +---
 25 files changed, 27 insertions(+), 104 deletions(-)
diff --git a/windows/security/threat-protection/auditing/audit-process-termination.md b/windows/security/threat-protection/auditing/audit-process-termination.md
index 97b0a91741..7206647a67 100644
--- a/windows/security/threat-protection/auditing/audit-process-termination.md
+++ b/windows/security/threat-protection/auditing/audit-process-termination.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit Process Termination
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Audit Process Termination determines whether the operating system generates audit events when process has exited.
diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md
index 70a672e969..b942488455 100644
--- a/windows/security/threat-protection/auditing/audit-registry.md
+++ b/windows/security/threat-protection/auditing/audit-registry.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
 ms.technology: mde
 ---
 # Audit Registry
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Audit Registry allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists ([SACL](/windows/win32/secauthz/access-control-lists)s) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL.
diff --git a/windows/security/threat-protection/auditing/audit-removable-storage.md b/windows/security/threat-protection/auditing/audit-removable-storage.md
index b0ec0466fe..9a0d27b1c2 100644
--- a/windows/security/threat-protection/auditing/audit-removable-storage.md
+++ b/windows/security/threat-protection/auditing/audit-removable-storage.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Removable Storage -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Removable Storage allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects and all types of access requested, with no dependency on object’s [SACL](/windows/win32/secauthz/access-control-lists). diff --git a/windows/security/threat-protection/auditing/audit-rpc-events.md b/windows/security/threat-protection/auditing/audit-rpc-events.md index 59202d82fa..6be5c9a222 100644 --- a/windows/security/threat-protection/auditing/audit-rpc-events.md +++ b/windows/security/threat-protection/auditing/audit-rpc-events.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit RPC Events -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit RPC Events determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made. diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md index 022b451082..020c87b6c0 100644 --- a/windows/security/threat-protection/auditing/audit-sam.md +++ b/windows/security/threat-protection/auditing/audit-sam.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit SAM -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager ([SAM](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10))) objects. 
diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md index c80fe834a9..045ce6d2cd 100644 --- a/windows/security/threat-protection/auditing/audit-security-group-management.md +++ b/windows/security/threat-protection/auditing/audit-security-group-management.md @@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 02/28/2019 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Security Group Management -**Applies to** -- Windows 10 -- Windows Server 2016 Audit Security Group Management determines whether the operating system generates audit events when specific security group management tasks are performed. diff --git a/windows/security/threat-protection/auditing/audit-security-state-change.md b/windows/security/threat-protection/auditing/audit-security-state-change.md index 19614087bb..81d52226a4 100644 --- a/windows/security/threat-protection/auditing/audit-security-state-change.md +++ b/windows/security/threat-protection/auditing/audit-security-state-change.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Security State Change -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Security State Change contains Windows startup, recovery, and shutdown events, and information about changes in system time. diff --git a/windows/security/threat-protection/auditing/audit-security-system-extension.md b/windows/security/threat-protection/auditing/audit-security-system-extension.md index b787507ef4..06a62bc211 100644 --- a/windows/security/threat-protection/auditing/audit-security-system-extension.md +++ b/windows/security/threat-protection/auditing/audit-security-system-extension.md 
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Security System Extension -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Security System Extension contains information about the loading of an authentication package, notification package, or security package, plus information about trusted logon process registration events. @@ -36,9 +32,9 @@ Attempts to install or load security system extensions or services are critical | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events we strongly recommend monitoring an allow list of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should have “SYSTEM” as value for **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events we strongly recommend monitoring an allow list of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events we strongly recommend monitoring an allow list of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Domain Controller | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should have “SYSTEM” as value for **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | **Events List:** diff --git a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md index fe6ad3206b..d2929dbc8b 100644 --- a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md +++ b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Sensitive Privilege Use -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Sensitive Privilege Use contains events that show the usage of sensitive privileges. This is the list of sensitive privileges: diff --git a/windows/security/threat-protection/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md index c852e45990..a2c7e6fe4c 100644 --- a/windows/security/threat-protection/auditing/audit-special-logon.md +++ b/windows/security/threat-protection/auditing/audit-special-logon.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Special Logon -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Special Logon determines whether the operating system generates audit events under special sign on (or log on) circumstances. diff --git a/windows/security/threat-protection/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md index f9be77c1eb..d88432587a 100644 --- a/windows/security/threat-protection/auditing/audit-system-integrity.md +++ b/windows/security/threat-protection/auditing/audit-system-integrity.md 
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit System Integrity -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit System Integrity determines whether the operating system audits events that violate the integrity of the security subsystem. diff --git a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md index c53c887d1f..51362e65a8 100644 --- a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md +++ b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md @@ -11,10 +11,6 @@ ms.technology: mde # Audit Token Right Adjusted -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Token Right Adjusted allows you to audit events generated by adjusting the privileges of a token. diff --git a/windows/security/threat-protection/auditing/audit-user-account-management.md b/windows/security/threat-protection/auditing/audit-user-account-management.md index 145e04e477..97b551d31a 100644 --- a/windows/security/threat-protection/auditing/audit-user-account-management.md +++ b/windows/security/threat-protection/auditing/audit-user-account-management.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit User Account Management -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit User Account Management determines whether the operating system generates audit events when specific user account management tasks are performed. diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md index 6051e50d2f..f5b3b71fa8 100644 
--- a/windows/security/threat-protection/auditing/audit-user-device-claims.md +++ b/windows/security/threat-protection/auditing/audit-user-device-claims.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit User/Device Claims -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit User/Device Claims allows you to audit user and device claims information in the account’s logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md index 7e9d098f5d..9e83b22f8e 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit account logon events -**Applies to** -- Windows 10 Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account. diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md index 5541fc0f63..e438366e30 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-management.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md 
@@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit account management -**Applies to** -- Windows 10 Determines whether to audit each event of account management on a device. diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md index e52e2e7382..fb18731a64 100644 --- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit directory service access -**Applies to** -- Windows 10 Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified. diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md index c730790cfa..569a8335dd 100644 --- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit logon events -**Applies to** -- Windows 10 Determines whether to audit each instance of a user logging on to or logging off from a device. diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md index 7bb1357af3..3cc432b64b 100644 
--- a/windows/security/threat-protection/auditing/basic-audit-object-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit object access -**Applies to** -- Windows 10 Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified. diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md index a04167e8c2..3e7cc6a8ea 100644 --- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md +++ b/windows/security/threat-protection/auditing/basic-audit-policy-change.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit policy change -**Applies to** -- Windows 10 Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md index 4b6a28a415..ff6e5dff98 100644 --- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md +++ b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit privilege use -**Applies to** -- Windows 10 Determines whether to audit each instance of a user exercising a user right. 
diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md index c2e1ff94ca..a7f08b9c20 100644 --- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md +++ b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit process tracking -**Applies to** -- Windows 10 Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. diff --git a/windows/security/threat-protection/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md index 8c5e33028e..4201c2447f 100644 --- a/windows/security/threat-protection/auditing/basic-audit-system-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-system-events.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit system events -**Applies to** -- Windows 10 Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md index fd291c792a..012b98550f 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md 
@@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Basic security audit policies -**Applies to** -- Windows 10 Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization. diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md index 0ddb0a6152..0b56e07522 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Basic security audit policy settings -**Applies to** -- Windows 10 Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. From a012698fe7d5d6f5a0766eecdffaca4521dd71c9 Mon Sep 17 00:00:00 2001 
From: Ashok Lobo Date: Tue, 7 Sep 2021 11:56:23 +0530 Subject: [PATCH 06/38] Updated for 5358843-files76to100
--- ...a-basic-audit-policy-settings-for-an-event-category.md | 4 +--- windows/security/threat-protection/auditing/event-1100.md | 6 +----- windows/security/threat-protection/auditing/event-1102.md | 6 +----- windows/security/threat-protection/auditing/event-1104.md | 6 +----- windows/security/threat-protection/auditing/event-1105.md | 6 +----- windows/security/threat-protection/auditing/event-1108.md | 6 +----- windows/security/threat-protection/auditing/event-4608.md | 6 +----- windows/security/threat-protection/auditing/event-4610.md | 6 +----- windows/security/threat-protection/auditing/event-4611.md | 6 +----- windows/security/threat-protection/auditing/event-4612.md | 6 +----- windows/security/threat-protection/auditing/event-4614.md | 6 +----- windows/security/threat-protection/auditing/event-4615.md | 6 +----- windows/security/threat-protection/auditing/event-4616.md | 6 +----- windows/security/threat-protection/auditing/event-4618.md | 6 +----- windows/security/threat-protection/auditing/event-4621.md | 5 +---- windows/security/threat-protection/auditing/event-4622.md | 8 ++------ windows/security/threat-protection/auditing/event-4624.md | 6 +----- windows/security/threat-protection/auditing/event-4625.md | 6 +----- windows/security/threat-protection/auditing/event-4626.md | 6 +----- windows/security/threat-protection/auditing/event-4627.md | 6 +----- windows/security/threat-protection/auditing/event-4634.md | 6 +----- windows/security/threat-protection/auditing/event-4647.md | 6 +----- windows/security/threat-protection/auditing/event-4648.md | 6 +----- windows/security/threat-protection/auditing/event-4649.md | 6 +----- windows/security/threat-protection/auditing/event-4656.md | 6 +----- 25 files changed, 26 insertions(+), 123 deletions(-)
diff --git a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md index 526946d4b5..054ff9b595 100644 --- a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md +++ b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- # Create a basic audit policy for an event category -**Applies to** -- Windows 10 By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default. diff --git a/windows/security/threat-protection/auditing/event-1100.md b/windows/security/threat-protection/auditing/event-1100.md index f3fbd46308..c8ac91b393 100644 --- a/windows/security/threat-protection/auditing/event-1100.md +++ b/windows/security/threat-protection/auditing/event-1100.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 1100(S): The event logging service has shut down. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 1100 illustration diff --git a/windows/security/threat-protection/auditing/event-1102.md b/windows/security/threat-protection/auditing/event-1102.md index fecf1badde..02ac9384e5 100644 --- a/windows/security/threat-protection/auditing/event-1102.md 
+++ b/windows/security/threat-protection/auditing/event-1102.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 1102(S): The audit log was cleared. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 1102 illustration diff --git a/windows/security/threat-protection/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md index 8d6a8dfd16..0c5e2917af 100644 --- a/windows/security/threat-protection/auditing/event-1104.md +++ b/windows/security/threat-protection/auditing/event-1104.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 1104(S): The security log is now full. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 1104 illustration diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md index ca327249e4..1aeaa58c8e 100644 --- a/windows/security/threat-protection/auditing/event-1105.md +++ b/windows/security/threat-protection/auditing/event-1105.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 1105(S): Event log automatic backup -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 1105 illustration diff --git a/windows/security/threat-protection/auditing/event-1108.md b/windows/security/threat-protection/auditing/event-1108.md index 440e411f38..1a7f0cbd1e 100644 --- a/windows/security/threat-protection/auditing/event-1108.md 
+++ b/windows/security/threat-protection/auditing/event-1108.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 1108(S): The event logging service encountered an error while processing an incoming event published from %1. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 1108 illustration diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md index 6372e6acc2..255036037d 100644 --- a/windows/security/threat-protection/auditing/event-4608.md +++ b/windows/security/threat-protection/auditing/event-4608.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4608(S): Windows is starting up. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4608 illustration diff --git a/windows/security/threat-protection/auditing/event-4610.md b/windows/security/threat-protection/auditing/event-4610.md index aba324fd61..2249612819 100644 --- a/windows/security/threat-protection/auditing/event-4610.md +++ b/windows/security/threat-protection/auditing/event-4610.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4610(S): An authentication package has been loaded by the Local Security Authority. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4610 illustration diff --git a/windows/security/threat-protection/auditing/event-4611.md b/windows/security/threat-protection/auditing/event-4611.md index 50583e6f70..b4ce0a9d8d 100644 
--- a/windows/security/threat-protection/auditing/event-4611.md +++ b/windows/security/threat-protection/auditing/event-4611.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4611(S): A trusted logon process has been registered with the Local Security Authority. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4611 illustration diff --git a/windows/security/threat-protection/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md index c4561550d5..aa8b9ecc61 100644 --- a/windows/security/threat-protection/auditing/event-4612.md +++ b/windows/security/threat-protection/auditing/event-4612.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4612(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk. diff --git a/windows/security/threat-protection/auditing/event-4614.md b/windows/security/threat-protection/auditing/event-4614.md index ca4c161420..959ef959e9 100644 --- a/windows/security/threat-protection/auditing/event-4614.md +++ b/windows/security/threat-protection/auditing/event-4614.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp 
@@ -16,10 +16,6 @@ ms.technology: mde # 4614(S): A notification package has been loaded by the Security Account Manager. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4614 illustration diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md index 6c8f9cd7ac..82dbd7d648 100644 --- a/windows/security/threat-protection/auditing/event-4615.md +++ b/windows/security/threat-protection/auditing/event-4615.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4615(S): Invalid use of LPC port. -**Applies to** -- Windows 10 -- Windows Server 2016 - It appears that this event never occurs. diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md index 690bde945f..2fc4b43b2c 100644 --- a/windows/security/threat-protection/auditing/event-4616.md +++ b/windows/security/threat-protection/auditing/event-4616.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4616(S): The system time was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4616 illustration diff --git a/windows/security/threat-protection/auditing/event-4618.md b/windows/security/threat-protection/auditing/event-4618.md index c1bc41f942..baa0727774 100644 --- a/windows/security/threat-protection/auditing/event-4618.md +++ b/windows/security/threat-protection/auditing/event-4618.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp 
@@ -16,10 +16,6 @@ ms.technology: mde # 4618(S): A monitored security event pattern has occurred. -**Applies to** -- Windows 10 -- Windows Server 2016 - ***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) diff --git a/windows/security/threat-protection/auditing/event-4621.md b/windows/security/threat-protection/auditing/event-4621.md index 9ffb0fee15..d3475dbb08 100644 --- a/windows/security/threat-protection/auditing/event-4621.md +++ b/windows/security/threat-protection/auditing/event-4621.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,9 +16,6 @@ ms.technology: mde # 4621(S): Administrator recovered system from CrashOnAuditFail. -**Applies to** -- Windows 10 -- Windows Server 2016 This event is logged after a system reboots following [CrashOnAuditFail](/previous-versions/windows/it-pro/windows-2000-server/cc963220(v=technet.10)?f=255&MSPPError=-2147217396). It generates when CrashOnAuditFail = 2. diff --git a/windows/security/threat-protection/auditing/event-4622.md b/windows/security/threat-protection/auditing/event-4622.md index 46f54afcca..5404c4491b 100644 --- a/windows/security/threat-protection/auditing/event-4622.md +++ b/windows/security/threat-protection/auditing/event-4622.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4622(S): A security package has been loaded by the Local Security Authority. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4622 illustration 
@@ -101,4 +97,4 @@ These are some Security Package DLLs loaded by default in Windows 10: For 4622(S): A security package has been loaded by the Local Security Authority. -- Typically this event has an informational purpose. If you defined the list of allowed Security Packages in the system, then you can check is “**Security Package Name”** field value in the allow list or not. \ No newline at end of file +- Typically this event has an informational purpose. If you defined the list of allowed Security Packages in the system, then you can check is “**Security Package Name”** field value in the allowlist or not. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index a61449dada..6a36fda6d7 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4624(S): An account was successfully logged on. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4624 illustration diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index d613787ba3..ec92960ecc 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4625(F): An account failed to log on. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4625 illustration 
diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md index 667de4c561..1aba2f1f3b 100644 --- a/windows/security/threat-protection/auditing/event-4626.md +++ b/windows/security/threat-protection/auditing/event-4626.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4626(S): User/Device claims information. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4626 illustration diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md index 4a4fce1919..8ad79efcb2 100644 --- a/windows/security/threat-protection/auditing/event-4627.md +++ b/windows/security/threat-protection/auditing/event-4627.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4627(S): Group membership information. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4627 illustration diff --git a/windows/security/threat-protection/auditing/event-4634.md b/windows/security/threat-protection/auditing/event-4634.md index b0541e2dbb..16bf3e049d 100644 --- a/windows/security/threat-protection/auditing/event-4634.md +++ b/windows/security/threat-protection/auditing/event-4634.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 11/20/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4634(S): An account was logged off. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4634 illustration 
diff --git a/windows/security/threat-protection/auditing/event-4647.md b/windows/security/threat-protection/auditing/event-4647.md index 14dc2a7083..01428dba45 100644 --- a/windows/security/threat-protection/auditing/event-4647.md +++ b/windows/security/threat-protection/auditing/event-4647.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4647(S): User initiated logoff. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4647 illustration diff --git a/windows/security/threat-protection/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md index 44eb565de4..8d81d41573 100644 --- a/windows/security/threat-protection/auditing/event-4648.md +++ b/windows/security/threat-protection/auditing/event-4648.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4648(S): A logon was attempted using explicit credentials. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4648 illustration diff --git a/windows/security/threat-protection/auditing/event-4649.md b/windows/security/threat-protection/auditing/event-4649.md index 06ae9ca1aa..75f1bf3c96 100644 --- a/windows/security/threat-protection/auditing/event-4649.md +++ b/windows/security/threat-protection/auditing/event-4649.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp 
@@ -16,10 +16,6 @@ ms.technology: mde # 4649(S): A replay attack was detected. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates on domain controllers when **KRB\_AP\_ERR\_REPEAT** Kerberos response was sent to the client. diff --git a/windows/security/threat-protection/auditing/event-4656.md b/windows/security/threat-protection/auditing/event-4656.md index 7332ad06b8..7aee847e93 100644 --- a/windows/security/threat-protection/auditing/event-4656.md +++ b/windows/security/threat-protection/auditing/event-4656.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4656(S, F): A handle to an object was requested. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4656 illustration From 95b3b9efd2916c8c4e087a7ce5d123d5c58ffafe Mon Sep 17 00:00:00 2001 
From: Ashok Lobo
Date: Tue, 7 Sep 2021 12:55:23 +0530
Subject: [PATCH 07/38] Updated for 5358843-files101to125
---
 windows/security/threat-protection/auditing/event-4657.md | 6 +-----
 windows/security/threat-protection/auditing/event-4658.md | 6 +-----
 windows/security/threat-protection/auditing/event-4660.md | 6 +-----
 windows/security/threat-protection/auditing/event-4661.md | 6 +-----
 windows/security/threat-protection/auditing/event-4662.md | 6 +-----
 windows/security/threat-protection/auditing/event-4663.md | 6 +-----
 windows/security/threat-protection/auditing/event-4664.md | 6 +-----
 windows/security/threat-protection/auditing/event-4670.md | 6 +-----
 windows/security/threat-protection/auditing/event-4671.md | 8 ++------
 windows/security/threat-protection/auditing/event-4672.md | 6 +-----
 windows/security/threat-protection/auditing/event-4673.md | 6 +-----
 windows/security/threat-protection/auditing/event-4674.md | 6 +-----
 windows/security/threat-protection/auditing/event-4675.md | 6 +-----
 windows/security/threat-protection/auditing/event-4688.md | 6 +-----
 windows/security/threat-protection/auditing/event-4689.md | 6 +-----
 windows/security/threat-protection/auditing/event-4690.md | 6 +-----
 windows/security/threat-protection/auditing/event-4691.md | 6 +-----
 windows/security/threat-protection/auditing/event-4692.md | 6 +-----
 windows/security/threat-protection/auditing/event-4693.md | 6 +-----
 windows/security/threat-protection/auditing/event-4694.md | 6 +-----
 windows/security/threat-protection/auditing/event-4695.md | 6 +-----
 windows/security/threat-protection/auditing/event-4696.md | 6 +-----
 windows/security/threat-protection/auditing/event-4697.md | 6 +-----
 windows/security/threat-protection/auditing/event-4698.md | 6 +-----
 windows/security/threat-protection/auditing/event-4699.md | 6 +-----
 25 files changed, 26 insertions(+), 126 deletions(-)
diff --git a/windows/security/threat-protection/auditing/event-4657.md b/windows/security/threat-protection/auditing/event-4657.md index e0d0985203..39cb4e6052 100644 --- a/windows/security/threat-protection/auditing/event-4657.md +++ b/windows/security/threat-protection/auditing/event-4657.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4657(S): A registry value was modified. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4657 illustration diff --git a/windows/security/threat-protection/auditing/event-4658.md b/windows/security/threat-protection/auditing/event-4658.md index 85b56fb6d0..0acb8a0b2f 100644 --- a/windows/security/threat-protection/auditing/event-4658.md +++ b/windows/security/threat-protection/auditing/event-4658.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4658(S): The handle to an object was closed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4658 illustration diff --git a/windows/security/threat-protection/auditing/event-4660.md b/windows/security/threat-protection/auditing/event-4660.md index 7a921090fd..871435d568 100644 --- a/windows/security/threat-protection/auditing/event-4660.md +++ b/windows/security/threat-protection/auditing/event-4660.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4660(S): An object was deleted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4660 illustration 
diff --git a/windows/security/threat-protection/auditing/event-4661.md b/windows/security/threat-protection/auditing/event-4661.md index 27afd56d00..77da9a1780 100644 --- a/windows/security/threat-protection/auditing/event-4661.md +++ b/windows/security/threat-protection/auditing/event-4661.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4661(S, F): A handle to an object was requested. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4661 illustration diff --git a/windows/security/threat-protection/auditing/event-4662.md b/windows/security/threat-protection/auditing/event-4662.md index b9d488c090..7950f49912 100644 --- a/windows/security/threat-protection/auditing/event-4662.md +++ b/windows/security/threat-protection/auditing/event-4662.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4662(S, F): An operation was performed on an object. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4662 illustration diff --git a/windows/security/threat-protection/auditing/event-4663.md b/windows/security/threat-protection/auditing/event-4663.md index efa297ac08..d85a14bddf 100644 --- a/windows/security/threat-protection/auditing/event-4663.md +++ b/windows/security/threat-protection/auditing/event-4663.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4663(S): An attempt was made to access an object. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4663 illustration 
diff --git a/windows/security/threat-protection/auditing/event-4664.md b/windows/security/threat-protection/auditing/event-4664.md index 9c99e5f2bc..36c3d8aa08 100644 --- a/windows/security/threat-protection/auditing/event-4664.md +++ b/windows/security/threat-protection/auditing/event-4664.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4664(S): An attempt was made to create a hard link. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4664 illustration diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md index ea7d4dcf1e..0f070cd8f8 100644 --- a/windows/security/threat-protection/auditing/event-4670.md +++ b/windows/security/threat-protection/auditing/event-4670.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4670(S): Permissions on an object were changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4670 illustration diff --git a/windows/security/threat-protection/auditing/event-4671.md b/windows/security/threat-protection/auditing/event-4671.md index fb46f1fb5a..cc53508b8f 100644 --- a/windows/security/threat-protection/auditing/event-4671.md +++ b/windows/security/threat-protection/auditing/event-4671.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp 
@@ -16,11 +16,7 @@ ms.technology: mde # 4671(-): An application attempted to access a blocked ordinal through the TBS. -**Applies to** -- Windows 10 -- Windows Server 2016 - - +* Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. ***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md index 479e31207b..3e563025ba 100644 --- a/windows/security/threat-protection/auditing/event-4672.md +++ b/windows/security/threat-protection/auditing/event-4672.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 12/20/2018 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4672(S): Special privileges assigned to new logon. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4672 illustration
diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md index cf5ef8d500..82e7ac1332 100644 --- a/windows/security/threat-protection/auditing/event-4673.md +++ b/windows/security/threat-protection/auditing/event-4673.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4673(S, F): A privileged service was called. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4673 illustration diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md index 734ce174c2..7a4b1a3654 100644 --- a/windows/security/threat-protection/auditing/event-4674.md +++ b/windows/security/threat-protection/auditing/event-4674.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4674(S, F): An operation was attempted on a privileged object. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4674 illustration diff --git a/windows/security/threat-protection/auditing/event-4675.md b/windows/security/threat-protection/auditing/event-4675.md index 0af7742f2c..f2a5d0c97e 100644 --- a/windows/security/threat-protection/auditing/event-4675.md +++ b/windows/security/threat-protection/auditing/event-4675.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp 
@@ -16,10 +16,6 @@ ms.technology: mde # 4675(S): SIDs were filtered. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates when SIDs were filtered for specific Active Directory trust. diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index fbb93d7b9b..12b9206a7f 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4688(S): A new process has been created. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4688 illustration diff --git a/windows/security/threat-protection/auditing/event-4689.md b/windows/security/threat-protection/auditing/event-4689.md index 99bee451d9..49ec3f5924 100644 --- a/windows/security/threat-protection/auditing/event-4689.md +++ b/windows/security/threat-protection/auditing/event-4689.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4689(S): A process has exited. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4689 illustration diff --git a/windows/security/threat-protection/auditing/event-4690.md b/windows/security/threat-protection/auditing/event-4690.md index d7a23d1da4..14d2dcb02d 100644 --- a/windows/security/threat-protection/auditing/event-4690.md +++ b/windows/security/threat-protection/auditing/event-4690.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp 
@@ -16,10 +16,6 @@ ms.technology: mde # 4690(S): An attempt was made to duplicate a handle to an object. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4690 illustration diff --git a/windows/security/threat-protection/auditing/event-4691.md b/windows/security/threat-protection/auditing/event-4691.md index c7ea74bdd7..30a869d7fc 100644 --- a/windows/security/threat-protection/auditing/event-4691.md +++ b/windows/security/threat-protection/auditing/event-4691.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4691(S): Indirect access to an object was requested. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4691 illustration diff --git a/windows/security/threat-protection/auditing/event-4692.md b/windows/security/threat-protection/auditing/event-4692.md index 064c922cb4..7e1e0b5ab9 100644 --- a/windows/security/threat-protection/auditing/event-4692.md +++ b/windows/security/threat-protection/auditing/event-4692.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4692(S, F): Backup of data protection master key was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4692 illustration diff --git a/windows/security/threat-protection/auditing/event-4693.md b/windows/security/threat-protection/auditing/event-4693.md index 1359ef1968..1bf4eef838 100644 --- a/windows/security/threat-protection/auditing/event-4693.md +++ b/windows/security/threat-protection/auditing/event-4693.md 
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4693(S, F): Recovery of data protection master key was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4693 illustration diff --git a/windows/security/threat-protection/auditing/event-4694.md b/windows/security/threat-protection/auditing/event-4694.md index 0b35bda1ba..c6e3ca0a8c 100644 --- a/windows/security/threat-protection/auditing/event-4694.md +++ b/windows/security/threat-protection/auditing/event-4694.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4694(S, F): Protection of auditable protected data was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates if [DPAPI](/previous-versions/ms995355(v=msdn.10))  [**CryptProtectData**](/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata)() function was used with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled. diff --git a/windows/security/threat-protection/auditing/event-4695.md b/windows/security/threat-protection/auditing/event-4695.md index 9acd287be1..55d37910f6 100644 --- a/windows/security/threat-protection/auditing/event-4695.md +++ b/windows/security/threat-protection/auditing/event-4695.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp 
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4695(S, F): Unprotection of auditable protected data was attempted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event generates if [DPAPI](/previous-versions/ms995355(v=msdn.10)) [CryptUnprotectData](/windows/win32/api/dpapi/nf-dpapi-cryptunprotectdata)() function was used to unprotect “auditable” data that was encrypted using [**CryptProtectData**](/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata)() function with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled.
diff --git a/windows/security/threat-protection/auditing/event-4696.md b/windows/security/threat-protection/auditing/event-4696.md
index f156dc723b..c426f2bd9e 100644
--- a/windows/security/threat-protection/auditing/event-4696.md
+++ b/windows/security/threat-protection/auditing/event-4696.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4696(S): A primary token was assigned to process.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4696 illustration
diff --git a/windows/security/threat-protection/auditing/event-4697.md b/windows/security/threat-protection/auditing/event-4697.md
index 870352146b..4c6103a175 100644
--- a/windows/security/threat-protection/auditing/event-4697.md
+++ b/windows/security/threat-protection/auditing/event-4697.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4697(S): A service was installed in the system.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4697 illustration
diff --git a/windows/security/threat-protection/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md
index 9ca662fa59..e3f0385c69 100644
--- a/windows/security/threat-protection/auditing/event-4698.md
+++ b/windows/security/threat-protection/auditing/event-4698.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4698(S): A scheduled task was created.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4698 illustration
diff --git a/windows/security/threat-protection/auditing/event-4699.md b/windows/security/threat-protection/auditing/event-4699.md
index dd814dd942..b48820c643 100644
--- a/windows/security/threat-protection/auditing/event-4699.md
+++ b/windows/security/threat-protection/auditing/event-4699.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4699(S): A scheduled task was deleted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4699 illustration
From 32e0eca6386a01c736c791da4025534cab578c37 Mon Sep 17 00:00:00 2001
From: Ashok Lobo
Date: Tue, 7 Sep 2021 15:01:54 +0530
Subject: [PATCH 08/38] Updated for 5358843-files126to150
---
 windows/security/threat-protection/auditing/event-4700.md | 6 +-----
 windows/security/threat-protection/auditing/event-4701.md | 6 +-----
 windows/security/threat-protection/auditing/event-4702.md | 6 +-----
 windows/security/threat-protection/auditing/event-4703.md | 6 +-----
 windows/security/threat-protection/auditing/event-4704.md | 6 +-----
 windows/security/threat-protection/auditing/event-4705.md | 6 +-----
 windows/security/threat-protection/auditing/event-4706.md | 6 +-----
 windows/security/threat-protection/auditing/event-4707.md | 6 +-----
 windows/security/threat-protection/auditing/event-4713.md | 6 +-----
 windows/security/threat-protection/auditing/event-4714.md | 6 +-----
 windows/security/threat-protection/auditing/event-4715.md | 6 +-----
 windows/security/threat-protection/auditing/event-4716.md | 6 +-----
 windows/security/threat-protection/auditing/event-4717.md | 6 +-----
 windows/security/threat-protection/auditing/event-4718.md | 6 +-----
 windows/security/threat-protection/auditing/event-4719.md | 6 +-----
 windows/security/threat-protection/auditing/event-4720.md | 6 +-----
 windows/security/threat-protection/auditing/event-4722.md | 6 +-----
 windows/security/threat-protection/auditing/event-4723.md | 6 +-----
 windows/security/threat-protection/auditing/event-4724.md | 6 +-----
 windows/security/threat-protection/auditing/event-4725.md | 6 +-----
 windows/security/threat-protection/auditing/event-4726.md | 6 +-----
 windows/security/threat-protection/auditing/event-4731.md | 6 +-----
 windows/security/threat-protection/auditing/event-4732.md | 6 +-----
 windows/security/threat-protection/auditing/event-4733.md | 6 +-----
 windows/security/threat-protection/auditing/event-4734.md | 6 +-----
 25 files changed, 25 insertions(+), 125 deletions(-)
diff --git a/windows/security/threat-protection/auditing/event-4700.md b/windows/security/threat-protection/auditing/event-4700.md
index e72f7d19f0..6c44dbfa8d 100644
--- a/windows/security/threat-protection/auditing/event-4700.md
+++ b/windows/security/threat-protection/auditing/event-4700.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4700(S): A scheduled task was enabled.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4700 illustration
diff --git a/windows/security/threat-protection/auditing/event-4701.md b/windows/security/threat-protection/auditing/event-4701.md
index e407e2bbbb..0fa78f8923 100644
--- a/windows/security/threat-protection/auditing/event-4701.md
+++ b/windows/security/threat-protection/auditing/event-4701.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4701(S): A scheduled task was disabled.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4701 illustration
diff --git a/windows/security/threat-protection/auditing/event-4702.md b/windows/security/threat-protection/auditing/event-4702.md
index 15d128ceef..2ae3e2b5e3 100644
--- a/windows/security/threat-protection/auditing/event-4702.md
+++ b/windows/security/threat-protection/auditing/event-4702.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4702(S): A scheduled task was updated.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4702 illustration
diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md
index e8b7ecded9..a2d0ea1520 100644
--- a/windows/security/threat-protection/auditing/event-4703.md
+++ b/windows/security/threat-protection/auditing/event-4703.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4703(S): A user right was adjusted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4703 illustration
diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md
index cb6b95669b..04357bb664 100644
--- a/windows/security/threat-protection/auditing/event-4704.md
+++ b/windows/security/threat-protection/auditing/event-4704.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4704(S): A user right was assigned.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4704 illustration
diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md
index 5588e33560..0da39782ac 100644
--- a/windows/security/threat-protection/auditing/event-4705.md
+++ b/windows/security/threat-protection/auditing/event-4705.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4705(S): A user right was removed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4705 illustration
diff --git a/windows/security/threat-protection/auditing/event-4706.md b/windows/security/threat-protection/auditing/event-4706.md
index e0abbded89..5bceee43f2 100644
--- a/windows/security/threat-protection/auditing/event-4706.md
+++ b/windows/security/threat-protection/auditing/event-4706.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4706(S): A new trust was created to a domain.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4706 illustration
diff --git a/windows/security/threat-protection/auditing/event-4707.md b/windows/security/threat-protection/auditing/event-4707.md
index f16f66bdcd..66c5a3a235 100644
--- a/windows/security/threat-protection/auditing/event-4707.md
+++ b/windows/security/threat-protection/auditing/event-4707.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4707(S): A trust to a domain was removed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4707 illustration
diff --git a/windows/security/threat-protection/auditing/event-4713.md b/windows/security/threat-protection/auditing/event-4713.md
index 032446b19b..1fc0eda8ae 100644
--- a/windows/security/threat-protection/auditing/event-4713.md
+++ b/windows/security/threat-protection/auditing/event-4713.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4713(S): Kerberos policy was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4713 illustration
diff --git a/windows/security/threat-protection/auditing/event-4714.md b/windows/security/threat-protection/auditing/event-4714.md
index d7c176a754..c95647f342 100644
--- a/windows/security/threat-protection/auditing/event-4714.md
+++ b/windows/security/threat-protection/auditing/event-4714.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4714(S): Encrypted data recovery policy was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4714 illustration
diff --git a/windows/security/threat-protection/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md
index d4e9d14839..54836c643a 100644
--- a/windows/security/threat-protection/auditing/event-4715.md
+++ b/windows/security/threat-protection/auditing/event-4715.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4715(S): The audit policy (SACL) on an object was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4715 illustration
diff --git a/windows/security/threat-protection/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md
index 1cd47c82c4..3b035321b0 100644
--- a/windows/security/threat-protection/auditing/event-4716.md
+++ b/windows/security/threat-protection/auditing/event-4716.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/04/2019
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4716(S): Trusted domain information was modified.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4716 illustration
diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md
index bd3378f122..0d79674053 100644
--- a/windows/security/threat-protection/auditing/event-4717.md
+++ b/windows/security/threat-protection/auditing/event-4717.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4717(S): System security access was granted to an account.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4717 illustration
diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md
index 4c8c676ce4..22f9f3a64a 100644
--- a/windows/security/threat-protection/auditing/event-4718.md
+++ b/windows/security/threat-protection/auditing/event-4718.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4718(S): System security access was removed from an account.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4718 illustration
diff --git a/windows/security/threat-protection/auditing/event-4719.md b/windows/security/threat-protection/auditing/event-4719.md
index 98469b6945..dc67d391cf 100644
--- a/windows/security/threat-protection/auditing/event-4719.md
+++ b/windows/security/threat-protection/auditing/event-4719.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4719(S): System audit policy was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4719 illustration
diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md
index 1569aebb53..1500cd23c9 100644
--- a/windows/security/threat-protection/auditing/event-4720.md
+++ b/windows/security/threat-protection/auditing/event-4720.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4720(S): A user account was created.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4720 illustration
diff --git a/windows/security/threat-protection/auditing/event-4722.md b/windows/security/threat-protection/auditing/event-4722.md
index e156a9bedf..6b10efb7c8 100644
--- a/windows/security/threat-protection/auditing/event-4722.md
+++ b/windows/security/threat-protection/auditing/event-4722.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4722(S): A user account was enabled.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4722 illustration
diff --git a/windows/security/threat-protection/auditing/event-4723.md b/windows/security/threat-protection/auditing/event-4723.md
index 8a2eb1aa9b..2208f2ae0e 100644
--- a/windows/security/threat-protection/auditing/event-4723.md
+++ b/windows/security/threat-protection/auditing/event-4723.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4723(S, F): An attempt was made to change an account's password.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4723 illustration
diff --git a/windows/security/threat-protection/auditing/event-4724.md b/windows/security/threat-protection/auditing/event-4724.md
index f360a13828..104704dc32 100644
--- a/windows/security/threat-protection/auditing/event-4724.md
+++ b/windows/security/threat-protection/auditing/event-4724.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4724(S, F): An attempt was made to reset an account's password.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4724 illustration
diff --git a/windows/security/threat-protection/auditing/event-4725.md b/windows/security/threat-protection/auditing/event-4725.md
index 5be795b261..0b6ed0593a 100644
--- a/windows/security/threat-protection/auditing/event-4725.md
+++ b/windows/security/threat-protection/auditing/event-4725.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4725(S): A user account was disabled.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4725 illustration
diff --git a/windows/security/threat-protection/auditing/event-4726.md b/windows/security/threat-protection/auditing/event-4726.md
index f8f7ffba8c..03f7cab6c8 100644
--- a/windows/security/threat-protection/auditing/event-4726.md
+++ b/windows/security/threat-protection/auditing/event-4726.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4726(S): A user account was deleted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4726 illustration
diff --git a/windows/security/threat-protection/auditing/event-4731.md b/windows/security/threat-protection/auditing/event-4731.md
index 78d8e0e0c8..ecbe498b31 100644
--- a/windows/security/threat-protection/auditing/event-4731.md
+++ b/windows/security/threat-protection/auditing/event-4731.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4731(S): A security-enabled local group was created.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4731 illustration
diff --git a/windows/security/threat-protection/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md
index 2619367fa3..b837e2da3a 100644
--- a/windows/security/threat-protection/auditing/event-4732.md
+++ b/windows/security/threat-protection/auditing/event-4732.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4732(S): A member was added to a security-enabled local group.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4732 illustration
diff --git a/windows/security/threat-protection/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md
index 219ebdc036..1ff01f46dd 100644
--- a/windows/security/threat-protection/auditing/event-4733.md
+++ b/windows/security/threat-protection/auditing/event-4733.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4733(S): A member was removed from a security-enabled local group.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4733 illustration
diff --git a/windows/security/threat-protection/auditing/event-4734.md b/windows/security/threat-protection/auditing/event-4734.md
index df33b3726f..7fc762a800 100644
--- a/windows/security/threat-protection/auditing/event-4734.md
+++ b/windows/security/threat-protection/auditing/event-4734.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4734(S): A security-enabled local group was deleted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4734 illustration
From 250259127afc84bbb08c8b1e2aeed5febf0c0c37 Mon Sep 17 00:00:00 2001
From: Ashok Lobo
Date: Tue, 7 Sep 2021 17:32:20 +0530
Subject: [PATCH 09/38] Updated for 5358843-files151to175
---
 windows/security/threat-protection/auditing/event-4735.md | 6 +-----
 windows/security/threat-protection/auditing/event-4738.md | 6 +-----
 windows/security/threat-protection/auditing/event-4739.md | 6 +-----
 windows/security/threat-protection/auditing/event-4740.md | 6 +-----
 windows/security/threat-protection/auditing/event-4741.md | 6 +-----
 windows/security/threat-protection/auditing/event-4742.md | 6 +-----
 windows/security/threat-protection/auditing/event-4743.md | 6 +-----
 windows/security/threat-protection/auditing/event-4749.md | 6 +-----
 windows/security/threat-protection/auditing/event-4750.md | 6 +-----
 windows/security/threat-protection/auditing/event-4751.md | 6 +-----
 windows/security/threat-protection/auditing/event-4752.md | 6 +-----
 windows/security/threat-protection/auditing/event-4753.md | 6 +-----
 windows/security/threat-protection/auditing/event-4764.md | 5 +----
 windows/security/threat-protection/auditing/event-4765.md | 6 +-----
 windows/security/threat-protection/auditing/event-4766.md | 6 +-----
 windows/security/threat-protection/auditing/event-4767.md | 6 +-----
 windows/security/threat-protection/auditing/event-4768.md | 6 +-----
 windows/security/threat-protection/auditing/event-4769.md | 6 +-----
 windows/security/threat-protection/auditing/event-4770.md | 6 +-----
 windows/security/threat-protection/auditing/event-4771.md | 6 +-----
 windows/security/threat-protection/auditing/event-4772.md | 6 +-----
 windows/security/threat-protection/auditing/event-4773.md | 6 +-----
 windows/security/threat-protection/auditing/event-4774.md | 5 +----
 windows/security/threat-protection/auditing/event-4775.md | 6 +-----
 windows/security/threat-protection/auditing/event-4776.md | 6 +-----
 25 files changed, 25 insertions(+), 123 deletions(-)
diff --git a/windows/security/threat-protection/auditing/event-4735.md b/windows/security/threat-protection/auditing/event-4735.md
index 14d1e6df28..ebd05f8b62 100644
--- a/windows/security/threat-protection/auditing/event-4735.md
+++ b/windows/security/threat-protection/auditing/event-4735.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4735(S): A security-enabled local group was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4735 illustration
diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md
index f62d7e4ba8..1beea8a564 100644
--- a/windows/security/threat-protection/auditing/event-4738.md
+++ b/windows/security/threat-protection/auditing/event-4738.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4738(S): A user account was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4738 illustration
diff --git a/windows/security/threat-protection/auditing/event-4739.md b/windows/security/threat-protection/auditing/event-4739.md
index e3268f4c69..d8417cef87 100644
--- a/windows/security/threat-protection/auditing/event-4739.md
+++ b/windows/security/threat-protection/auditing/event-4739.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4739(S): Domain Policy was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4739 illustration
diff --git a/windows/security/threat-protection/auditing/event-4740.md b/windows/security/threat-protection/auditing/event-4740.md
index db7139e935..095b90641e 100644
--- a/windows/security/threat-protection/auditing/event-4740.md
+++ b/windows/security/threat-protection/auditing/event-4740.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4740(S): A user account was locked out.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4740 illustration
diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md
index 6c83f23d1e..c09ba86137 100644
--- a/windows/security/threat-protection/auditing/event-4741.md
+++ b/windows/security/threat-protection/auditing/event-4741.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4741(S): A computer account was created.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4741 illustration
diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md
index 5d0cda5110..b838e77a00 100644
--- a/windows/security/threat-protection/auditing/event-4742.md
+++ b/windows/security/threat-protection/auditing/event-4742.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4742(S): A computer account was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4742 illustration
diff --git a/windows/security/threat-protection/auditing/event-4743.md b/windows/security/threat-protection/auditing/event-4743.md
index 3402a5e1d7..064855d936 100644
--- a/windows/security/threat-protection/auditing/event-4743.md
+++ b/windows/security/threat-protection/auditing/event-4743.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4743(S): A computer account was deleted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4743 illustration
diff --git a/windows/security/threat-protection/auditing/event-4749.md b/windows/security/threat-protection/auditing/event-4749.md
index 478ae9e021..e1990c4f1e 100644
--- a/windows/security/threat-protection/auditing/event-4749.md
+++ b/windows/security/threat-protection/auditing/event-4749.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4749(S): A security-disabled global group was created.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4749 illustration
diff --git a/windows/security/threat-protection/auditing/event-4750.md b/windows/security/threat-protection/auditing/event-4750.md
index 1a8a03f92a..9ebd361c00 100644
--- a/windows/security/threat-protection/auditing/event-4750.md
+++ b/windows/security/threat-protection/auditing/event-4750.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4750(S): A security-disabled global group was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4750 illustration
diff --git a/windows/security/threat-protection/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md
index cc06f2ae5d..c187c0da6a 100644
--- a/windows/security/threat-protection/auditing/event-4751.md
+++ b/windows/security/threat-protection/auditing/event-4751.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4751(S): A member was added to a security-disabled global group.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4751 illustration
diff --git a/windows/security/threat-protection/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md
index ef79c01bca..642eb6b948 100644
--- a/windows/security/threat-protection/auditing/event-4752.md
+++ b/windows/security/threat-protection/auditing/event-4752.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4752(S): A member was removed from a security-disabled global group.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4752 illustration
diff --git a/windows/security/threat-protection/auditing/event-4753.md b/windows/security/threat-protection/auditing/event-4753.md
index 45b9de0d33..cf4ada677c 100644
--- a/windows/security/threat-protection/auditing/event-4753.md
+++ b/windows/security/threat-protection/auditing/event-4753.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4753(S): A security-disabled global group was deleted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4753 illustration
diff --git a/windows/security/threat-protection/auditing/event-4764.md b/windows/security/threat-protection/auditing/event-4764.md
index 3b50ba9bf1..073049f2bf 100644
--- a/windows/security/threat-protection/auditing/event-4764.md
+++ b/windows/security/threat-protection/auditing/event-4764.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,9 +16,6 @@ ms.technology: mde
 # 4764(S): A group’s type was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
 Event 4764 illustration
diff --git a/windows/security/threat-protection/auditing/event-4765.md b/windows/security/threat-protection/auditing/event-4765.md
index ff685d9081..472f9a92d0 100644
--- a/windows/security/threat-protection/auditing/event-4765.md
+++ b/windows/security/threat-protection/auditing/event-4765.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4765(S): SID History was added to an account.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event generates when [SID History](/windows/win32/adschema/a-sidhistory) was added to an account.
diff --git a/windows/security/threat-protection/auditing/event-4766.md b/windows/security/threat-protection/auditing/event-4766.md
index 7593423b22..bf5820689e 100644
--- a/windows/security/threat-protection/auditing/event-4766.md
+++ b/windows/security/threat-protection/auditing/event-4766.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4766(F): An attempt to add SID History to an account failed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event generates when an attempt to add [SID History](/windows/win32/adschema/a-sidhistory) to an account failed.
diff --git a/windows/security/threat-protection/auditing/event-4767.md b/windows/security/threat-protection/auditing/event-4767.md
index cf7b13e4f0..4b580f7dc0 100644
--- a/windows/security/threat-protection/auditing/event-4767.md
+++ b/windows/security/threat-protection/auditing/event-4767.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4767(S): A user account was unlocked.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4767 illustration
diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md
index 64156ecd85..9509c1486b 100644
--- a/windows/security/threat-protection/auditing/event-4768.md
+++ b/windows/security/threat-protection/auditing/event-4768.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4768(S, F): A Kerberos authentication ticket (TGT) was requested.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 :::image type="content" alt-text="Event 4768 illustration." source="images/event-4768.png":::
diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md
index 5c460724b8..1790274e2c 100644
--- a/windows/security/threat-protection/auditing/event-4769.md
+++ b/windows/security/threat-protection/auditing/event-4769.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4769(S, F): A Kerberos service ticket was requested.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4769 illustration
diff --git a/windows/security/threat-protection/auditing/event-4770.md b/windows/security/threat-protection/auditing/event-4770.md
index ac38dc82f9..6a1627d7df 100644
--- a/windows/security/threat-protection/auditing/event-4770.md
+++ b/windows/security/threat-protection/auditing/event-4770.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4770(S): A Kerberos service ticket was renewed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4770 illustration
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
index c5aea23ecb..9891a617a0 100644
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 07/23/2020
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4771(F): Kerberos pre-authentication failed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4771 illustration
diff --git a/windows/security/threat-protection/auditing/event-4772.md b/windows/security/threat-protection/auditing/event-4772.md
index 2124b16bb1..c93994b2ed 100644
--- a/windows/security/threat-protection/auditing/event-4772.md
+++ b/windows/security/threat-protection/auditing/event-4772.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4772(F): A Kerberos authentication ticket request failed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4768](event-4768.md) failure event is generated instead.
diff --git a/windows/security/threat-protection/auditing/event-4773.md b/windows/security/threat-protection/auditing/event-4773.md
index ba672478d8..3d4e1fe09b 100644
--- a/windows/security/threat-protection/auditing/event-4773.md
+++ b/windows/security/threat-protection/auditing/event-4773.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4773(F): A Kerberos service ticket request failed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4769](event-4769.md) failure event is generated instead.
diff --git a/windows/security/threat-protection/auditing/event-4774.md b/windows/security/threat-protection/auditing/event-4774.md
index 08eb0fe72f..4c01962461 100644
--- a/windows/security/threat-protection/auditing/event-4774.md
+++ b/windows/security/threat-protection/auditing/event-4774.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,9 +16,6 @@ ms.technology: mde
 # 4774(S, F): An account was mapped for logon.
-**Applies to**
-- Windows 10
-- Windows Server 2016
 Success events do not appear to occur. Failure event [has been reported](http://forum.ultimatewindowssecurity.com/Topic7313-282-1.aspx).
diff --git a/windows/security/threat-protection/auditing/event-4775.md b/windows/security/threat-protection/auditing/event-4775.md
index cf27ccdf2a..c9e4a319e8 100644
--- a/windows/security/threat-protection/auditing/event-4775.md
+++ b/windows/security/threat-protection/auditing/event-4775.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4775(F): An account could not be mapped for logon.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 It appears that this event never occurs.
diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md
index 75dc6a4a69..7da08c0312 100644
--- a/windows/security/threat-protection/auditing/event-4776.md
+++ b/windows/security/threat-protection/auditing/event-4776.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4776(S, F): The computer attempted to validate the credentials for an account.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4776 illustration
From c3fbd0d66deef9113652c390cfad359e6e46eec2 Mon Sep 17 00:00:00 2001
From: Ashok Lobo Date: Tue, 7 Sep 2021 18:02:06 +0530 Subject: [PATCH 10/38] Updated for 5358843-files176to200 --- windows/security/threat-protection/auditing/event-4777.md | 6 +----- windows/security/threat-protection/auditing/event-4778.md | 6 +----- windows/security/threat-protection/auditing/event-4779.md | 6 +----- windows/security/threat-protection/auditing/event-4780.md | 6 +----- windows/security/threat-protection/auditing/event-4781.md | 6 +----- windows/security/threat-protection/auditing/event-4782.md | 6 +----- windows/security/threat-protection/auditing/event-4793.md | 6 +----- windows/security/threat-protection/auditing/event-4794.md | 6 +----- windows/security/threat-protection/auditing/event-4798.md | 6 +----- windows/security/threat-protection/auditing/event-4799.md | 6 +----- windows/security/threat-protection/auditing/event-4800.md | 6 +----- windows/security/threat-protection/auditing/event-4801.md | 6 +----- windows/security/threat-protection/auditing/event-4802.md | 6 +----- windows/security/threat-protection/auditing/event-4803.md | 6 +----- windows/security/threat-protection/auditing/event-4816.md | 6 +----- windows/security/threat-protection/auditing/event-4817.md | 6 +----- windows/security/threat-protection/auditing/event-4818.md | 6 +----- windows/security/threat-protection/auditing/event-4819.md | 6 +----- windows/security/threat-protection/auditing/event-4826.md | 6 +----- windows/security/threat-protection/auditing/event-4864.md | 6 +----- windows/security/threat-protection/auditing/event-4865.md | 6 +----- windows/security/threat-protection/auditing/event-4866.md | 6 +----- windows/security/threat-protection/auditing/event-4867.md | 6 +----- windows/security/threat-protection/auditing/event-4902.md | 6 +----- windows/security/threat-protection/auditing/event-4904.md | 6 +----- 25 files changed, 25 insertions(+), 125 deletions(-) 
diff --git a/windows/security/threat-protection/auditing/event-4777.md b/windows/security/threat-protection/auditing/event-4777.md
index 28a4b42d08..f5b01ce6aa 100644
--- a/windows/security/threat-protection/auditing/event-4777.md
+++ b/windows/security/threat-protection/auditing/event-4777.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4777(F): The domain controller failed to validate the credentials for an account.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4776](event-4776.md) failure event is generated instead.
diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md
index 8293e41487..f7278c0017 100644
--- a/windows/security/threat-protection/auditing/event-4778.md
+++ b/windows/security/threat-protection/auditing/event-4778.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4778(S): A session was reconnected to a Window Station.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4778 illustration
diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md
index 29836498cc..3f34f106e4 100644
--- a/windows/security/threat-protection/auditing/event-4779.md
+++ b/windows/security/threat-protection/auditing/event-4779.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4779(S): A session was disconnected from a Window Station.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4779 illustration
diff --git a/windows/security/threat-protection/auditing/event-4780.md b/windows/security/threat-protection/auditing/event-4780.md
index 00faedae10..94b8733eab 100644
--- a/windows/security/threat-protection/auditing/event-4780.md
+++ b/windows/security/threat-protection/auditing/event-4780.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4780(S): The ACL was set on accounts which are members of administrators groups.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Every hour, the domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative or security-sensitive groups and which have AdminCount attribute = 1 against the ACL on the [AdminSDHolder](/previous-versions/technet-magazine/ee361593(v=msdn.10)) object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated.
diff --git a/windows/security/threat-protection/auditing/event-4781.md b/windows/security/threat-protection/auditing/event-4781.md
index 2adb3bcac5..0e7051d0c0 100644
--- a/windows/security/threat-protection/auditing/event-4781.md
+++ b/windows/security/threat-protection/auditing/event-4781.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4781(S): The name of an account was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4781 illustration
diff --git a/windows/security/threat-protection/auditing/event-4782.md b/windows/security/threat-protection/auditing/event-4782.md
index e0ecc19336..0d7d285e29 100644
--- a/windows/security/threat-protection/auditing/event-4782.md
+++ b/windows/security/threat-protection/auditing/event-4782.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4782(S): The password hash of an account was accessed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4782 illustration
diff --git a/windows/security/threat-protection/auditing/event-4793.md b/windows/security/threat-protection/auditing/event-4793.md
index 4b75a802d5..d471201647 100644
--- a/windows/security/threat-protection/auditing/event-4793.md
+++ b/windows/security/threat-protection/auditing/event-4793.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4793(S): The Password Policy Checking API was called.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4793 illustration
diff --git a/windows/security/threat-protection/auditing/event-4794.md b/windows/security/threat-protection/auditing/event-4794.md
index 6e585048c1..6901d09cbe 100644
--- a/windows/security/threat-protection/auditing/event-4794.md
+++ b/windows/security/threat-protection/auditing/event-4794.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4794(S, F): An attempt was made to set the Directory Services Restore Mode administrator password.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4794 illustration
diff --git a/windows/security/threat-protection/auditing/event-4798.md b/windows/security/threat-protection/auditing/event-4798.md
index 3fddfd9b65..15a1328384 100644
--- a/windows/security/threat-protection/auditing/event-4798.md
+++ b/windows/security/threat-protection/auditing/event-4798.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4798(S): A user's local group membership was enumerated.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4798 illustration
diff --git a/windows/security/threat-protection/auditing/event-4799.md b/windows/security/threat-protection/auditing/event-4799.md
index 18b337fcdc..92441ae64b 100644
--- a/windows/security/threat-protection/auditing/event-4799.md
+++ b/windows/security/threat-protection/auditing/event-4799.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4799(S): A security-enabled local group membership was enumerated.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4799 illustration
diff --git a/windows/security/threat-protection/auditing/event-4800.md b/windows/security/threat-protection/auditing/event-4800.md
index 92c543f8b0..2e468c9d92 100644
--- a/windows/security/threat-protection/auditing/event-4800.md
+++ b/windows/security/threat-protection/auditing/event-4800.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4800(S): The workstation was locked.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4800 illustration
diff --git a/windows/security/threat-protection/auditing/event-4801.md b/windows/security/threat-protection/auditing/event-4801.md
index ed7c8ec85c..7da15cbbe7 100644
--- a/windows/security/threat-protection/auditing/event-4801.md
+++ b/windows/security/threat-protection/auditing/event-4801.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4801(S): The workstation was unlocked.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4801 illustration
diff --git a/windows/security/threat-protection/auditing/event-4802.md b/windows/security/threat-protection/auditing/event-4802.md
index 9f5fa2b8e3..7ea6add001 100644
--- a/windows/security/threat-protection/auditing/event-4802.md
+++ b/windows/security/threat-protection/auditing/event-4802.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4802(S): The screen saver was invoked.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4802 illustration
diff --git a/windows/security/threat-protection/auditing/event-4803.md b/windows/security/threat-protection/auditing/event-4803.md
index 20304e4527..4971789fd3 100644
--- a/windows/security/threat-protection/auditing/event-4803.md
+++ b/windows/security/threat-protection/auditing/event-4803.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4803(S): The screen saver was dismissed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4803 illustration
diff --git a/windows/security/threat-protection/auditing/event-4816.md b/windows/security/threat-protection/auditing/event-4816.md
index 9e36c52bb1..a2c127435d 100644
--- a/windows/security/threat-protection/auditing/event-4816.md
+++ b/windows/security/threat-protection/auditing/event-4816.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4816(S): RPC detected an integrity violation while decrypting an incoming message.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This message generates if RPC detected an integrity violation while decrypting an incoming message.
diff --git a/windows/security/threat-protection/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md
index 0b0fc16bf7..3744b68704 100644
--- a/windows/security/threat-protection/auditing/event-4817.md
+++ b/windows/security/threat-protection/auditing/event-4817.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4817(S): Auditing settings on object were changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4817 illustration
diff --git a/windows/security/threat-protection/auditing/event-4818.md b/windows/security/threat-protection/auditing/event-4818.md
index 05266e39e5..c71a145e05 100644
--- a/windows/security/threat-protection/auditing/event-4818.md
+++ b/windows/security/threat-protection/auditing/event-4818.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4818 illustration
diff --git a/windows/security/threat-protection/auditing/event-4819.md b/windows/security/threat-protection/auditing/event-4819.md
index 3751b39e45..f3acc685b2 100644
--- a/windows/security/threat-protection/auditing/event-4819.md
+++ b/windows/security/threat-protection/auditing/event-4819.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4819(S): Central Access Policies on the machine have been changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4819 illustration
diff --git a/windows/security/threat-protection/auditing/event-4826.md b/windows/security/threat-protection/auditing/event-4826.md
index 2e78b4c653..27f8cbeb41 100644
--- a/windows/security/threat-protection/auditing/event-4826.md
+++ b/windows/security/threat-protection/auditing/event-4826.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4826(S): Boot Configuration Data loaded.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4826 illustration
diff --git a/windows/security/threat-protection/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md
index ca1995291e..aec977eddd 100644
--- a/windows/security/threat-protection/auditing/event-4864.md
+++ b/windows/security/threat-protection/auditing/event-4864.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4864(S): A namespace collision was detected.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event is generated when a namespace collision was detected.
diff --git a/windows/security/threat-protection/auditing/event-4865.md b/windows/security/threat-protection/auditing/event-4865.md
index 063eb88afc..994d2407a3 100644
--- a/windows/security/threat-protection/auditing/event-4865.md
+++ b/windows/security/threat-protection/auditing/event-4865.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4865(S): A trusted forest information entry was added.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4865 illustration
diff --git a/windows/security/threat-protection/auditing/event-4866.md b/windows/security/threat-protection/auditing/event-4866.md
index 922d662887..ad75bb1d68 100644
--- a/windows/security/threat-protection/auditing/event-4866.md
+++ b/windows/security/threat-protection/auditing/event-4866.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4866(S): A trusted forest information entry was removed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4866 illustration
diff --git a/windows/security/threat-protection/auditing/event-4867.md b/windows/security/threat-protection/auditing/event-4867.md
index a8fdb4a693..e82918ba71 100644
--- a/windows/security/threat-protection/auditing/event-4867.md
+++ b/windows/security/threat-protection/auditing/event-4867.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4867(S): A trusted forest information entry was modified.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4867 illustration
diff --git a/windows/security/threat-protection/auditing/event-4902.md b/windows/security/threat-protection/auditing/event-4902.md
index d5a7640b84..67d2817434 100644
--- a/windows/security/threat-protection/auditing/event-4902.md
+++ b/windows/security/threat-protection/auditing/event-4902.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4902(S): The Per-user audit policy table was created.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4902 illustration
diff --git a/windows/security/threat-protection/auditing/event-4904.md b/windows/security/threat-protection/auditing/event-4904.md
index 268606eab6..0a72ca6e45 100644
--- a/windows/security/threat-protection/auditing/event-4904.md
+++ b/windows/security/threat-protection/auditing/event-4904.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4904(S): An attempt was made to register a security event source.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4904 illustration
From 886fe03c61ebde904f41f554cdb74d008fce8295 Mon Sep 17 00:00:00 2001
From: Ashok Lobo Date: Wed, 8 Sep 2021 12:37:47 +0530 Subject: [PATCH 11/38] Updated for - 5358843-files201to225 --- windows/security/threat-protection/auditing/event-4905.md | 6 +----- windows/security/threat-protection/auditing/event-4906.md | 6 +----- windows/security/threat-protection/auditing/event-4907.md | 6 +----- windows/security/threat-protection/auditing/event-4908.md | 6 +----- windows/security/threat-protection/auditing/event-4909.md | 6 +----- windows/security/threat-protection/auditing/event-4910.md | 6 +----- windows/security/threat-protection/auditing/event-4911.md | 6 +----- windows/security/threat-protection/auditing/event-4912.md | 6 +----- windows/security/threat-protection/auditing/event-4913.md | 6 +----- windows/security/threat-protection/auditing/event-4928.md | 6 +----- windows/security/threat-protection/auditing/event-4929.md | 6 +----- windows/security/threat-protection/auditing/event-4930.md | 6 +----- windows/security/threat-protection/auditing/event-4931.md | 6 +----- windows/security/threat-protection/auditing/event-4932.md | 6 +----- windows/security/threat-protection/auditing/event-4933.md | 6 +----- windows/security/threat-protection/auditing/event-4934.md | 6 +----- windows/security/threat-protection/auditing/event-4935.md | 6 +----- windows/security/threat-protection/auditing/event-4936.md | 6 +----- windows/security/threat-protection/auditing/event-4937.md | 6 +----- windows/security/threat-protection/auditing/event-4944.md | 6 +----- windows/security/threat-protection/auditing/event-4945.md | 6 +----- windows/security/threat-protection/auditing/event-4946.md | 6 +----- windows/security/threat-protection/auditing/event-4947.md | 6 +----- windows/security/threat-protection/auditing/event-4948.md | 6 +----- windows/security/threat-protection/auditing/event-4949.md | 6 +----- 25 files changed, 25 insertions(+), 125 deletions(-) 
diff --git a/windows/security/threat-protection/auditing/event-4905.md b/windows/security/threat-protection/auditing/event-4905.md
index 65338f9f64..2bc2194af3 100644
--- a/windows/security/threat-protection/auditing/event-4905.md
+++ b/windows/security/threat-protection/auditing/event-4905.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4905(S): An attempt was made to unregister a security event source.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4905 illustration
diff --git a/windows/security/threat-protection/auditing/event-4906.md b/windows/security/threat-protection/auditing/event-4906.md
index 49269c1eb3..5f8556c594 100644
--- a/windows/security/threat-protection/auditing/event-4906.md
+++ b/windows/security/threat-protection/auditing/event-4906.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4906(S): The CrashOnAuditFail value has changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4906 illustration
diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md
index e8f78c11b1..54960760dd 100644
--- a/windows/security/threat-protection/auditing/event-4907.md
+++ b/windows/security/threat-protection/auditing/event-4907.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4907(S): Auditing settings on object were changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4907 illustration
diff --git a/windows/security/threat-protection/auditing/event-4908.md b/windows/security/threat-protection/auditing/event-4908.md
index 3a12a949e0..4b00b7dc48 100644
--- a/windows/security/threat-protection/auditing/event-4908.md
+++ b/windows/security/threat-protection/auditing/event-4908.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4908(S): Special Groups Logon table modified.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4908 illustration
diff --git a/windows/security/threat-protection/auditing/event-4909.md b/windows/security/threat-protection/auditing/event-4909.md
index 9c3b067418..77f5ddd123 100644
--- a/windows/security/threat-protection/auditing/event-4909.md
+++ b/windows/security/threat-protection/auditing/event-4909.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4909(-): The local policy settings for the TBS were changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system.
diff --git a/windows/security/threat-protection/auditing/event-4910.md b/windows/security/threat-protection/auditing/event-4910.md
index 948c3a6dab..0c3e27cbcd 100644
--- a/windows/security/threat-protection/auditing/event-4910.md
+++ b/windows/security/threat-protection/auditing/event-4910.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde # 4910(-): The group policy settings for the TBS were changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md index cf47c889e0..34506e27c7 100644 --- a/windows/security/threat-protection/auditing/event-4911.md +++ b/windows/security/threat-protection/auditing/event-4911.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4911(S): Resource attributes of the object were changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4911 illustration diff --git a/windows/security/threat-protection/auditing/event-4912.md b/windows/security/threat-protection/auditing/event-4912.md index e4bc6d9d43..cd13c3c6ed 100644 --- a/windows/security/threat-protection/auditing/event-4912.md +++ b/windows/security/threat-protection/auditing/event-4912.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4912(S): Per User Audit Policy was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4912 illustration diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md index 51ff7291cb..88f5b9912c 100644 --- a/windows/security/threat-protection/auditing/event-4913.md +++ b/windows/security/threat-protection/auditing/event-4913.md 
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4913(S): Central Access Policy on the object was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4913 illustration
diff --git a/windows/security/threat-protection/auditing/event-4928.md b/windows/security/threat-protection/auditing/event-4928.md
index 166bc42cf3..c771de77c7 100644
--- a/windows/security/threat-protection/auditing/event-4928.md
+++ b/windows/security/threat-protection/auditing/event-4928.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4928(S, F): An Active Directory replica source naming context was established.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4928 illustration
diff --git a/windows/security/threat-protection/auditing/event-4929.md b/windows/security/threat-protection/auditing/event-4929.md
index ab04f9ab17..8befaf8042 100644
--- a/windows/security/threat-protection/auditing/event-4929.md
+++ b/windows/security/threat-protection/auditing/event-4929.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4929(S, F): An Active Directory replica source naming context was removed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4929 illustration
diff --git a/windows/security/threat-protection/auditing/event-4930.md b/windows/security/threat-protection/auditing/event-4930.md
index 3897b1bd01..9b7133cbec 100644
--- a/windows/security/threat-protection/auditing/event-4930.md
+++ b/windows/security/threat-protection/auditing/event-4930.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4930(S, F): An Active Directory replica source naming context was modified.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4930 illustration
diff --git a/windows/security/threat-protection/auditing/event-4931.md b/windows/security/threat-protection/auditing/event-4931.md
index dfb00ceb91..9be2c0b308 100644
--- a/windows/security/threat-protection/auditing/event-4931.md
+++ b/windows/security/threat-protection/auditing/event-4931.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4931(S, F): An Active Directory replica destination naming context was modified.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4931 illustration
diff --git a/windows/security/threat-protection/auditing/event-4932.md b/windows/security/threat-protection/auditing/event-4932.md
index 13f42ce386..2fe1488145 100644
--- a/windows/security/threat-protection/auditing/event-4932.md
+++ b/windows/security/threat-protection/auditing/event-4932.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4932(S): Synchronization of a replica of an Active Directory naming context has begun.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4932 illustration
diff --git a/windows/security/threat-protection/auditing/event-4933.md b/windows/security/threat-protection/auditing/event-4933.md
index b4f0784a45..763c17876e 100644
--- a/windows/security/threat-protection/auditing/event-4933.md
+++ b/windows/security/threat-protection/auditing/event-4933.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4933(S, F): Synchronization of a replica of an Active Directory naming context has ended.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4933 illustration
diff --git a/windows/security/threat-protection/auditing/event-4934.md b/windows/security/threat-protection/auditing/event-4934.md
index ffc4b9b4a3..edfe9bb645 100644
--- a/windows/security/threat-protection/auditing/event-4934.md
+++ b/windows/security/threat-protection/auditing/event-4934.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4934(S): Attributes of an Active Directory object were replicated.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event generates when attributes of an Active Directory object were replicated.
diff --git a/windows/security/threat-protection/auditing/event-4935.md b/windows/security/threat-protection/auditing/event-4935.md
index f2910784e6..6473cffbe6 100644
--- a/windows/security/threat-protection/auditing/event-4935.md
+++ b/windows/security/threat-protection/auditing/event-4935.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4935(F): Replication failure begins.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4935 illustration
diff --git a/windows/security/threat-protection/auditing/event-4936.md b/windows/security/threat-protection/auditing/event-4936.md
index 3f808bf11d..e87cf4d53e 100644
--- a/windows/security/threat-protection/auditing/event-4936.md
+++ b/windows/security/threat-protection/auditing/event-4936.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4936(S): Replication failure ends.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event generates when Active Directory replication failure ends.
diff --git a/windows/security/threat-protection/auditing/event-4937.md b/windows/security/threat-protection/auditing/event-4937.md
index 2775be1c5d..6c1f85f0a7 100644
--- a/windows/security/threat-protection/auditing/event-4937.md
+++ b/windows/security/threat-protection/auditing/event-4937.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4937(S): A lingering object was removed from a replica.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event generates when a [lingering object](https://support.microsoft.com/kb/910205) was removed from a replica.
diff --git a/windows/security/threat-protection/auditing/event-4944.md b/windows/security/threat-protection/auditing/event-4944.md
index 3821d18e1b..046a35e163 100644
--- a/windows/security/threat-protection/auditing/event-4944.md
+++ b/windows/security/threat-protection/auditing/event-4944.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4944(S): The following policy was active when the Windows Firewall started.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4944 illustration
diff --git a/windows/security/threat-protection/auditing/event-4945.md b/windows/security/threat-protection/auditing/event-4945.md
index da8105bffc..c76d313b14 100644
--- a/windows/security/threat-protection/auditing/event-4945.md
+++ b/windows/security/threat-protection/auditing/event-4945.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4945(S): A rule was listed when the Windows Firewall started.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4945 illustration
diff --git a/windows/security/threat-protection/auditing/event-4946.md b/windows/security/threat-protection/auditing/event-4946.md
index 30ae25fd28..4279a425ff 100644
--- a/windows/security/threat-protection/auditing/event-4946.md
+++ b/windows/security/threat-protection/auditing/event-4946.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4946(S): A change has been made to Windows Firewall exception list. A rule was added.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4946 illustration
diff --git a/windows/security/threat-protection/auditing/event-4947.md b/windows/security/threat-protection/auditing/event-4947.md
index b38eef6371..48613fd427 100644
--- a/windows/security/threat-protection/auditing/event-4947.md
+++ b/windows/security/threat-protection/auditing/event-4947.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4947(S): A change has been made to Windows Firewall exception list. A rule was modified.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4947 illustration
diff --git a/windows/security/threat-protection/auditing/event-4948.md b/windows/security/threat-protection/auditing/event-4948.md
index 5f92a37c6a..6d0290f772 100644
--- a/windows/security/threat-protection/auditing/event-4948.md
+++ b/windows/security/threat-protection/auditing/event-4948.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4948(S): A change has been made to Windows Firewall exception list. A rule was deleted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4948 illustration
diff --git a/windows/security/threat-protection/auditing/event-4949.md b/windows/security/threat-protection/auditing/event-4949.md
index e304844bc8..50b400ce2d 100644
--- a/windows/security/threat-protection/auditing/event-4949.md
+++ b/windows/security/threat-protection/auditing/event-4949.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4949(S): Windows Firewall settings were restored to the default values.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4949 illustration
From 5560b9a18f1489911bafe6eee17ab150ce35ea7a Mon Sep 17 00:00:00 2001
From: Ashok Lobo Date: Wed, 8 Sep 2021 14:54:25 +0530 Subject: [PATCH 12/38] Updated as per 5358843-files226to250 --- windows/security/threat-protection/auditing/event-4950.md | 6 +----- windows/security/threat-protection/auditing/event-4951.md | 6 +----- windows/security/threat-protection/auditing/event-4952.md | 6 +----- windows/security/threat-protection/auditing/event-4953.md | 6 +----- windows/security/threat-protection/auditing/event-4954.md | 6 +----- windows/security/threat-protection/auditing/event-4956.md | 6 +----- windows/security/threat-protection/auditing/event-4957.md | 6 +----- windows/security/threat-protection/auditing/event-4958.md | 6 +----- windows/security/threat-protection/auditing/event-4964.md | 6 +----- windows/security/threat-protection/auditing/event-4985.md | 6 +----- windows/security/threat-protection/auditing/event-5024.md | 6 +----- windows/security/threat-protection/auditing/event-5025.md | 6 +----- windows/security/threat-protection/auditing/event-5027.md | 6 +----- windows/security/threat-protection/auditing/event-5028.md | 6 +----- windows/security/threat-protection/auditing/event-5029.md | 6 +----- windows/security/threat-protection/auditing/event-5030.md | 6 +----- windows/security/threat-protection/auditing/event-5031.md | 7 +------ windows/security/threat-protection/auditing/event-5032.md | 6 +----- windows/security/threat-protection/auditing/event-5033.md | 6 +----- windows/security/threat-protection/auditing/event-5034.md | 6 +----- windows/security/threat-protection/auditing/event-5035.md | 6 +----- windows/security/threat-protection/auditing/event-5037.md | 6 +----- windows/security/threat-protection/auditing/event-5038.md | 6 +----- windows/security/threat-protection/auditing/event-5039.md | 6 +----- windows/security/threat-protection/auditing/event-5051.md | 6 +----- 25 files changed, 25 insertions(+), 126 deletions(-) 
diff --git a/windows/security/threat-protection/auditing/event-4950.md b/windows/security/threat-protection/auditing/event-4950.md
index 54ead99c65..90fdd4b72d 100644
--- a/windows/security/threat-protection/auditing/event-4950.md
+++ b/windows/security/threat-protection/auditing/event-4950.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4950(S): A Windows Firewall setting has changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4950 illustration
diff --git a/windows/security/threat-protection/auditing/event-4951.md b/windows/security/threat-protection/auditing/event-4951.md
index 4a2c32b9e2..65357fc8cf 100644
--- a/windows/security/threat-protection/auditing/event-4951.md
+++ b/windows/security/threat-protection/auditing/event-4951.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4951(F): A rule has been ignored because its major version number was not recognized by Windows Firewall.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4951 illustration
diff --git a/windows/security/threat-protection/auditing/event-4952.md b/windows/security/threat-protection/auditing/event-4952.md
index 150a0ac97d..abd1012a90 100644
--- a/windows/security/threat-protection/auditing/event-4952.md
+++ b/windows/security/threat-protection/auditing/event-4952.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde # 4952(F): Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. -**Applies to** -- Windows 10 -- Windows Server 2016 - When you create or edit a Windows Firewall rule, the settings that you can include depend upon the version of Windows you use when creating the rule. As new settings are added to later versions of Windows or to service packs for existing versions of Windows, the version number of the rules processing engine is updated, and that version number is stamped into rules that are created by using that version of Windows. For example, Windows Vista produces firewall rules that are stamped with version "v2.0". Future versions of Windows might use "v2.1", or "v3.0" to indicate, respectively, minor or major changes and additions. diff --git a/windows/security/threat-protection/auditing/event-4953.md b/windows/security/threat-protection/auditing/event-4953.md index 38d9aa6a3d..d35205d2e8 100644 --- a/windows/security/threat-protection/auditing/event-4953.md +++ b/windows/security/threat-protection/auditing/event-4953.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4953(F): Windows Firewall ignored a rule because it could not be parsed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4953 illustration diff --git a/windows/security/threat-protection/auditing/event-4954.md b/windows/security/threat-protection/auditing/event-4954.md index 99bb6457e2..f671cef1ef 100644 --- a/windows/security/threat-protection/auditing/event-4954.md +++ b/windows/security/threat-protection/auditing/event-4954.md 
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4954(S): Windows Firewall Group Policy settings have changed. The new settings have been applied.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4954 illustration
diff --git a/windows/security/threat-protection/auditing/event-4956.md b/windows/security/threat-protection/auditing/event-4956.md
index 34d36fa5d0..c56a466f9f 100644
--- a/windows/security/threat-protection/auditing/event-4956.md
+++ b/windows/security/threat-protection/auditing/event-4956.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4956(S): Windows Firewall has changed the active profile.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4956 illustration
diff --git a/windows/security/threat-protection/auditing/event-4957.md b/windows/security/threat-protection/auditing/event-4957.md
index 8b822ee84c..a34de9e92f 100644
--- a/windows/security/threat-protection/auditing/event-4957.md
+++ b/windows/security/threat-protection/auditing/event-4957.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4957(F): Windows Firewall did not apply the following rule.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4957 illustration
diff --git a/windows/security/threat-protection/auditing/event-4958.md b/windows/security/threat-protection/auditing/event-4958.md
index 05922fd7a7..7bb37f579a 100644
--- a/windows/security/threat-protection/auditing/event-4958.md
+++ b/windows/security/threat-protection/auditing/event-4958.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4958(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. -**Applies to** -- Windows 10 -- Windows Server 2016 - Windows Firewall with Advanced Security processed a rule that contains parameters that cannot be resolved on the local computer. The rule is therefore not enforceable on the computer and so is excluded from the runtime state of the firewall. This is not necessarily an error. Examine the rule for applicability on the computers to which it was applied. diff --git a/windows/security/threat-protection/auditing/event-4964.md b/windows/security/threat-protection/auditing/event-4964.md index 0ee97ac194..b83f63788a 100644 --- a/windows/security/threat-protection/auditing/event-4964.md +++ b/windows/security/threat-protection/auditing/event-4964.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4964(S): Special groups have been assigned to a new logon. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4964 illustration diff --git a/windows/security/threat-protection/auditing/event-4985.md b/windows/security/threat-protection/auditing/event-4985.md index c57db1916e..ee97d237fc 100644 --- a/windows/security/threat-protection/auditing/event-4985.md +++ b/windows/security/threat-protection/auditing/event-4985.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp 
@@ -16,10 +16,6 @@ ms.technology: mde
 # 4985(S): The state of a transaction has changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 4985 illustration
diff --git a/windows/security/threat-protection/auditing/event-5024.md b/windows/security/threat-protection/auditing/event-5024.md
index b24cd95e31..6f42905b26 100644
--- a/windows/security/threat-protection/auditing/event-5024.md
+++ b/windows/security/threat-protection/auditing/event-5024.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5024(S): The Windows Firewall Service has started successfully.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5024 illustration
diff --git a/windows/security/threat-protection/auditing/event-5025.md b/windows/security/threat-protection/auditing/event-5025.md
index a9a3c5e14b..51c4600f15 100644
--- a/windows/security/threat-protection/auditing/event-5025.md
+++ b/windows/security/threat-protection/auditing/event-5025.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5025(S): The Windows Firewall Service has been stopped.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5025 illustration
diff --git a/windows/security/threat-protection/auditing/event-5027.md b/windows/security/threat-protection/auditing/event-5027.md
index 4ea2177c6b..85afaa1f92 100644
--- a/windows/security/threat-protection/auditing/event-5027.md
+++ b/windows/security/threat-protection/auditing/event-5027.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde # 5027(F): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5027 illustration diff --git a/windows/security/threat-protection/auditing/event-5028.md b/windows/security/threat-protection/auditing/event-5028.md index 9ab51ca985..8835c0a855 100644 --- a/windows/security/threat-protection/auditing/event-5028.md +++ b/windows/security/threat-protection/auditing/event-5028.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5028(F): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5028 illustration diff --git a/windows/security/threat-protection/auditing/event-5029.md b/windows/security/threat-protection/auditing/event-5029.md index 46d9b7b3e7..6e8bfab573 100644 --- a/windows/security/threat-protection/auditing/event-5029.md +++ b/windows/security/threat-protection/auditing/event-5029.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5029(F): The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. -**Applies to** -- Windows 10 -- Windows Server 2016 - Windows logs an error if either the Windows Firewall service or its driver fails to start, or if they unexpectedly terminate. The error message indicates the cause of the service failure by including an error code in the text of the message. 
diff --git a/windows/security/threat-protection/auditing/event-5030.md b/windows/security/threat-protection/auditing/event-5030.md index de68bc30db..175e125235 100644 --- a/windows/security/threat-protection/auditing/event-5030.md +++ b/windows/security/threat-protection/auditing/event-5030.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5030(F): The Windows Firewall Service failed to start. -**Applies to** -- Windows 10 -- Windows Server 2016 - Windows logs this event if the Windows Firewall service fails to start, or if it unexpectedly terminates. The error message indicates the cause of the service failure by including an error code in the text of the message. diff --git a/windows/security/threat-protection/auditing/event-5031.md b/windows/security/threat-protection/auditing/event-5031.md index df9881e050..8a10a69008 100644 --- a/windows/security/threat-protection/auditing/event-5031.md +++ b/windows/security/threat-protection/auditing/event-5031.md @@ -10,17 +10,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp +ms.date: 09/08/2021 ms.technology: mde --- # 5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network. -**Applies to** -- Windows 10 -- Windows Server 2016 -- Windows Server 2012 R2 -- Windows Server 2012 - Event 5031 illustration diff --git a/windows/security/threat-protection/auditing/event-5032.md b/windows/security/threat-protection/auditing/event-5032.md index a356c6ba72..235d9fd8d3 100644 --- a/windows/security/threat-protection/auditing/event-5032.md +++ b/windows/security/threat-protection/auditing/event-5032.md 
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5032(F): Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Windows Firewall with Advanced Security can be configured to notify the user when an application is blocked by the firewall, and ask if the application should continue to be blocked in the future.
diff --git a/windows/security/threat-protection/auditing/event-5033.md b/windows/security/threat-protection/auditing/event-5033.md
index 05552da629..e664ac846b 100644
--- a/windows/security/threat-protection/auditing/event-5033.md
+++ b/windows/security/threat-protection/auditing/event-5033.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5033(S): The Windows Firewall Driver has started successfully.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5033 illustration
diff --git a/windows/security/threat-protection/auditing/event-5034.md b/windows/security/threat-protection/auditing/event-5034.md
index 7cef4c54e0..e447aeb0e7 100644
--- a/windows/security/threat-protection/auditing/event-5034.md
+++ b/windows/security/threat-protection/auditing/event-5034.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5034(S): The Windows Firewall Driver was stopped.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5034 illustration
diff --git a/windows/security/threat-protection/auditing/event-5035.md b/windows/security/threat-protection/auditing/event-5035.md index 6b9d8a9488..0bc400131b 100644 --- a/windows/security/threat-protection/auditing/event-5035.md +++ b/windows/security/threat-protection/auditing/event-5035.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5035(F): The Windows Firewall Driver failed to start. -**Applies to** -- Windows 10 -- Windows Server 2016 - Windows logs this event if Windows Firewall driver fails to start, or if it unexpectedly terminates. The error message indicates the cause of the failure by including an error code in the text of the message. diff --git a/windows/security/threat-protection/auditing/event-5037.md b/windows/security/threat-protection/auditing/event-5037.md index a189ce3f21..c36c375902 100644 --- a/windows/security/threat-protection/auditing/event-5037.md +++ b/windows/security/threat-protection/auditing/event-5037.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5037(F): The Windows Firewall Driver detected critical runtime error. Terminating. -**Applies to** -- Windows 10 -- Windows Server 2016 - Windows logs this event if Windows Firewall driver fails to start, or if it unexpectedly terminates. The error message indicates the cause of the failure by including an error code in the text of the message. diff --git a/windows/security/threat-protection/auditing/event-5038.md b/windows/security/threat-protection/auditing/event-5038.md index 2dc28bef2e..996a74d7b5 100644 --- a/windows/security/threat-protection/auditing/event-5038.md 
+++ b/windows/security/threat-protection/auditing/event-5038.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5038(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
diff --git a/windows/security/threat-protection/auditing/event-5039.md b/windows/security/threat-protection/auditing/event-5039.md
index fda19e5f16..09baf51880 100644
--- a/windows/security/threat-protection/auditing/event-5039.md
+++ b/windows/security/threat-protection/auditing/event-5039.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5039(-): A registry key was virtualized.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event should be generated when registry key was virtualized using [LUAFV](https://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx).
diff --git a/windows/security/threat-protection/auditing/event-5051.md b/windows/security/threat-protection/auditing/event-5051.md
index 3ac07671d2..e9e1bea6c6 100644
--- a/windows/security/threat-protection/auditing/event-5051.md
+++ b/windows/security/threat-protection/auditing/event-5051.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5051(-): A file was virtualized.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event should be generated when file was virtualized using [LUAFV](https://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx).
From 200e433c34a8345da5c3c53ee322d5c2265ff368 Mon Sep 17 00:00:00 2001
From: Ashok Lobo
Date: Wed, 8 Sep 2021 15:53:31 +0530
Subject: [PATCH 13/38] Updated as per 5358843-files251to275
---
 windows/security/threat-protection/auditing/event-5056.md | 6 +-----
 windows/security/threat-protection/auditing/event-5057.md | 6 +-----
 windows/security/threat-protection/auditing/event-5058.md | 6 +-----
 windows/security/threat-protection/auditing/event-5059.md | 6 +-----
 windows/security/threat-protection/auditing/event-5060.md | 6 +-----
 windows/security/threat-protection/auditing/event-5061.md | 6 +-----
 windows/security/threat-protection/auditing/event-5062.md | 6 +-----
 windows/security/threat-protection/auditing/event-5063.md | 6 +-----
 windows/security/threat-protection/auditing/event-5064.md | 6 +-----
 windows/security/threat-protection/auditing/event-5065.md | 6 +-----
 windows/security/threat-protection/auditing/event-5066.md | 6 +-----
 windows/security/threat-protection/auditing/event-5067.md | 6 +-----
 windows/security/threat-protection/auditing/event-5068.md | 6 +-----
 windows/security/threat-protection/auditing/event-5069.md | 6 +-----
 windows/security/threat-protection/auditing/event-5070.md | 6 +-----
 windows/security/threat-protection/auditing/event-5136.md | 6 +-----
 windows/security/threat-protection/auditing/event-5137.md | 6 +-----
 windows/security/threat-protection/auditing/event-5138.md | 6 +-----
 windows/security/threat-protection/auditing/event-5139.md | 6 +-----
 windows/security/threat-protection/auditing/event-5140.md | 6 +-----
 windows/security/threat-protection/auditing/event-5141.md | 6 +-----
 windows/security/threat-protection/auditing/event-5142.md | 6 +-----
 windows/security/threat-protection/auditing/event-5143.md | 6 +-----
 windows/security/threat-protection/auditing/event-5144.md | 6 +-----
 windows/security/threat-protection/auditing/event-5145.md | 6 +-----
 25 files changed, 25 insertions(+), 125 deletions(-)
diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md
index a717d05e4a..96af867108 100644
--- a/windows/security/threat-protection/auditing/event-5056.md
+++ b/windows/security/threat-protection/auditing/event-5056.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5056(S): A cryptographic self-test was performed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event generates in CNG Self-Test function. This function is a Cryptographic Next Generation (CNG) function.
diff --git a/windows/security/threat-protection/auditing/event-5057.md b/windows/security/threat-protection/auditing/event-5057.md
index c83ca8bd2e..5d686b4510 100644
--- a/windows/security/threat-protection/auditing/event-5057.md
+++ b/windows/security/threat-protection/auditing/event-5057.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5057(F): A cryptographic primitive operation failed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event generates in case of CNG primitive operation failure.
diff --git a/windows/security/threat-protection/auditing/event-5058.md b/windows/security/threat-protection/auditing/event-5058.md
index b351ee93e6..319ffe99f0 100644
--- a/windows/security/threat-protection/auditing/event-5058.md
+++ b/windows/security/threat-protection/auditing/event-5058.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5058(S, F): Key file operation.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5058 illustration
diff --git a/windows/security/threat-protection/auditing/event-5059.md b/windows/security/threat-protection/auditing/event-5059.md
index 5881e672d5..ff33eba467 100644
--- a/windows/security/threat-protection/auditing/event-5059.md
+++ b/windows/security/threat-protection/auditing/event-5059.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5059(S, F): Key migration operation.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5059 illustration
diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md
index 11b9903d5d..23fa5c78d9 100644
--- a/windows/security/threat-protection/auditing/event-5060.md
+++ b/windows/security/threat-protection/auditing/event-5060.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5060(F): Verification operation failed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event generates when the Cryptographic Next Generation (CNG) verification operation fails.
diff --git a/windows/security/threat-protection/auditing/event-5061.md b/windows/security/threat-protection/auditing/event-5061.md
index 7612017713..919d66a79c 100644
--- a/windows/security/threat-protection/auditing/event-5061.md
+++ b/windows/security/threat-protection/auditing/event-5061.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5061(S, F): Cryptographic operation.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5061 illustration
diff --git a/windows/security/threat-protection/auditing/event-5062.md b/windows/security/threat-protection/auditing/event-5062.md
index e397844d41..242721afc4 100644
--- a/windows/security/threat-protection/auditing/event-5062.md
+++ b/windows/security/threat-protection/auditing/event-5062.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5062(S): A kernel-mode cryptographic self-test was performed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event occurs rarely, and in some situations may be difficult to reproduce.
diff --git a/windows/security/threat-protection/auditing/event-5063.md b/windows/security/threat-protection/auditing/event-5063.md
index e06e3118a6..020b7ebc4c 100644
--- a/windows/security/threat-protection/auditing/event-5063.md
+++ b/windows/security/threat-protection/auditing/event-5063.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5063(S, F): A cryptographic provider operation was attempted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event generates in BCryptUnregisterProvider() and BCryptRegisterProvider() functions. These are Cryptographic Next Generation (CNG) functions.
diff --git a/windows/security/threat-protection/auditing/event-5064.md b/windows/security/threat-protection/auditing/event-5064.md
index 077fadf9f7..2532a3b70b 100644
--- a/windows/security/threat-protection/auditing/event-5064.md
+++ b/windows/security/threat-protection/auditing/event-5064.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5064(S, F): A cryptographic context operation was attempted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event generates in [BCryptCreateContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptcreatecontext)() and [BCryptDeleteContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptdeletecontext)() functions. These are Cryptographic Next Generation (CNG) functions.
diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md
index 3a64e39e7f..0bbc9ae5c7 100644
--- a/windows/security/threat-protection/auditing/event-5065.md
+++ b/windows/security/threat-protection/auditing/event-5065.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5065(S, F): A cryptographic context modification was attempted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event generates in [BCryptConfigureContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontext)() function. This is a Cryptographic Next Generation (CNG) function.
diff --git a/windows/security/threat-protection/auditing/event-5066.md b/windows/security/threat-protection/auditing/event-5066.md
index 52fca7414b..eebc61873d 100644
--- a/windows/security/threat-protection/auditing/event-5066.md
+++ b/windows/security/threat-protection/auditing/event-5066.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5066(S, F): A cryptographic function operation was attempted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event generates in [BCryptAddContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptaddcontextfunction)() and [BCryptRemoveContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptremovecontextfunction)() functions. These are Cryptographic Next Generation (CNG) functions.
diff --git a/windows/security/threat-protection/auditing/event-5067.md b/windows/security/threat-protection/auditing/event-5067.md
index 245b241e69..a3ca03be65 100644
--- a/windows/security/threat-protection/auditing/event-5067.md
+++ b/windows/security/threat-protection/auditing/event-5067.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5067(S, F): A cryptographic function modification was attempted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event generates in [BCryptConfigureContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontextfunction)() function. This is a Cryptographic Next Generation (CNG) function.
diff --git a/windows/security/threat-protection/auditing/event-5068.md b/windows/security/threat-protection/auditing/event-5068.md
index 1cb02be991..645868eeca 100644
--- a/windows/security/threat-protection/auditing/event-5068.md
+++ b/windows/security/threat-protection/auditing/event-5068.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5068(S, F): A cryptographic function provider operation was attempted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event generates in BCryptAddContextFunctionProvider() and BCryptRemoveContextFunctionProvider() functions. These are Cryptographic Next Generation (CNG) functions.
diff --git a/windows/security/threat-protection/auditing/event-5069.md b/windows/security/threat-protection/auditing/event-5069.md
index 742188905d..50d95a9aff 100644
--- a/windows/security/threat-protection/auditing/event-5069.md
+++ b/windows/security/threat-protection/auditing/event-5069.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5069(S, F): A cryptographic function property operation was attempted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This is a Cryptographic Next Generation (CNG) function.
diff --git a/windows/security/threat-protection/auditing/event-5070.md b/windows/security/threat-protection/auditing/event-5070.md
index 9893a7116b..e279ab685d 100644
--- a/windows/security/threat-protection/auditing/event-5070.md
+++ b/windows/security/threat-protection/auditing/event-5070.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5070(S, F): A cryptographic function property modification was attempted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This is a Cryptographic Next Generation (CNG) function.
diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md
index 1b62c11bab..d83424aac5 100644
--- a/windows/security/threat-protection/auditing/event-5136.md
+++ b/windows/security/threat-protection/auditing/event-5136.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5136(S): A directory service object was modified.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5136 illustration
diff --git a/windows/security/threat-protection/auditing/event-5137.md b/windows/security/threat-protection/auditing/event-5137.md
index 0146958e61..65f8370ad0 100644
--- a/windows/security/threat-protection/auditing/event-5137.md
+++ b/windows/security/threat-protection/auditing/event-5137.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5137(S): A directory service object was created.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5137 illustration
diff --git a/windows/security/threat-protection/auditing/event-5138.md b/windows/security/threat-protection/auditing/event-5138.md
index 2553251b75..4fa35c7f07 100644
--- a/windows/security/threat-protection/auditing/event-5138.md
+++ b/windows/security/threat-protection/auditing/event-5138.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5138(S): A directory service object was undeleted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5138 illustration
diff --git a/windows/security/threat-protection/auditing/event-5139.md b/windows/security/threat-protection/auditing/event-5139.md
index c7f306eab0..43eacd93d9 100644
--- a/windows/security/threat-protection/auditing/event-5139.md
+++ b/windows/security/threat-protection/auditing/event-5139.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5139(S): A directory service object was moved.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5139 illustration
diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md
index 199e5a4cd7..eb389fe767 100644
--- a/windows/security/threat-protection/auditing/event-5140.md
+++ b/windows/security/threat-protection/auditing/event-5140.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5140(S, F): A network share object was accessed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5140 illustration
diff --git a/windows/security/threat-protection/auditing/event-5141.md b/windows/security/threat-protection/auditing/event-5141.md
index 7d85f444d4..8da8b7d590 100644
--- a/windows/security/threat-protection/auditing/event-5141.md
+++ b/windows/security/threat-protection/auditing/event-5141.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5141(S): A directory service object was deleted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5141 illustration
diff --git a/windows/security/threat-protection/auditing/event-5142.md b/windows/security/threat-protection/auditing/event-5142.md
index d29c26ddc4..b72ef6d776 100644
--- a/windows/security/threat-protection/auditing/event-5142.md
+++ b/windows/security/threat-protection/auditing/event-5142.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5142(S): A network share object was added.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5142 illustration
diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md
index bc8f827e03..d173059b23 100644
--- a/windows/security/threat-protection/auditing/event-5143.md
+++ b/windows/security/threat-protection/auditing/event-5143.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5143(S): A network share object was modified.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5143 illustration
diff --git a/windows/security/threat-protection/auditing/event-5144.md b/windows/security/threat-protection/auditing/event-5144.md
index 886dc70759..937bc39ce4 100644
--- a/windows/security/threat-protection/auditing/event-5144.md
+++ b/windows/security/threat-protection/auditing/event-5144.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5144(S): A network share object was deleted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5144 illustration
diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md
index 933ab84191..1bf796cf9f 100644
--- a/windows/security/threat-protection/auditing/event-5145.md
+++ b/windows/security/threat-protection/auditing/event-5145.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5145(S, F): A network share object was checked to see whether client can be granted desired access.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5145 illustration
From 961fa414d108e1e43a906ad646ec82a7c5038e91 Mon Sep 17 00:00:00 2001
From: Ashok Lobo
Date: Wed, 8 Sep 2021 17:40:48 +0530
Subject: [PATCH 14/38] Updated as per 5358843-files276to300
---
 windows/security/threat-protection/auditing/event-5148.md | 6 +-----
 windows/security/threat-protection/auditing/event-5149.md | 6 +-----
 windows/security/threat-protection/auditing/event-5150.md | 6 +-----
 windows/security/threat-protection/auditing/event-5151.md | 6 +-----
 windows/security/threat-protection/auditing/event-5152.md | 6 +-----
 windows/security/threat-protection/auditing/event-5153.md | 6 +-----
 windows/security/threat-protection/auditing/event-5154.md | 6 +-----
 windows/security/threat-protection/auditing/event-5155.md | 6 +-----
 windows/security/threat-protection/auditing/event-5156.md | 6 +-----
 windows/security/threat-protection/auditing/event-5157.md | 6 +-----
 windows/security/threat-protection/auditing/event-5158.md | 6 +-----
 windows/security/threat-protection/auditing/event-5159.md | 6 +-----
 windows/security/threat-protection/auditing/event-5168.md | 6 +-----
 windows/security/threat-protection/auditing/event-5376.md | 6 +-----
 windows/security/threat-protection/auditing/event-5377.md | 6 +-----
 windows/security/threat-protection/auditing/event-5378.md | 6 +-----
 windows/security/threat-protection/auditing/event-5447.md | 6 +-----
 windows/security/threat-protection/auditing/event-5632.md | 6 +-----
 windows/security/threat-protection/auditing/event-5633.md | 6 +-----
 windows/security/threat-protection/auditing/event-5712.md | 6 +-----
 windows/security/threat-protection/auditing/event-5888.md | 6 +-----
 windows/security/threat-protection/auditing/event-5889.md | 6 +-----
 windows/security/threat-protection/auditing/event-5890.md | 6 +-----
 windows/security/threat-protection/auditing/event-6144.md | 6 +-----
 windows/security/threat-protection/auditing/event-6145.md | 6 +-----
 25 files changed, 25 insertions(+), 125 deletions(-)
diff --git a/windows/security/threat-protection/auditing/event-5148.md b/windows/security/threat-protection/auditing/event-5148.md
index 23a31eb1a6..1946129b9b 100644
--- a/windows/security/threat-protection/auditing/event-5148.md
+++ b/windows/security/threat-protection/auditing/event-5148.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 05/29/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5148(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack starts or was detected.
diff --git a/windows/security/threat-protection/auditing/event-5149.md b/windows/security/threat-protection/auditing/event-5149.md
index 04f6c8747a..467c7145cc 100644
--- a/windows/security/threat-protection/auditing/event-5149.md
+++ b/windows/security/threat-protection/auditing/event-5149.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 05/29/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5149(F): The DoS attack has subsided and normal processing is being resumed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack ended.
diff --git a/windows/security/threat-protection/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md
index 7e8b6a5cc1..9d9c830f21 100644
--- a/windows/security/threat-protection/auditing/event-5150.md
+++ b/windows/security/threat-protection/auditing/event-5150.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5150(-): The Windows Filtering Platform blocked a packet.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event is logged if the Windows Filtering Platform [MAC filter](/windows-hardware/drivers/network/using-layer-2-filtering) blocked a packet.
diff --git a/windows/security/threat-protection/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md
index 611541553e..6601b86883 100644
--- a/windows/security/threat-protection/auditing/event-5151.md
+++ b/windows/security/threat-protection/auditing/event-5151.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5151(-): A more restrictive Windows Filtering Platform filter has blocked a packet.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event is logged if a more restrictive Windows Filtering Platform [MAC filter](/windows-hardware/drivers/network/using-layer-2-filtering) has blocked a packet.
diff --git a/windows/security/threat-protection/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md
index cb8da40be3..d4bcbf8042 100644
--- a/windows/security/threat-protection/auditing/event-5152.md
+++ b/windows/security/threat-protection/auditing/event-5152.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5152(F): The Windows Filtering Platform blocked a packet.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5152 illustration
diff --git a/windows/security/threat-protection/auditing/event-5153.md b/windows/security/threat-protection/auditing/event-5153.md
index ce3f53f60d..eee4621b4d 100644
--- a/windows/security/threat-protection/auditing/event-5153.md
+++ b/windows/security/threat-protection/auditing/event-5153.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event is logged if a more restrictive Windows Filtering Platform filter has blocked a packet.
diff --git a/windows/security/threat-protection/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md
index ea9c8ea638..6d0b939b64 100644
--- a/windows/security/threat-protection/auditing/event-5154.md
+++ b/windows/security/threat-protection/auditing/event-5154.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5154 illustration
diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md
index d00134db41..166520ef13 100644
--- a/windows/security/threat-protection/auditing/event-5155.md
+++ b/windows/security/threat-protection/auditing/event-5155.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 By default Windows firewall won't prevent a port from being listened by an application. In the other word, Windows system will not generate Event 5155 by itself.
diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md
index b7aa9709b2..d0af703c34 100644
--- a/windows/security/threat-protection/auditing/event-5156.md
+++ b/windows/security/threat-protection/auditing/event-5156.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5156(S): The Windows Filtering Platform has permitted a connection.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5156 illustration
diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md
index 73d84e9d53..c20c64f670 100644
--- a/windows/security/threat-protection/auditing/event-5157.md
+++ b/windows/security/threat-protection/auditing/event-5157.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5157(F): The Windows Filtering Platform has blocked a connection.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5157 illustration
diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md
index d863b08c36..f35938a490 100644
--- a/windows/security/threat-protection/auditing/event-5158.md
+++ b/windows/security/threat-protection/auditing/event-5158.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5158(S): The Windows Filtering Platform has permitted a bind to a local port.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5158 illustration
diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md
index fb896131ac..95ac21b41a 100644
--- a/windows/security/threat-protection/auditing/event-5159.md
+++ b/windows/security/threat-protection/auditing/event-5159.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5159(F): The Windows Filtering Platform has blocked a bind to a local port.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5159 illustration
diff --git a/windows/security/threat-protection/auditing/event-5168.md b/windows/security/threat-protection/auditing/event-5168.md
index bb9371baff..5d1e8bf0d8 100644
--- a/windows/security/threat-protection/auditing/event-5168.md
+++ b/windows/security/threat-protection/auditing/event-5168.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5168(F): SPN check for SMB/SMB2 failed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5168 illustration
diff --git a/windows/security/threat-protection/auditing/event-5376.md b/windows/security/threat-protection/auditing/event-5376.md
index 3cbb58cf29..1b77d59d7e 100644
--- a/windows/security/threat-protection/auditing/event-5376.md
+++ b/windows/security/threat-protection/auditing/event-5376.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5376(S): Credential Manager credentials were backed up.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5376 illustration
diff --git a/windows/security/threat-protection/auditing/event-5377.md b/windows/security/threat-protection/auditing/event-5377.md
index 3be670da7b..82af29b1d7 100644
--- a/windows/security/threat-protection/auditing/event-5377.md
+++ b/windows/security/threat-protection/auditing/event-5377.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5377(S): Credential Manager credentials were restored from a backup.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5377 illustration
diff --git a/windows/security/threat-protection/auditing/event-5378.md b/windows/security/threat-protection/auditing/event-5378.md
index 0025f40837..7880067fb3 100644
--- a/windows/security/threat-protection/auditing/event-5378.md
+++ b/windows/security/threat-protection/auditing/event-5378.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5378(F): The requested credentials delegation was disallowed by policy.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5378 illustration
diff --git a/windows/security/threat-protection/auditing/event-5447.md b/windows/security/threat-protection/auditing/event-5447.md
index 2b5c265e83..c7e89a3513 100644
--- a/windows/security/threat-protection/auditing/event-5447.md
+++ b/windows/security/threat-protection/auditing/event-5447.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5447(S): A Windows Filtering Platform filter has been changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5447 illustration
diff --git a/windows/security/threat-protection/auditing/event-5632.md b/windows/security/threat-protection/auditing/event-5632.md
index ad0e108238..fd3345a565 100644
--- a/windows/security/threat-protection/auditing/event-5632.md
+++ b/windows/security/threat-protection/auditing/event-5632.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5632(S, F): A request was made to authenticate to a wireless network.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5632 illustration
diff --git a/windows/security/threat-protection/auditing/event-5633.md b/windows/security/threat-protection/auditing/event-5633.md
index ba78854b75..d72afb75da 100644
--- a/windows/security/threat-protection/auditing/event-5633.md
+++ b/windows/security/threat-protection/auditing/event-5633.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5633(S, F): A request was made to authenticate to a wired network.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5633 illustration
diff --git a/windows/security/threat-protection/auditing/event-5712.md b/windows/security/threat-protection/auditing/event-5712.md
index 5bb81e6f09..48363c3beb 100644
--- a/windows/security/threat-protection/auditing/event-5712.md
+++ b/windows/security/threat-protection/auditing/event-5712.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5712(S): A Remote Procedure Call (RPC) was attempted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 It appears that this event never occurs.
diff --git a/windows/security/threat-protection/auditing/event-5888.md b/windows/security/threat-protection/auditing/event-5888.md
index 8d2ea38fcb..4a22ab0013 100644
--- a/windows/security/threat-protection/auditing/event-5888.md
+++ b/windows/security/threat-protection/auditing/event-5888.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5888(S): An object in the COM+ Catalog was modified.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5888 illustration
diff --git a/windows/security/threat-protection/auditing/event-5889.md b/windows/security/threat-protection/auditing/event-5889.md
index e3d65ee453..d0d9842512 100644
--- a/windows/security/threat-protection/auditing/event-5889.md
+++ b/windows/security/threat-protection/auditing/event-5889.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5889(S): An object was deleted from the COM+ Catalog.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5889 illustration
diff --git a/windows/security/threat-protection/auditing/event-5890.md b/windows/security/threat-protection/auditing/event-5890.md
index 9b7a9f515c..f7bf90b524 100644
--- a/windows/security/threat-protection/auditing/event-5890.md
+++ b/windows/security/threat-protection/auditing/event-5890.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 5890(S): An object was added to the COM+ Catalog.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 5890 illustration
diff --git a/windows/security/threat-protection/auditing/event-6144.md b/windows/security/threat-protection/auditing/event-6144.md
index 7565e8f794..0ed126dc60 100644
--- a/windows/security/threat-protection/auditing/event-6144.md
+++ b/windows/security/threat-protection/auditing/event-6144.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 6144(S): Security policy in the group policy objects has been applied successfully.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 6144 illustration
diff --git a/windows/security/threat-protection/auditing/event-6145.md b/windows/security/threat-protection/auditing/event-6145.md
index b70a0844a2..ff67ad627d 100644
--- a/windows/security/threat-protection/auditing/event-6145.md
+++ b/windows/security/threat-protection/auditing/event-6145.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 6145(F): One or more errors occurred while processing security policy in the group policy objects.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 6145 illustration
From aba3cec174bc60c9da8efef4e5242479b755878c Mon Sep 17 00:00:00 2001
From: Ashok Lobo
Date: Thu, 9 Sep 2021 11:40:01 +0530
Subject: [PATCH 15/38] Updated as per 5358843-files301to325
---
 windows/security/threat-protection/auditing/event-6281.md | 6 +-----
 windows/security/threat-protection/auditing/event-6400.md | 6 +-----
 windows/security/threat-protection/auditing/event-6401.md | 6 +-----
 windows/security/threat-protection/auditing/event-6402.md | 6 +-----
 windows/security/threat-protection/auditing/event-6403.md | 6 +-----
 windows/security/threat-protection/auditing/event-6404.md | 6 +-----
 windows/security/threat-protection/auditing/event-6405.md | 6 +-----
 windows/security/threat-protection/auditing/event-6406.md | 6 +-----
 windows/security/threat-protection/auditing/event-6407.md | 6 +-----
 windows/security/threat-protection/auditing/event-6408.md | 6 +-----
 windows/security/threat-protection/auditing/event-6409.md | 6 +-----
 windows/security/threat-protection/auditing/event-6410.md | 6 +-----
 windows/security/threat-protection/auditing/event-6416.md | 6 +-----
 windows/security/threat-protection/auditing/event-6419.md | 6 +-----
 windows/security/threat-protection/auditing/event-6420.md | 6 +-----
 windows/security/threat-protection/auditing/event-6421.md | 6 +-----
 windows/security/threat-protection/auditing/event-6422.md | 6 +-----
 windows/security/threat-protection/auditing/event-6423.md | 6 +-----
 windows/security/threat-protection/auditing/event-6424.md | 6 +-----
 .../auditing/file-system-global-object-access-auditing.md | 4 +---
 .../auditing/how-to-list-xml-elements-in-eventdata.md | 4 +---
 .../monitor-central-access-policy-and-rule-definitions.md | 4 +---
 .../threat-protection/auditing/monitor-claim-types.md | 4 +---
 .../auditing/monitor-resource-attribute-definitions.md | 4 +---
 ...ral-access-policies-associated-with-files-and-folders.md | 4 +---
 25 files changed, 25 insertions(+), 113 deletions(-)
diff --git a/windows/security/threat-protection/auditing/event-6281.md b/windows/security/threat-protection/auditing/event-6281.md
index e6ec5bea59..28b9c2e509 100644
--- a/windows/security/threat-protection/auditing/event-6281.md
+++ b/windows/security/threat-protection/auditing/event-6281.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 6281(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md
index 511aeb3ae9..214d0c5b93 100644
--- a/windows/security/threat-protection/auditing/event-6400.md
+++ b/windows/security/threat-protection/auditing/event-6400.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 6400(-): BranchCache: Received an incorrectly formatted response while discovering availability of content.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md
index 829c3215c9..7ae7c5a3ab 100644
--- a/windows/security/threat-protection/auditing/event-6401.md
+++ b/windows/security/threat-protection/auditing/event-6401.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 6401(-): BranchCache: Received invalid data from a peer. Data discarded.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md
index 2aee0f9232..ca0ea21dbe 100644
--- a/windows/security/threat-protection/auditing/event-6402.md
+++ b/windows/security/threat-protection/auditing/event-6402.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 6402(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md
index ec9028c852..dfa11c62ac 100644
--- a/windows/security/threat-protection/auditing/event-6403.md
+++ b/windows/security/threat-protection/auditing/event-6403.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 6403(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md
index eaa912b6e3..fb4bccd26f 100644
--- a/windows/security/threat-protection/auditing/event-6404.md
+++ b/windows/security/threat-protection/auditing/event-6404.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 6404(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
diff --git a/windows/security/threat-protection/auditing/event-6405.md b/windows/security/threat-protection/auditing/event-6405.md
index fc188cce3b..557c8ebabe 100644
--- a/windows/security/threat-protection/auditing/event-6405.md
+++ b/windows/security/threat-protection/auditing/event-6405.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 6405(-): BranchCache: %2 instance(s) of event id %1 occurred.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
diff --git a/windows/security/threat-protection/auditing/event-6406.md b/windows/security/threat-protection/auditing/event-6406.md
index 689085b2fd..dbaeb0e873 100644
--- a/windows/security/threat-protection/auditing/event-6406.md
+++ b/windows/security/threat-protection/auditing/event-6406.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 6406(-): %1 registered to Windows Firewall to control filtering for the following: %2.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
diff --git a/windows/security/threat-protection/auditing/event-6407.md b/windows/security/threat-protection/auditing/event-6407.md
index 3273efaba1..28612dacba 100644
--- a/windows/security/threat-protection/auditing/event-6407.md
+++ b/windows/security/threat-protection/auditing/event-6407.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 6407(-): 1%.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
diff --git a/windows/security/threat-protection/auditing/event-6408.md b/windows/security/threat-protection/auditing/event-6408.md
index 7b29a0468c..c36f520a60 100644
--- a/windows/security/threat-protection/auditing/event-6408.md
+++ b/windows/security/threat-protection/auditing/event-6408.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 6408(-): Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
diff --git a/windows/security/threat-protection/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md
index 6855ea810d..1ac08c75f1 100644
--- a/windows/security/threat-protection/auditing/event-6409.md
+++ b/windows/security/threat-protection/auditing/event-6409.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 6409(-): BranchCache: A service connection point object could not be parsed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
diff --git a/windows/security/threat-protection/auditing/event-6410.md b/windows/security/threat-protection/auditing/event-6410.md
index a306a98882..a9f5e5111f 100644
--- a/windows/security/threat-protection/auditing/event-6410.md
+++ b/windows/security/threat-protection/auditing/event-6410.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 6410(F): Code integrity determined that a file does not meet the security requirements to load into a process.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
diff --git a/windows/security/threat-protection/auditing/event-6416.md b/windows/security/threat-protection/auditing/event-6416.md
index 4b85673aa7..337a5395be 100644
--- a/windows/security/threat-protection/auditing/event-6416.md
+++ b/windows/security/threat-protection/auditing/event-6416.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 6416(S): A new external device was recognized by the System.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 6416 illustration
diff --git a/windows/security/threat-protection/auditing/event-6419.md b/windows/security/threat-protection/auditing/event-6419.md
index 90c145ff77..69a6f30def 100644
--- a/windows/security/threat-protection/auditing/event-6419.md
+++ b/windows/security/threat-protection/auditing/event-6419.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 6419(S): A request was made to disable a device.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 6419 illustration
diff --git a/windows/security/threat-protection/auditing/event-6420.md b/windows/security/threat-protection/auditing/event-6420.md
index 51570d3ab3..3a2dc5c9d9 100644
--- a/windows/security/threat-protection/auditing/event-6420.md
+++ b/windows/security/threat-protection/auditing/event-6420.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 6420(S): A device was disabled.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 6420 illustration
diff --git a/windows/security/threat-protection/auditing/event-6421.md b/windows/security/threat-protection/auditing/event-6421.md
index ef4e0b856f..8ac5372312 100644
--- a/windows/security/threat-protection/auditing/event-6421.md
+++ b/windows/security/threat-protection/auditing/event-6421.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 6421(S): A request was made to enable a device.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 6421 illustration
diff --git a/windows/security/threat-protection/auditing/event-6422.md b/windows/security/threat-protection/auditing/event-6422.md
index 2b2f45d1b8..7e577f25c3 100644
--- a/windows/security/threat-protection/auditing/event-6422.md
+++ b/windows/security/threat-protection/auditing/event-6422.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 6422(S): A device was enabled.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 6422 illustration
diff --git a/windows/security/threat-protection/auditing/event-6423.md b/windows/security/threat-protection/auditing/event-6423.md
index 3332a01011..5f8278b20e 100644
--- a/windows/security/threat-protection/auditing/event-6423.md
+++ b/windows/security/threat-protection/auditing/event-6423.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 6423(S): The installation of this device is forbidden by system policy.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Event 6423 illustration
diff --git a/windows/security/threat-protection/auditing/event-6424.md b/windows/security/threat-protection/auditing/event-6424.md
index 8ca1ce36d6..ba3fcbffe7 100644
--- a/windows/security/threat-protection/auditing/event-6424.md
+++ b/windows/security/threat-protection/auditing/event-6424.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # 6424(S): The installation of this device was allowed, after having previously been forbidden by policy.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 This event occurs rarely, and in some situations may be difficult to reproduce.
diff --git a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
index 1093140e38..9c7941df2b 100644
--- a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
+++ b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
@@ -14,14 +14,12 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.technology: mde
 ---
 # File System (Global Object Access Auditing)
-**Applies to**
-- Windows 10
 This topic for the IT professional describes the Advanced Security Audit policy setting, **File System (Global Object Access Auditing)**, which enables you to configure a global system access control list (SACL) on the file system for an entire computer.
diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
index 1efc819647..cc3bf79488 100644
--- a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
+++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
-ms.date: 10/22/2018
+ms.date: 09/09/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,8 +16,6 @@ ms.technology: mde
 # How to get a list of XML data name elements in EventData
-**Applies to**
-- Windows 10
 The Security log uses a manifest where you can get all of the event schema.
diff --git a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
index 3c07a1dae0..c446bdec67 100644
--- a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
+++ b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
@@ -14,14 +14,12 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.technology: mde
 ---
 # Monitor central access policy and rule definitions
-**Applies to**
-- Windows 10
 This article for IT professionals describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects.
diff --git a/windows/security/threat-protection/auditing/monitor-claim-types.md b/windows/security/threat-protection/auditing/monitor-claim-types.md
index baf7d9e8a7..b9e1ea714f 100644
--- a/windows/security/threat-protection/auditing/monitor-claim-types.md
+++ b/windows/security/threat-protection/auditing/monitor-claim-types.md
@@ -14,14 +14,12 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.technology: mde
 ---
 # Monitor claim types
-**Applies to**
-- Windows 10
 This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options.
diff --git a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md
index ed4d03037f..791549bb4f 100644
--- a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md
+++ b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md
@@ -14,14 +14,12 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.technology: mde
 ---
 # Monitor resource attribute definitions
-**Applies to**
-- Windows 10
 This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects. Resource attribute definitions define the basic properties of resource attributes, such as what it means for a resource to be defined as “high business value.” Resource attribute definitions are stored in AD DS under the Resource Properties container. Changes to these definitions could significantly change the protections that govern a resource, even if the resource attributes that apply to the resource remain unchanged. Changes can be monitored like any other AD DS object.
diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
index f034f7c0fc..ece759aeb6 100644
--- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
+++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
@@ -14,14 +14,12 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.technology: mde
 ---
 # Monitor the central access policies associated with files and folders
-**Applies to**
-- Windows 10
 This article for IT professionals describes how to monitor changes to the central access policies that are associated with files and folders when you're using advanced security auditing options to monitor dynamic access control objects.
From 64a004b6725c82409b78a0e0d29a13143e745550 Mon Sep 17 00:00:00 2001
From: Ashok Lobo
Date: Thu, 9 Sep 2021 12:12:20 +0530
Subject: [PATCH 16/38] Updated as per 5358843-files326to336
---
 ...e-central-access-policies-that-apply-on-a-file-server.md | 4 +---
 .../monitor-the-resource-attributes-on-files-and-folders.md | 4 +---
 .../monitor-the-use-of-removable-storage-devices.md | 4 +---
 .../monitor-user-and-device-claims-during-sign-in.md | 4 +---
 windows/security/threat-protection/auditing/other-events.md | 6 +-----
 ...anning-and-deploying-advanced-security-audit-policies.md | 4 +---
 .../auditing/registry-global-object-access-auditing.md | 4 +---
 .../auditing/security-auditing-overview.md | 4 +---
 ...ing-options-to-monitor-dynamic-access-control-objects.md | 4 +---
 .../auditing/view-the-security-event-log.md | 4 +---
 ...f-windows-support-advanced-audit-policy-configuration.md | 4 +---
 11 files changed, 11 insertions(+), 35 deletions(-)
diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
index 12dedf0d60..2d50a5c7db 100644
--- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
+++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
@@ -14,14 +14,12 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.technology: mde
 ---
 # Monitor the central access policies that apply on a file server
-**Applies to**
-- Windows 10
 This article describes how to monitor changes to the central access policies (CAPs) that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. CAPs are created on a domain controller and then applied to file servers through Group Policy management.
diff --git a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md
index f1676a1640..f223b3433d 100644
--- a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md
+++ b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md
@@ -14,14 +14,12 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.technology: mde
 ---
 # Monitor the resource attributes on files and folders
-**Applies to**
-- Windows 10
 This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects.
diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
index 04ac1c7929..af897bbd62 100644
--- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
+++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
@@ -14,14 +14,12 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date:
+ms.date: 09/09/2021
 ms.technology: mde
 ---
 # Monitor the use of removable storage devices
-**Applies to**
-- Windows 10
 This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects.
diff --git a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
index edaf8e590f..7f950dd7b1 100644
--- a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
+++ b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
@@ -14,14 +14,12 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.technology: mde
 ---
 # Monitor user and device claims during sign-in
-**Applies to**
-- Windows 10
 This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects.
diff --git a/windows/security/threat-protection/auditing/other-events.md b/windows/security/threat-protection/auditing/other-events.md
index e74cf80553..a54f6a6f1c 100644
--- a/windows/security/threat-protection/auditing/other-events.md
+++ b/windows/security/threat-protection/auditing/other-events.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: medium
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
 # Other Events
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
 Events in this section generate automatically and are enabled by default.
diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
index 068c8792d4..d47efbedbf 100644
--- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
+++ b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
@@ -14,14 +14,12 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.technology: mde
 ---
 # Plan and deploy advanced security audit policies
-**Applies to**
-- Windows 10
 This article for IT professionals explains the options that security policy planners should consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies.
diff --git a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md
index 3c5c1ece1e..a01a3a3514 100644
--- a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md
+++ b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md
@@ -14,14 +14,12 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.technology: mde
 ---
 # Registry (Global Object Access Auditing)
-**Applies to**
-- Windows 10
 This topic for the IT professional describes the Advanced Security Audit policy setting, **Registry (Global Object Access Auditing)**, which enables you to configure a global system access control list (SACL) on the registry of a computer.
diff --git a/windows/security/threat-protection/auditing/security-auditing-overview.md b/windows/security/threat-protection/auditing/security-auditing-overview.md
index ec89d5ef53..fb1184eed7 100644
--- a/windows/security/threat-protection/auditing/security-auditing-overview.md
+++ b/windows/security/threat-protection/auditing/security-auditing-overview.md
@@ -14,14 +14,12 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.technology: mde
 ---
 # Security auditing
-**Applies to**
-- Windows 10
 Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network.
diff --git a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
index 6e90c989e0..dd8bb6516d 100644
--- a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
+++ b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
@@ -14,14 +14,12 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.technology: mde
 ---
 # Using advanced security auditing options to monitor dynamic access control objects
-**Applies to**
-- Windows 10
 This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.
diff --git a/windows/security/threat-protection/auditing/view-the-security-event-log.md b/windows/security/threat-protection/auditing/view-the-security-event-log.md
index 84a296e182..5b89a3802e 100644
--- a/windows/security/threat-protection/auditing/view-the-security-event-log.md
+++ b/windows/security/threat-protection/auditing/view-the-security-event-log.md
@@ -14,14 +14,12 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.technology: mde
 ---
 # View the security event log
-**Applies to**
-- Windows 10
 The security log records each event as defined by the audit policies you set on each object.
diff --git a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
index 4b20841dd8..8e1db3e1b0 100644
--- a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
+++ b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
@@ -14,14 +14,12 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
 ms.technology: mde
 ---
 # Which editions of Windows support advanced audit policy configuration
-**Applies to**
-- Windows 10
 Advanced audit policy configuration is supported on all versions of Windows since it was introduced in Windows Vista. There is no difference in security auditing support between 32-bit and 64-bit versions.
From 6a4dabdafe3f88d9fb3b108aca7c08ecc57debd6 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi
Date: Wed, 15 Sep 2021 11:54:17 +0530
Subject: [PATCH 17/38] Updated Policy-CSP-Experience with Feeds Policy Updated policy settings in Experience with Feeds
---
 .../mdm/policy-csp-experience.md | 550 +++++++++++------
 1 file changed, 341 insertions(+), 209 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index ff50ae9cb0..697cc4af50 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -37,9 +37,6 @@ manager: dansimp
Experience/AllowManualMDMUnenrollment
-
- Experience/AllowNewsAndInterestsOnTheTaskbar -
Experience/AllowSaveAsOfOfficeFiles
@@ -88,6 +85,9 @@ manager: dansimp
Experience/DoNotSyncBrowserSettings
+
+ Experience/Feeds +
Experience/PreventUsersFromTurningOnBrowserSyncing
@@ -105,28 +105,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
@@ -184,28 +190,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -252,28 +264,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -314,28 +332,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscross markNoNo
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
@@ -384,28 +408,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -442,65 +472,6 @@ The following list shows the supported values:
- - -**Experience/AllowNewsAndInterestsOnTheTaskbar** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
- - - -Specifies whether to allow "News and interests" on the Taskbar. - - - -The values for this policy are 1 and 0. This policy defaults to 1. - -- 1 - Default - News and interests feature will be allowed on the taskbar. The settings UI will be present in Taskbar context menu, and users will be able to turn off or switch mode. - -- 0 - News and interests feature will be turned off completely, and the settings UI in Taskbar context menu will be removed. - - - - -
Experience/AllowSaveAsOfOfficeFiles @@ -531,28 +502,34 @@ This policy is deprecated. - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -589,28 +566,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscross markNoNo
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
@@ -665,28 +648,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark1YesYes
Businesscheck mark1YesYes
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
@@ -735,28 +724,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -808,28 +803,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
@@ -880,28 +881,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
@@ -951,28 +958,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -1021,28 +1034,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
@@ -1093,28 +1112,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1159,28 +1184,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1217,28 +1248,34 @@ The values for this policy are 0, 1, 2, and 3. This policy defaults to 0 if not - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
@@ -1286,28 +1323,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark9YesYes
Procheck mark9YesYes
Businesscheck mark9YesYes
Enterprisecheck mark9YesYes
Educationcheck mark9YesYes
@@ -1356,28 +1399,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark1YesYes
Businesscheck mark1YesYes
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
@@ -1426,28 +1475,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
@@ -1514,34 +1569,105 @@ _**Turn syncing off by default but don’t disable**_
+ +**Experience/Feeds** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Specifies whether "Feeds" is enabled on the taskbar. + + + +The values for this policy are 1 and 0. This policy defaults to 1. + +- 1 - Default - "Feeds" feature will be allowed on the taskbar. The settings UI will be present in Taskbar context menu, and users will be able to turn off or switch mode. + +- 0 - "Feeds" feature will be turned off completely, and the settings UI in Taskbar context menu will be removed. + + + + +
+ **Experience/PreventUsersFromTurningOnBrowserSyncing** - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
@@ -1615,28 +1741,34 @@ Validation procedure: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
From f58bdbb941fec3bd6d7cd9afc278f9d2d54246a6 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Thu, 16 Sep 2021 15:15:39 +0530 Subject: [PATCH 18/38] Up --- ...in-policy-csp-supported-by-group-policy.md | 1 + .../policy-configuration-service-provider.md | 8 ++ .../mdm/policy-csp-experience.md | 70 -------------- .../client-management/mdm/policy-csp-feeds.md | 94 +++++++++++++++++++ 4 files changed, 103 insertions(+), 70 deletions(-) create mode 100644 windows/client-management/mdm/policy-csp-feeds.md diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index d7d340e2b5..eee115e673 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -262,6 +262,7 @@ ms.date: 07/18/2019 - [Experience/PreventUsersFromTurningOnBrowserSyncing](./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing) - [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile) - [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings) +- [Feeds/FeedsEnabled](./policy-csp-feeds-feedsenabled.md#feeds-feedsenabled) - [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer) - [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption) - [Handwriting/PanelDefaultModeDocked](./policy-csp-handwriting.md#handwriting-paneldefaultmodedocked) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 6922bada43..d55c3144ba 100644 
--- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -6025,6 +6025,14 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC +### Feeds policies + +
+
+ Feeds/FeedsEnabled +
+
+ ### FileExplorer policies
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 697cc4af50..27eaa323af 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -85,9 +85,6 @@ manager: dansimp
Experience/DoNotSyncBrowserSettings
-
- Experience/Feeds -
Experience/PreventUsersFromTurningOnBrowserSyncing
@@ -1567,73 +1564,6 @@ _**Turn syncing off by default but don’t disable**_ -
- - -**Experience/Feeds** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Specifies whether "Feeds" is enabled on the taskbar. - - - -The values for this policy are 1 and 0. This policy defaults to 1. - -- 1 - Default - "Feeds" feature will be allowed on the taskbar. The settings UI will be present in Taskbar context menu, and users will be able to turn off or switch mode. - -- 0 - "Feeds" feature will be turned off completely, and the settings UI in Taskbar context menu will be removed. - - - - -
- **Experience/PreventUsersFromTurningOnBrowserSyncing** diff --git a/windows/client-management/mdm/policy-csp-feeds.md b/windows/client-management/mdm/policy-csp-feeds.md new file mode 100644 index 0000000000..e0fca8ab18 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-feeds.md @@ -0,0 +1,94 @@ +--- +title: Policy CSP - Feeds +description: Define the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.localizationpriority: medium +ms.date: 09/27/2019 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - Feeds + + +
+ + +## Feeds policies + +
+
+ Feeds/FeedsEnabled +
+
+ + +
+ + +**Feeds/FeedsEnabled** + +< + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +Specifies whether "Feeds" is enabled on the taskbar. + +The values for this policy are 1 and 0. This policy defaults to 1. + +1 - Default - "Feeds" feature will be allowed on the taskbar. The settings UI will be present in Taskbar context menu, and users will be able to turn off or switch mode. + +0 - "Feeds" feature will be turned off completely, and the settings UI in Taskbar context menu will be removed. + + + + + From a34f21eac242530f27f1b80afc05b3f33409c00a Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Thu, 16 Sep 2021 15:23:03 +0530 Subject: [PATCH 19/38] Update toc.yml --- windows/client-management/mdm/toc.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 04c1850c2f..354021ef05 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -705,6 +705,8 @@ items: href: policy-csp-experience.md - name: ExploitGuard href: policy-csp-exploitguard.md + - name: Feeds + href: policy-csp-feeds.md - name: FileExplorer href: policy-csp-fileexplorer.md - name: Games From 18f536a2b00f8110d147ca856089731b0adaabf5 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Thu, 16 Sep 2021 17:19:56 +0530 Subject: [PATCH 20/38] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 1 + ...in-policy-csp-supported-by-group-policy.md | 1 - .../policy-configuration-service-provider.md | 15 ++- .../mdm/policy-csp-admx-feeds.md | 111 ++++++++++++++++++ .../client-management/mdm/policy-csp-feeds.md | 94 --------------- 5 files changed, 119 insertions(+), 103 deletions(-) create mode 100644 windows/client-management/mdm/policy-csp-admx-feeds.md delete mode 100644 windows/client-management/mdm/policy-csp-feeds.md 
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
index 586e5edcc6..282b9ad9c4 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@@ -280,6 +280,7 @@ ms.date: 10/08/2020
 - [ADMX_ExternalBoot/PortableOperatingSystem_Hibernate](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_hibernate)
 - [ADMX_ExternalBoot/PortableOperatingSystem_Sleep](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_sleep)
 - [ADMX_ExternalBoot/PortableOperatingSystem_Launcher](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_launcher)
+- [ADMX_Feeds/FeedsEnabled](./policy-csp-admx-feeds.md#admx-feeds-feedsEnabled)
 - [ADMX_FileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy)
 - [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol)
 - [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
index eee115e673..d7d340e2b5 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
@@ -262,7 +262,6 @@ ms.date: 07/18/2019
 - [Experience/PreventUsersFromTurningOnBrowserSyncing](./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing)
 - [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile)
 - [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings)
-- [Feeds/FeedsEnabled](./policy-csp-feeds-feedsenabled.md#feeds-feedsenabled)
 - [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer)
 - [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption)
 - [Handwriting/PanelDefaultModeDocked](./policy-csp-handwriting.md#handwriting-paneldefaultmodedocked)
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index d55c3144ba..fa753bd3f4 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -1144,6 +1144,13 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_Feeds policies +
+
+ ADMX_Feeds/FeedsEnabled +
+
+ ### ADMX_FileRecovery policies
@@ -6025,14 +6032,6 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
-### Feeds policies - -
-
- Feeds/FeedsEnabled -
-
- ### FileExplorer policies
diff --git a/windows/client-management/mdm/policy-csp-admx-feeds.md b/windows/client-management/mdm/policy-csp-admx-feeds.md new file mode 100644 index 0000000000..b96c8f3500 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-feeds.md @@ -0,0 +1,111 @@ +--- +title: Policy CSP - ADMX_Feeds +description: Policy CSP - ADMX_Feeds +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/16/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Feeds +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +
+
+ ADMX_Feeds/FeedsEnabled +
+
+ + +
+ + +**ADMX_Feeds/FeedsEnabled** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Machine
+
+
+
+
+This policy setting specifies whether news and interests is allowed on the device.
+
+The values for this policy are 1 and 0. This policy defaults to 1.
+
+- 1 - Default - News and interests feature will be allowed on the taskbar. The settings UI will be present in Taskbar context menu, and users will be able to turn off or switch mode.
+
+- 0 - News and interests feature will be turned off completely, and the settings UI in Taskbar context menu will be removed.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP Friendly name: *Enable news and interests on the taskbar.*
+- GP name: *FeedsEnabled*
+- GP path: *Windows Components\News and interests*
+- GP ADMX file name: *Feeds.admx*
+
+
+
+
+ +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. + + + diff --git a/windows/client-management/mdm/policy-csp-feeds.md b/windows/client-management/mdm/policy-csp-feeds.md deleted file mode 100644 index e0fca8ab18..0000000000 --- a/windows/client-management/mdm/policy-csp-feeds.md +++ /dev/null @@ -1,94 +0,0 @@ ---- -title: Policy CSP - Feeds -description: Define the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: dansimp ---- - -# Policy CSP - Feeds - - -
- - -## Feeds policies - -
-
- Feeds/FeedsEnabled -
-
- - -
- - -**Feeds/FeedsEnabled** - -< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - - -Specifies whether "Feeds" is enabled on the taskbar. - -The values for this policy are 1 and 0. This policy defaults to 1. - -1 - Default - "Feeds" feature will be allowed on the taskbar. The settings UI will be present in Taskbar context menu, and users will be able to turn off or switch mode. - -0 - "Feeds" feature will be turned off completely, and the settings UI in Taskbar context menu will be removed. - - - - - From 3fe3d1ca56695eeb1683d1748a47d0140366939b Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Thu, 16 Sep 2021 17:25:30 +0530 Subject: [PATCH 21/38] Update toc.yml --- windows/client-management/mdm/toc.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 354021ef05..753d778986 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -480,7 +480,9 @@ items: - name: ADMX_Explorer href: policy-csp-admx-explorer.md - name: ADMX_ExternalBoot - href: policy-csp-admx-externalboot.md + href: policy-csp-admx-externalboot.md + - name: Feeds + href: policy-csp-admx-feeds.md - name: ADMX_FileRecovery href: policy-csp-admx-filerecovery.md - name: ADMX_FileRevocation @@ -705,8 +707,6 @@ items: href: policy-csp-experience.md - name: ExploitGuard href: policy-csp-exploitguard.md - - name: Feeds - href: policy-csp-feeds.md - name: FileExplorer href: policy-csp-fileexplorer.md - name: Games From b6c6c91d1cc874cc45abb3ebf8723cc6b29dd6fb Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Thu, 16 Sep 2021 17:30:43 +0530 Subject: [PATCH 22/38] Update policies-in-policy-csp-admx-backed.md --- .../client-management/mdm/policies-in-policy-csp-admx-backed.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
index 282b9ad9c4..e215f891b8 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@@ -280,7 +280,7 @@ ms.date: 10/08/2020
 - [ADMX_ExternalBoot/PortableOperatingSystem_Hibernate](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_hibernate)
 - [ADMX_ExternalBoot/PortableOperatingSystem_Sleep](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_sleep)
 - [ADMX_ExternalBoot/PortableOperatingSystem_Launcher](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_launcher)
-- [ADMX_Feeds/FeedsEnabled](./policy-csp-admx-feeds.md#admx-feeds-feedsEnabled)
+- [ADMX_Feeds/FeedsEnabled](./policy-csp-admx-feeds.md#admx-feeds-feedsenabled)
 - [ADMX_FileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy)
 - [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol)
 - [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression)
From 3db89c2afdcc8d5d10e07ad603bb85bc7adc654e Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Fri, 17 Sep 2021 15:40:54 +0530 Subject: [PATCH 23/38] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 1 - .../policy-configuration-service-provider.md | 7 ---- ...-csp-admx-feeds.md => policy-csp-feeds.md} | 36 ++++++++----------- 3 files changed, 15 insertions(+), 29 deletions(-) rename windows/client-management/mdm/{policy-csp-admx-feeds.md => policy-csp-feeds.md} (53%)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
index e215f891b8..586e5edcc6 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@@ -280,7 +280,6 @@ ms.date: 10/08/2020
 - [ADMX_ExternalBoot/PortableOperatingSystem_Hibernate](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_hibernate)
 - [ADMX_ExternalBoot/PortableOperatingSystem_Sleep](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_sleep)
 - [ADMX_ExternalBoot/PortableOperatingSystem_Launcher](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_launcher)
-- [ADMX_Feeds/FeedsEnabled](./policy-csp-admx-feeds.md#admx-feeds-feedsenabled)
 - [ADMX_FileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy)
 - [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol)
 - [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression)
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index fa753bd3f4..6922bada43 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -1144,13 +1144,6 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
-### ADMX_Feeds policies -
-
- ADMX_Feeds/FeedsEnabled -
-
- ### ADMX_FileRecovery policies
diff --git a/windows/client-management/mdm/policy-csp-admx-feeds.md b/windows/client-management/mdm/policy-csp-feeds.md similarity index 53% rename from windows/client-management/mdm/policy-csp-admx-feeds.md rename to windows/client-management/mdm/policy-csp-feeds.md index b96c8f3500..bc8b0b1996 100644 --- a/windows/client-management/mdm/policy-csp-admx-feeds.md +++ b/windows/client-management/mdm/policy-csp-feeds.md @@ -1,27 +1,30 @@ --- -title: Policy CSP - ADMX_Feeds -description: Policy CSP - ADMX_Feeds +title: Policy CSP - Feeds +description: Use the Policy CSP - Feeds setting policy specifies whether news and interests is allowed on the device. +. ms.author: dansimp -ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows author: nimishasatapathy -ms.date: 09/16/2021 +ms.localizationpriority: medium +ms.date: 09/17/2021 ms.reviewer: manager: dansimp --- -# Policy CSP - ADMX_Feeds -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +# Policy CSP - Feeds + +
+## Feeds policies +
- ADMX_Feeds/FeedsEnabled + Feeds/FeedsEnabled
@@ -29,7 +32,7 @@ manager: dansimp
-**ADMX_Feeds/FeedsEnabled** +**Feeds/FeedsEnabled** @@ -74,9 +77,10 @@ manager: dansimp > [!div class = "checklist"] > * Machine +
+ - This policy setting specifies whether news and interests is allowed on the device. The values for this policy are 1 and 0. This policy defaults to 1. @@ -86,26 +90,16 @@ The values for this policy are 1 and 0. This policy defaults to 1. - 0 - News and interests feature will be turned off completely, and the settings UI in Taskbar context menu will be removed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: -- GP Friendly name: *Enable news and interests on the taskbar.* +- GP Friendly name: *Enable news and interests on the taskbar* - GP name: *FeedsEnabled* - GP path: *Windows Components\News and interests* - GP ADMX file name: *Feeds.admx* -
- -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. From babcc6903b7dce4cff2de4a1a24d6e6545e7a9e4 Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Sat, 18 Sep 2021 16:19:51 +0530 Subject: [PATCH 24/38] conflict resolution --- windows/security/threat-protection/auditing/event-4776.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md index 7da08c0312..4f229b6fa2 100644 --- a/windows/security/threat-protection/auditing/event-4776.md +++ b/windows/security/threat-protection/auditing/event-4776.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 09/07/2021 +ms.date: 09/13/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -146,4 +146,4 @@ For 4776(S, F): The computer attempted to validate the credentials for an accoun | **User logon from unauthorized workstation** | Can indicate a compromised account; especially relevant for highly critical accounts. | | **User logon to account disabled by administrator** | For example, N events in last N minutes can be an indicator of an account compromise attempt, especially relevant for highly critical accounts. | | **User logon with expired account** | Can indicate an account compromise attempt; especially relevant for highly critical accounts. | -| **User logon with account locked** | Can indicate a brute-force password attack; especially relevant for highly critical accounts. | \ No newline at end of file +| **User logon with account locked** | Can indicate a brute-force password attack; especially relevant for highly critical accounts. | From f91a0d978bd2bcb6089c6ee698e050adb8d1d1ab Mon Sep 17 00:00:00 2001 
From: Asha Iyengar Date: Sat, 18 Sep 2021 16:37:27 +0530 Subject: [PATCH 25/38] conflict resolved --- windows/security/threat-protection/auditing/event-4776.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md
index 4f229b6fa2..f56f581b2a 100644
--- a/windows/security/threat-protection/auditing/event-4776.md
+++ b/windows/security/threat-protection/auditing/event-4776.md
@@ -145,5 +145,5 @@ For 4776(S, F): The computer attempted to validate the credentials for an accoun
 | **User logon outside authorized hours** | Can indicate a compromised account; especially relevant for highly critical accounts. |
 | **User logon from unauthorized workstation** | Can indicate a compromised account; especially relevant for highly critical accounts. |
 | **User logon to account disabled by administrator** | For example, N events in last N minutes can be an indicator of an account compromise attempt, especially relevant for highly critical accounts. |
-| **User logon with expired account** | Can indicate an account compromise attempt; especially relevant for highly critical accounts. |
-| **User logon with account locked** | Can indicate a brute-force password attack; especially relevant for highly critical accounts. |
+| **User logon with expired account** | Can indicate an account compromise attempt; especially relevant for highly critical accounts. |
+| **User logon with account locked** | Can indicate a brute-force password attack; especially relevant for highly critical accounts. |
From 8448a97857577e19e94c129d751077dfd78310e3 Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 20 Sep 2021 00:03:15 +0530 Subject: [PATCH 26/38] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 1 + .../mdm/policy-configuration-service-provider.md | 7 +++++++ .../client-management/mdm/policy-csp-experience.md | 12 ++++++------ windows/client-management/mdm/policy-csp-feeds.md | 1 - windows/client-management/mdm/toc.yml | 2 ++ 5 files changed, 16 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 586e5edcc6..33771b68a4 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -1431,6 +1431,7 @@ ms.date: 10/08/2020 - [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog) - [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog) - [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog) +- [Feeds/FeedsEnabled](./policy-csp-feeds.md#feeds-feedsenabled) - [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer) - [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption) - [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 6922bada43..f5507cb383 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md 
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -6025,6 +6025,13 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC +### Feeds policies +
+
+ Feeds/FeedsEnabled +
+
+ ### FileExplorer policies
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 27eaa323af..61abaceb22 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -1192,22 +1192,22 @@ The following list shows the supported values:
- - + + - - + + - + - +
ProYesYesNoNo
BusinessYesYesNoNo
EnterpriseYesNo Yes
EducationYesNo Yes
diff --git a/windows/client-management/mdm/policy-csp-feeds.md b/windows/client-management/mdm/policy-csp-feeds.md index bc8b0b1996..7cf158d3b9 100644 --- a/windows/client-management/mdm/policy-csp-feeds.md +++ b/windows/client-management/mdm/policy-csp-feeds.md @@ -16,7 +16,6 @@ manager: dansimp # Policy CSP - Feeds -
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 753d778986..0abecf442a 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -707,6 +707,8 @@ items: href: policy-csp-experience.md - name: ExploitGuard href: policy-csp-exploitguard.md + - name: Feeds + href: policy-csp-feedsenabled.md - name: FileExplorer href: policy-csp-fileexplorer.md - name: Games From 221bd0216a87203ad16cad9f41d87f72de15afdc Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 20 Sep 2021 00:10:38 +0530 Subject: [PATCH 27/38] Updated --- windows/client-management/mdm/policy-csp-feeds.md | 3 +-- windows/client-management/mdm/toc.yml | 6 ++---- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-feeds.md b/windows/client-management/mdm/policy-csp-feeds.md index 7cf158d3b9..834c6f8226 100644 --- a/windows/client-management/mdm/policy-csp-feeds.md +++ b/windows/client-management/mdm/policy-csp-feeds.md @@ -1,8 +1,7 @@ --- title: Policy CSP - Feeds description: Use the Policy CSP - Feeds setting policy specifies whether news and interests is allowed on the device. -. -ms.author: dansimp +ms.author: v-nsatapathy ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 0abecf442a..5c32037d42 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -480,9 +480,7 @@ items: - name: ADMX_Explorer href: policy-csp-admx-explorer.md - name: ADMX_ExternalBoot - href: policy-csp-admx-externalboot.md - - name: Feeds - href: policy-csp-admx-feeds.md + href: policy-csp-admx-externalboot.md - name: ADMX_FileRecovery href: policy-csp-admx-filerecovery.md - name: ADMX_FileRevocation 
@@ -708,7 +706,7 @@ items: - name: ExploitGuard href: policy-csp-exploitguard.md - name: Feeds - href: policy-csp-feedsenabled.md + href: policy-csp-feeds.md - name: FileExplorer href: policy-csp-fileexplorer.md - name: Games From 83de1a36e71618e763c3964eee0bacd496e385b8 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 20 Sep 2021 11:17:13 +0530 Subject: [PATCH 28/38] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 1 + .../policy-configuration-service-provider.md | 8 ++ .../policy-csp-admx-locationprovideradm.md | 112 ++++++++++++++++++ windows/client-management/mdm/toc.yml | 2 + 4 files changed, 123 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-locationprovideradm.md diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 33771b68a4..2cccb73779 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md 
@@ -423,6 +423,7 @@ ms.date: 10/08/2020 - [ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enableofflinefilesforcashares) - [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablelltdio) - [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablerspndr) +- [ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1](./policy-csp-admx-locationprovideradm.md#admx-locationprovideradm-disablewindowslocationprovider_1) - [ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin](./policy-csp-admx-logon.md#admx-logon-blockuserfromshowingaccountdetailsonsignin) - [ADMX_Logon/DisableAcrylicBackgroundOnLogon](./policy-csp-admx-logon.md#admx-logon-disableacrylicbackgroundonlogon) - [ADMX_Logon/DisableExplorerRunLegacy_1](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunlegacy-1) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index f5507cb383..b65e797058 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1636,6 +1636,14 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_LocationProviderAdm policies + +
+
+ ADMX_LocationProviderAdm/BlockUserFromShowingAccountDetailsOnSignin +
+
+ ### ADMX_Logon policies
diff --git a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md new file mode 100644 index 0000000000..c1280d5f04 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md @@ -0,0 +1,112 @@ +--- +title: Policy CSP - ADMX_LocationProviderAdm +description: Policy CSP - ADMX_LocationProviderAdm +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/20/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_LocationProviderAdm +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_LocationProviderAdm policies + +
+
+ ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1 +
+
+ + +
+ + +**ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
+ + + +This policy setting turns off the Windows Location Provider feature for this computer. + +- If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use the Windows Location Provider feature. + +- If you disable or do not configure this policy setting, all programs on this computer can use the Windows Location Provider feature. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Turn off Windows Location Provider* +- GP name: *DisableWindowsLocationProvider_1* +- GP path: *Windows Components\Location and Sensors\Windows Location Provider* +- GP ADMX file name: *LocationProviderAdm.admx* + + + +
+ +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. + + + diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 5c32037d42..3af12f96b7 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -511,6 +511,8 @@ items: href: policy-csp-admx-lanmanworkstation.md - name: ADMX_LinkLayerTopologyDiscovery href: policy-csp-admx-linklayertopologydiscovery.md + - name: ADMX_LocationProviderAdm + href: policy-csp-admx-locationprovideradm.md - name: ADMX_Logon href: policy-csp-admx-logon.md - name: ADMX_MicrosoftDefenderAntivirus From 6d84f71eeb16a186c780a703f7bb007653d4d5f0 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Tue, 21 Sep 2021 10:13:18 +0530 Subject: [PATCH 29/38] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 1 - windows/client-management/mdm/policy-csp-feeds.md | 8 ++++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 2cccb73779..5ceb9db7c3 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md 
@@ -1432,7 +1432,6 @@ ms.date: 10/08/2020 - [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog) - [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog) - [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog) -- [Feeds/FeedsEnabled](./policy-csp-feeds.md#feeds-feedsenabled) - [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer) - [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption) - [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider) diff --git a/windows/client-management/mdm/policy-csp-feeds.md b/windows/client-management/mdm/policy-csp-feeds.md index 834c6f8226..0f683d9be9 100644 --- a/windows/client-management/mdm/policy-csp-feeds.md +++ b/windows/client-management/mdm/policy-csp-feeds.md @@ -47,22 +47,22 @@ manager: dansimp Pro Yes - Yes + No Business Yes - Yes + No Enterprise Yes - Yes + No Education Yes - Yes + No From 910c4184e1d66e93e3c621d38eeb5b330803bb11 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Notin?= Date: Tue, 21 Sep 2021 13:45:09 +0200 Subject: [PATCH 30/38] Make Domain Admins well-known SID consistent with others It was missing the "-21-" part which all other similar well-known have. For example, see just below: "Domain Computers" -> "S-1-5-21--515 --- .../access-control/active-directory-security-groups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
index 9b9c40977d..b14702f2e4 100644
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@@ -1489,7 +1489,7 @@ This security group has not changed since Windows Server 2008.

Well-Known SID/RID

-

S-1-5-<domain>-512

+

S-1-5-21-<domain>-512

Type

From f6f5d1a98715fe82ef0abe8e52febb473ec05599 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Notin?= Date: Tue, 21 Sep 2021 15:08:30 +0200 Subject: [PATCH 31/38] Enterprise Read Only Domain Controllers (-498) are defined at forest root level --- .../access-control/active-directory-security-groups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
index 9b9c40977d..ab20f08979 100644
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@@ -1885,7 +1885,7 @@ This security group has not changed since Windows Server 2008.

Well-Known SID/RID

-

S-1-5-21-<domain>-498

+

S-1-5-21-<root domain>-498

Type

From 3778ff2e807d4b8965db0ce8d25a4c705ade4901 Mon Sep 17 00:00:00 2001 From: Kaushik Ainapure Date: Tue, 21 Sep 2021 18:56:56 +0530 Subject: [PATCH 32/38] Format changes with additional error codes 1. Updated article to include 17 additional error codes. 2. Updated article with H2 formatting for better discoverability of the error codes. ------- cc: @jaimeo --- .../update/windows-update-errors.md | 216 ++++++++++++++++-- 1 file changed, 196 insertions(+), 20 deletions(-) diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index eb178f7528..982fac6d52 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -7,9 +7,9 @@ audience: itpro itproauthor: jaimeo ms.audience: itpro author: jaimeo -ms.reviewer: +ms.reviewer: kaushika manager: laurawi -ms.topic: article +ms.topic: troubleshooting ms.custom: seo-marvel-apr2020 --- 
@@ -22,22 +22,198 @@ ms.custom: seo-marvel-apr2020 The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them. +## 0x8024402F -| Error Code | Message | Description | Mitigation | -|------------------------------------------|-----------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed | -| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
Ren %systemroot%\system32\catroot2 \*.bak | -| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system. | -| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | -| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to the Internet. To fix this issue, follow these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://
.update.microsoft.com


You can also take a network trace to check what is timing out. \ | -| 0x80072EFD
0x80072EFE 
0x80D02002 | TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | -| 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. | -| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | -| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the device to restart. | -| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. Restart the device to complete update installation. | -| 0x80246017 | WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator). | -| 0x8024000B | WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | -| 0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. 
Ensure that you have the latest Windows Update Agent installed on the machine. | -| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | -| 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | -| 0x80070422 | | This issue occurs when the Windows Update service stops working or is not running. | Check if the Windows Update service is running.
| +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed | + +## 0x80242006 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
- Ren %systemroot%\system32\catroot2 \*.bak | + +## 0x80070BC9 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system | + +## 0x80200053 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc).| + +## 0x80072EFD or 0x80072EFE or 0x80D02002 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | + +## 0X8007000D + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred.| Attempt to re-download the update and initiate installation. | + +## 0x8024A10A + +| Message | Description | Mitigation | +|---------|-------------|------------| +| USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | + +## 0x80240020 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the device to restart. | + +## 0x80242014 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. Restart the device to complete update nstallation. | + +## 0x80246017 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator).| + +## 0x8024000B + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. 
You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | + +## 0x8024000E + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | + +## 0x8024D009 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | + +## 0x80244007 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | + +## 0x80070422 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| NA | This issue occurs when the Windows Update service stops working or is not running. | Check if the Windows Update service is running.
| + +## 0x800f0821 + + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_ABORT; client abort, IDABORT returned by ICbsUIHandler method except Error() | CBS transaction timeout exceeded. | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has hung. Extending the timeout will mitigate the issue. Increase the machine resources. If a virtual machine, increase virtual CPU and memory to speedup the operation. Make sure the machine as at least the KB4493473, if not please download and manually install it.| + +## 0x800f0825 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_CANNOT_UNINSTALL; Package cannot be uninstalled. | Typically component store corruption caused when a component is in a partially installed state. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x800F0920 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_HANG_DETECTED; A hang was detected while processing the operation. | Subsequent error logged after getting 0x800f0821 | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has hung. Extending the timeout will mitigate the issue. Increase the machine resources. If a virtual machine, increase virtual CPU and memory to speedup the operation. Make sure the machine as at least the KB4493473, if not please download and manually install it. | + +## 0x800f081f + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_SOURCE_MISSING; source for package or file not found, ResolveSource() unsuccessful | Component Store corruption | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x800f0831 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_STORE_CORRUPTION; CBS store is corrupted. | Corruption in the Windows Component Store. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x80070005 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| E_ACCESSDENIED; General access denied error | File system or registry key permissions have been changed and the servicing stack doesn't have the required level of access. | This error generally means an ACCESS DENIED.
Go to %Windir%\logs\CBS and open the last CBS.log and search for “, error” and match with the timestamp. After finding the error, scroll up and try to determine what caused the ACCESS DENIED, it could be acess denied to a file, registry key,etc. Determine what object needs the right permissions and change the permissions | + +## 0x80070570 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_FILE_CORRUPT; The file or directory is corrupted and unreadable. | Component Store corruption | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + + +## 0x80070003 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_PATH_NOT_FOUND; The system cannot find the path specified. | The servicing stack cannot access a specific path. | Indicates an invalid path to an executable. Go to %Windir%\logs\CBS and open the last CBS.log and search for “, error” and match with the timestamp. | + + +## 0x80070020 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by 3rd party filter drivers like Antivirus.
1. [Perform a clean boot and retry the installation](https://support.microsoft.com/help/929135/)
2. Download the sysinternal tool process monitor -> https://docs.microsoft.com/sysinternals/downloads/procmon
3. Run procmon.exe. It will start data capture automatically
4. Install the Update package again
5. With procmon program main window in focus, press Ctrl + E or click the magnifying glass to terminate data capture
6. Click File > Save > All Events > PML, and choose an adequate path to save the .PML file
7. Go to %windir%\logs\cbs and open the last cbs.log file and search for the error
8. After finding the error line a bit above you should have the file being accessed during the installation that is giving the sharing violation error
9. In the Procmon windows filter for path and insert the file name (it should be something like “path” “contains” “filename from CBS”)
10. After checking which process is accessing that file try to stop it or uninstall it from the machine | + +## 0x80073701 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_SXS_ASSEMBLY_MISSING; The referenced assembly could not be found. | Typically component store corruption caused when a component is in a partially installed state. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x8007371b + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_SXS_TRANSACTION_CLOSURE_INCOMPLETE; One or more required members of the transaction are not present. | Component Store corruption. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x80072EFE + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WININET_E_CONNECTION_ABORTED; The connection with the server was terminated abnormally | BITS is unable to transfer the file successfully. | Encountered if BITS is broken or if the file being transferred can't be written to the destination folder on the client. This error is usually caused by connection errors while checking/downloading updates.
From a cmd prompt run: **BITSADMIN /LIST /ALLUSERS /VERBOSE**
Search for the 0x80072EFE error code. You should see a reference to a HTTP code with a specific file, try to download it manually from your browser making sure you’re using your proxy organization settings. If it fails, check with your proxy manager to allow for the communication to be sucesfull. Also check with your network team for this specific URL access. | + +## 0x80072F8F + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WININET_E_DECODING_FAILED; Content decoding has failed | TLS 1.2 is not configured correctly on the client machine. | This error generally means that the Windows Update Agent was unable to decode the received content. You need to install and configure TLS 1.2 by installing this KB: https://support.microsoft.com/help/3140245/ + +## 0x80072EE2 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to WU, SCCM, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own configured WSUS/SCCM/MEM/etc.
Check with your network team if the machine is able to get to your WSUS/SCCM/MEM/etc or the internet servers. See, https://docs.microsoft.com/troubleshoot/mem/configmgr/troubleshoot-software-update-scan-failures
In case you’re using the public MS update servers, check that your device can access the following Windows Update endpoints:
http://windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
https://*.update.microsoft.com
https://*.update.microsoft.com
https://*.windowsupdate.com
https://download.windowsupdate.com
https://download.microsoft.com
https://*.download.windowsupdate.com
https://wustat.windows.com
https://ntservicepack.microsoft.com | + +## 0x80240022 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_ALL_UPDATES_FAILED; Operation failed for all the updates. | Multiple root causes for this error.| Most common issue is where Anti-Virus software is blocking access to certain folders (like SoftwareDistribution). CBS.log analysis needed to determine the file or folder being protected. | + +## 0x8024401B + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ; Same as HTTP status 407 - proxy authentication is required. | Unable to authenticate through a proxy server. | Either the Winhttp proxy or WinInet proxy settings are not configured correctly. This error generally means that the Windows Update Agent was unable to connect to the update servers or your own configured WSUS/SCCM/MEM/etc due to a Proxy error.
- Verify the proxy settings on the client, and make sure that they are configured correctly. The Windows Update Agent uses WinHTTP to scan for available updates. So, when there is a proxy server between the client and the WSUS computer, the proxy settings must be configured correctly on the clients to enable them to communicate with WSUS by using the computer's FQDN.
- Check with your network team and proxy team if the machine is able to get to your WSUS/SCCM7MEM/etc or the internet servers without the proxy requiring user authentication | + + +## 0x80244022 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_HTTP_STATUS_SERVICE_UNAVAILABLE; Same as HTTP status 503 - the service is temporarily overloaded. | Unable to connect to the configured update source. | Network troubleshooting needed to resolve the connectivity issue. Check with your network team and proxy team if the machine is able to get to your WSUS/SCCM7MEM/etc or the internet servers without the proxy requiring user authentication. | From 8dc6c215513a38d68523028a8c101aec55d05cdd Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Tue, 21 Sep 2021 09:20:54 -0700 Subject: [PATCH 33/38] Update windows-update-errors.md Various typo, style, terminology, and capitalization fixes. --- .../update/windows-update-errors.md | 62 +++++++++---------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index 982fac6d52..20dc038060 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -26,55 +26,55 @@ The following table provides information about common errors you might run into | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed | +| WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External .cab file processing completed with some errors | This can be caused by the Lightspeed Rocket for web filtering software.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed Rocket. | ## 0x80242006 | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
- Ren %systemroot%\system32\catroot2 \*.bak | +| WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename the software redistribution folder and try to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
- Ren %systemroot%\system32\catroot2 \*.bak | ## 0x80070BC9 | Message | Description | Mitigation | |---------|-------------|------------| -| ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system | +| ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. Restart the system to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system. | ## 0x80200053 | Message | Description | Mitigation | |---------|-------------|------------| -| BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc).| +| BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc).| ## 0x80072EFD or 0x80072EFE or 0x80D02002 | Message | Description | Mitigation | |---------|-------------|------------| -| TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | +| TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxies that block Microsoft download URLs.
Take a network monitor trace to understand better. \ | ## 0X8007000D | Message | Description | Mitigation | |---------|-------------|------------| -| ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred.| Attempt to re-download the update and initiate installation. | +| ERROR_INVALID_DATA | Indicates data that isn't valid was downloaded or corruption occurred.| Attempt to re-download the update and start installation. | ## 0x8024A10A | Message | Description | Mitigation | |---------|-------------|------------| -| USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | +| USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity. The system fails to respond, leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the installation. | ## 0x80240020 | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the device to restart. | +| WU_E_NO_INTERACTIVE_USER | Operation did not complete because no interactive user is signed in. | Sign in to the device to start the installation and allow the device to restart. | ## 0x80242014 | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. 
Restart the device to complete update nstallation. | +| WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows updates require the device to be restarted. Restart the device to complete update installation. | ## 0x80246017 
@@ -86,134 +86,134 @@ The following table provides information about common errors you might run into | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | +| WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we're unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | ## 0x8024000E | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | +| WU_E_XML_INVALID | Windows Update Agent found information in the update's XML data that isn't valid. | Certain drivers contain additional metadata information in Update.xml, which Orchestrator can interpret as data that isn't valid. Ensure that you have the latest Windows Update Agent installed on the device. | ## 0x8024D009 | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | +| WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the Wuident.cab file. | You might encounter this error when WSUS is not sending the self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | ## 0x80244007 | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | +| WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows can't renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | ## 0x80070422 | Message | Description | Mitigation | |---------|-------------|------------| -| NA | This issue occurs when the Windows Update service stops working or is not running. | Check if the Windows Update service is running.
| +| NA | This issue occurs when the Windows Update service stops working or isn't running. | Check if the Windows Update service is running.
| ## 0x800f0821 | Message | Description | Mitigation | |---------|-------------|------------| -| CBS_E_ABORT; client abort, IDABORT returned by ICbsUIHandler method except Error() | CBS transaction timeout exceeded. | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has hung. Extending the timeout will mitigate the issue. Increase the machine resources. If a virtual machine, increase virtual CPU and memory to speedup the operation. Make sure the machine as at least the KB4493473, if not please download and manually install it.| +| CBS_E_ABORT; client abort, IDABORT returned by ICbsUIHandler method except Error() | CBS transaction timeout exceeded. | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires. Extending the timeout will mitigate the issue. Increase the resources on the device. If a virtual machine, increase virtual CPU and memory to speed up operations. Make sure the has installed the update in KB4493473 or later.| ## 0x800f0825 | Message | Description | Mitigation | |---------|-------------|------------| -| CBS_E_CANNOT_UNINSTALL; Package cannot be uninstalled. | Typically component store corruption caused when a component is in a partially installed state. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | +| CBS_E_CANNOT_UNINSTALL; Package cannot be uninstalled. | Typically this is due component store corruption caused when a component is in a partially installed state. | Repair the component store with the **Dism RestoreHealth** command or manually repair with a payload from the partially installed component. From an elevated command prompt, run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device. | ## 0x800F0920 | Message | Description | Mitigation | |---------|-------------|------------| -| CBS_E_HANG_DETECTED; A hang was detected while processing the operation. | Subsequent error logged after getting 0x800f0821 | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has hung. Extending the timeout will mitigate the issue. Increase the machine resources. If a virtual machine, increase virtual CPU and memory to speedup the operation. Make sure the machine as at least the KB4493473, if not please download and manually install it. | +| CBS_E_HANG_DETECTED; A failure to respond was detected while processing the operation. | Subsequent error logged after getting 0x800f0821 | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has stopped responding. Extending the timeout will mitigate the issue. Increase the resources on the device. If a virtual machine, increase virtual CPU and memory to speed up operations. Make sure the device has installed the update in KB4493473 or later.| ## 0x800f081f | Message | Description | Mitigation | |---------|-------------|------------| -| CBS_E_SOURCE_MISSING; source for package or file not found, ResolveSource() unsuccessful | Component Store corruption | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | +| CBS_E_SOURCE_MISSING; source for package or file not found, ResolveSource() unsuccessful | Component Store corruption | Repair the component store with the **Dism RestoreHealth** command or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device. | ## 0x800f0831 | Message | Description | Mitigation | |---------|-------------|------------| -| CBS_E_STORE_CORRUPTION; CBS store is corrupted. | Corruption in the Windows Component Store. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | +| CBS_E_STORE_CORRUPTION; CBS store is corrupted. | Corruption in the Windows Component Store. | Repair the component store with **Dism RestoreHealth** or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device. | ## 0x80070005 | Message | Description | Mitigation | |---------|-------------|------------| -| E_ACCESSDENIED; General access denied error | File system or registry key permissions have been changed and the servicing stack doesn't have the required level of access. | This error generally means an ACCESS DENIED.
Go to %Windir%\logs\CBS and open the last CBS.log and search for “, error” and match with the timestamp. After finding the error, scroll up and try to determine what caused the ACCESS DENIED, it could be acess denied to a file, registry key,etc. Determine what object needs the right permissions and change the permissions | +| E_ACCESSDENIED; General access denied error | File system or registry key permissions have been changed and the servicing stack doesn't have the required level of access. | This error generally means an access was denied.
Go to %Windir%\logs\CBS, open the last CBS.log and search for “, error” and match with the timestamp. After finding the error, scroll up and try to determine what caused the access denial. It could be acess denied to a file, registry key. Determine what object needs the right permissions and change the permissions as needed. | ## 0x80070570 | Message | Description | Mitigation | |---------|-------------|------------| -| ERROR_FILE_CORRUPT; The file or directory is corrupted and unreadable. | Component Store corruption | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | +| ERROR_FILE_CORRUPT; The file or directory is corrupted and unreadable. | Component Store corruption | Repair the component store with **Dism RestoreHealth** or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device.| ## 0x80070003 | Message | Description | Mitigation | |---------|-------------|------------| -| ERROR_PATH_NOT_FOUND; The system cannot find the path specified. | The servicing stack cannot access a specific path. | Indicates an invalid path to an executable. Go to %Windir%\logs\CBS and open the last CBS.log and search for “, error” and match with the timestamp. | +| ERROR_PATH_NOT_FOUND; The system cannot find the path specified. | The servicing stack cannot access a specific path. | Indicates an invalid path to an executable. Go to %Windir%\logs\CBS, open the last CBS.log, and search for “, error” and match with the timestamp. | ## 0x80070020 | Message | Description | Mitigation | |---------|-------------|------------| -| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by 3rd party filter drivers like Antivirus.
1. [Perform a clean boot and retry the installation](https://support.microsoft.com/help/929135/)
2. Download the sysinternal tool process monitor -> https://docs.microsoft.com/sysinternals/downloads/procmon
3. Run procmon.exe. It will start data capture automatically
4. Install the Update package again
5. With procmon program main window in focus, press Ctrl + E or click the magnifying glass to terminate data capture
6. Click File > Save > All Events > PML, and choose an adequate path to save the .PML file
7. Go to %windir%\logs\cbs and open the last cbs.log file and search for the error
8. After finding the error line a bit above you should have the file being accessed during the installation that is giving the sharing violation error
9. In the Procmon windows filter for path and insert the file name (it should be something like “path” “contains” “filename from CBS”)
10. After checking which process is accessing that file try to stop it or uninstall it from the machine | +| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by non-Microsoft filter drivers like antivirus.
1. [Perform a clean boot and retry the installation](https://support.microsoft.com/help/929135/)
2. Download the sysinternal tool [Process Monitor](https://docs.microsoft.com/sysinternals/downloads/procmon).
3. Run Procmon.exe. It will start data capture automatically.
4. Install the update package again
5. With the Process Monitor main window in focus, press CTRL + E or select the magnifying glass to stop data capture.
6. Select **File > Save > All Events > PML**, and choose a path to save the .PML file
7. Go to %windir%\logs\cbs, open the last Cbs.log file, and search for the error. After finding the error line a bit above, you should have the file being accessed during the installation that is giving the sharing violation error
8. In Process Monitor, filter for path and insert the file name (it should be something like “path” “contains” “filename from CBS”).
9. Try to stop it or uninstall the process causing the error. | ## 0x80073701 | Message | Description | Mitigation | |---------|-------------|------------| -| ERROR_SXS_ASSEMBLY_MISSING; The referenced assembly could not be found. | Typically component store corruption caused when a component is in a partially installed state. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | +| ERROR_SXS_ASSEMBLY_MISSING; The referenced assembly could not be found. | Typically, a component store corruption caused when a component is in a partially installed state. | Repair the component store with **Dism RestoreHealth command** or manually repair it with the payload from the partially installed component. From an elevated command prompt and run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device. | ## 0x8007371b | Message | Description | Mitigation | |---------|-------------|------------| -| ERROR_SXS_TRANSACTION_CLOSURE_INCOMPLETE; One or more required members of the transaction are not present. | Component Store corruption. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | +| ERROR_SXS_TRANSACTION_CLOSURE_INCOMPLETE; One or more required members of the transaction are not present. | Component Store corruption. | Repair the component store with **Dism RestoreHealth command** or manually repair it with the payload from the partially installed component. From an elevated command prompt and run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device. | ## 0x80072EFE | Message | Description | Mitigation | |---------|-------------|------------| -| WININET_E_CONNECTION_ABORTED; The connection with the server was terminated abnormally | BITS is unable to transfer the file successfully. | Encountered if BITS is broken or if the file being transferred can't be written to the destination folder on the client. This error is usually caused by connection errors while checking/downloading updates.
From a cmd prompt run: **BITSADMIN /LIST /ALLUSERS /VERBOSE**
Search for the 0x80072EFE error code. You should see a reference to a HTTP code with a specific file, try to download it manually from your browser making sure you’re using your proxy organization settings. If it fails, check with your proxy manager to allow for the communication to be sucesfull. Also check with your network team for this specific URL access. | +| WININET_E_CONNECTION_ABORTED; The connection with the server was closed abnormally | BITS is unable to transfer the file successfully. | Encountered if BITS is broken or if the file being transferred can't be written to the destination folder on the client. This error is usually caused by connection errors while checking or downloading updates.
From a cmd prompt run: *BITSADMIN /LIST /ALLUSERS /VERBOSE*
Search for the 0x80072EFE error code. You should see a reference to an HTTP code with a specific file. Using a browser, try to download it manually, making sure you’re using your organization's proxy settings. If the download fails, check with your proxy manager to allow for the communication to be sucesfull. Also check with your network team for this specific URL access. | ## 0x80072F8F | Message | Description | Mitigation | |---------|-------------|------------| -| WININET_E_DECODING_FAILED; Content decoding has failed | TLS 1.2 is not configured correctly on the client machine. | This error generally means that the Windows Update Agent was unable to decode the received content. You need to install and configure TLS 1.2 by installing this KB: https://support.microsoft.com/help/3140245/ +| WININET_E_DECODING_FAILED; Content decoding has failed | TLS 1.2 is not configured correctly on the client. | This error generally means that the Windows Update Agent was unable to decode the received content. Install and configure TLS 1.2 by installing the update in [KB3140245](https://support.microsoft.com/help/3140245/). ## 0x80072EE2 | Message | Description | Mitigation | |---------|-------------|------------| -| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to WU, SCCM, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own configured WSUS/SCCM/MEM/etc.
Check with your network team if the machine is able to get to your WSUS/SCCM/MEM/etc or the internet servers. See, https://docs.microsoft.com/troubleshoot/mem/configmgr/troubleshoot-software-update-scan-failures
In case you’re using the public MS update servers, check that your device can access the following Windows Update endpoints:
http://windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
https://*.update.microsoft.com
https://*.update.microsoft.com
https://*.windowsupdate.com
https://download.windowsupdate.com
https://download.microsoft.com
https://*.download.windowsupdate.com
https://wustat.windows.com
https://ntservicepack.microsoft.com | +| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to Windows Update, Configuration Manager, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own source, such as WSUS, Configuration Manager, or Microsoft Endpoint Manager.
Check with your network team to ensure that the device can reach the update sources. For more info, see [Troubleshoot software update scan failures in Configuration Manager](/mem/configmgr/troubleshoot-software-update-scan-failures).
If you’re using the public Microsoft update servers, check that your device can access the following Windows Update endpoints:
`http://windowsupdate.microsoft.com`
https://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
https://*.update.microsoft.com
https://*.update.microsoft.com
https://*.windowsupdate.com
https://download.windowsupdate.com
https://download.microsoft.com
https://*.download.windowsupdate.com
https://wustat.windows.com
https://ntservicepack.microsoft.com | ## 0x80240022 | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_ALL_UPDATES_FAILED; Operation failed for all the updates. | Multiple root causes for this error.| Most common issue is where Anti-Virus software is blocking access to certain folders (like SoftwareDistribution). CBS.log analysis needed to determine the file or folder being protected. | +| WU_E_ALL_UPDATES_FAILED; Operation failed for all the updates. | Multiple root causes for this error.| Most common issue is that antivirus software is blocking access to certain folders (like SoftwareDistribution). CBS.log analysis needed to determine the file or folder being protected. | ## 0x8024401B | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ; Same as HTTP status 407 - proxy authentication is required. | Unable to authenticate through a proxy server. | Either the Winhttp proxy or WinInet proxy settings are not configured correctly. This error generally means that the Windows Update Agent was unable to connect to the update servers or your own configured WSUS/SCCM/MEM/etc due to a Proxy error.
- Verify the proxy settings on the client, and make sure that they are configured correctly. The Windows Update Agent uses WinHTTP to scan for available updates. So, when there is a proxy server between the client and the WSUS computer, the proxy settings must be configured correctly on the clients to enable them to communicate with WSUS by using the computer's FQDN.
- Check with your network team and proxy team if the machine is able to get to your WSUS/SCCM7MEM/etc or the internet servers without the proxy requiring user authentication | +| WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ; Same as HTTP status 407 - proxy authentication is required. | Unable to authenticate through a proxy server. | Either the Winhttp proxy or WinInet proxy settings are not configured correctly. This error generally means that the Windows Update Agent was unable to connect to the update servers or your own update source, such as WSUS, Configuration Manager, or Microsoft Endpoint Manager, due to a proxy error.
Verify the proxy settings on the client. The Windows Update Agent uses WinHTTP to scan for available updates. When there is a proxy server between the client and the update source, the proxy settings must be configured correctly on the clients to enable them to communicate by using the source's FQDN.
Check with your network and proxy teams to confirm that the device can the update source without the proxy requiring user authentication. | ## 0x80244022 | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_PT_HTTP_STATUS_SERVICE_UNAVAILABLE; Same as HTTP status 503 - the service is temporarily overloaded. | Unable to connect to the configured update source. | Network troubleshooting needed to resolve the connectivity issue. Check with your network team and proxy team if the machine is able to get to your WSUS/SCCM7MEM/etc or the internet servers without the proxy requiring user authentication. | +| WU_E_PT_HTTP_STATUS_SERVICE_UNAVAILABLE; Same as HTTP status 503 - the service is temporarily overloaded. | Unable to connect to the configured update source. | Network troubleshooting needed to resolve the connectivity issue. Check with your network and proxy teams to confirm that the device can the update source without the proxy requiring user authentication. | From f464d757d3934fe33f6dd79b8a7182417969ff3e Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Tue, 21 Sep 2021 09:52:50 -0700 Subject: [PATCH 34/38] Update windows-update-errors.md Fixing a link. --- windows/deployment/update/windows-update-errors.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index 20dc038060..ac67414ec6 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -167,7 +167,7 @@ The following table provides information about common errors you might run into | Message | Description | Mitigation | |---------|-------------|------------| -| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by non-Microsoft filter drivers like antivirus.
1. [Perform a clean boot and retry the installation](https://support.microsoft.com/help/929135/)
2. Download the sysinternal tool [Process Monitor](https://docs.microsoft.com/sysinternals/downloads/procmon).
3. Run Procmon.exe. It will start data capture automatically.
4. Install the update package again
5. With the Process Monitor main window in focus, press CTRL + E or select the magnifying glass to stop data capture.
6. Select **File > Save > All Events > PML**, and choose a path to save the .PML file
7. Go to %windir%\logs\cbs, open the last Cbs.log file, and search for the error. After finding the error line a bit above, you should have the file being accessed during the installation that is giving the sharing violation error
8. In Process Monitor, filter for path and insert the file name (it should be something like “path” “contains” “filename from CBS”).
9. Try to stop it or uninstall the process causing the error. | +| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by non-Microsoft filter drivers like antivirus.
1. [Perform a clean boot and retry the installation](https://support.microsoft.com/help/929135/)
2. Download the sysinternal tool [Process Monitor](/sysinternals/downloads/procmon).
3. Run Procmon.exe. It will start data capture automatically.
4. Install the update package again
5. With the Process Monitor main window in focus, press CTRL + E or select the magnifying glass to stop data capture.
6. Select **File > Save > All Events > PML**, and choose a path to save the .PML file
7. Go to %windir%\logs\cbs, open the last Cbs.log file, and search for the error. After finding the error line a bit above, you should have the file being accessed during the installation that is giving the sharing violation error
8. In Process Monitor, filter for path and insert the file name (it should be something like “path” “contains” “filename from CBS”).
9. Try to stop it or uninstall the process causing the error. | ## 0x80073701 From 960c78b2cc51b5c256d6b39355da9d4814d1c56f Mon Sep 17 00:00:00 2001 From: Peter Smith Date: Tue, 21 Sep 2021 10:36:31 -0700 Subject: [PATCH 35/38] Update vpnv2-csp.md From customer feedback -- IT admins should not use lots of DNS suffixes. Not only is there a limit to how many you can have, but each one makes name resolution slower. --- windows/client-management/mdm/vpnv2-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 1fed240483..291a8e0d58 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -591,7 +591,7 @@ Valid values: - True = Register the connection's addresses in DNS. **VPNv2/**ProfileName**/DnsSuffix** -Optional. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. +Optional. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. Windows has a limit of 50 DNS suffixes that can be set. Windows name resolution will apply each suffix in order. Long DNS suffix lists may impact performance. Value type is chr. Supported operations include Get, Add, Replace, and Delete. From 2583871160dbacf2c3709a0978d9145b0dfb5531 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 21 Sep 2021 10:43:36 -0700 Subject: [PATCH 36/38] Update vpnv2-csp.md --- windows/client-management/mdm/vpnv2-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 291a8e0d58..87588a2a0e 100644 
--- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -9,7 +9,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 10/30/2020 +ms.date: 09/21/2021 --- # VPNv2 CSP From a3670fcf38b685ee62775e042cc75d4fed288735 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 21 Sep 2021 10:46:08 -0700 Subject: [PATCH 37/38] Update active-directory-security-groups.md --- .../access-control/active-directory-security-groups.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md index ab20f08979..35606ee96a 100644 --- a/windows/security/identity-protection/access-control/active-directory-security-groups.md +++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md @@ -1,5 +1,5 @@ --- -title: Active Directory Security Groups (Windows 10) +title: Active Directory Security Groups description: Active Directory Security Groups ms.prod: w10 ms.mktglfcycl: deploy @@ -12,14 +12,15 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/21/2021 ms.reviewer: --- # Active Directory Security Groups **Applies to** -- Windows Server 2016 +- Windows Server 2016 or later +- Windows 10 or later This reference topic for the IT professional describes the default Active Directory security groups. From a811de340bd5ca74bf50ad4b46e5a68a292d3267 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Tue, 21 Sep 2021 14:29:35 -0700 Subject: [PATCH 38/38] Corrected the minversion's since cscript/wscript do not follow typical win10 bin versions --- .../microsoft-recommended-block-rules.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 0365837d1b..d9e8974465 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -151,7 +151,7 @@ Select the correct version of each .dll for the Windows release you plan to supp - + @@ -181,7 +181,7 @@ Select the correct version of each .dll for the Windows release you plan to supp - +